
This article was first published on LexisPSL Practice Compliance on 20 February 2014.

Microsoft withdraws support: how to keep your IT systems safe


20/02/2014 Practice Compliance analysis: As Microsoft withdraws support for Windows XP SP3 and Office 2003, Caroline Egan, consultant at Squire Sanders, looks at some of the implications for law firms.

What specific responsibilities do law firms have to guard against IT security risks?
Law firms must address security risks in relation to client data from two perspectives:
- client data held in order to set up and manage the client relationship, and
- client data held in order to advise their clients.

Where this data includes personal data, the law firm will be considered to be either the sole data controller or a co-data controller, with direct liability for compliance with the Data Protection Act 1998 (DPA 1998). Firms are required to ensure that they have technical and organisational measures in place to keep personal data secure from accidental or malicious access, misuse, loss or corruption. When appointing data processors they are required to undertake due diligence as to the security measures offered by the processors, to choose a processor who will provide adequate security guarantees, and to build compliance with those obligations into a written contract with the processor. Microsoft would be regarded as the law firm's processor.

From 8 April 2014, Microsoft will no longer be supporting Windows XP or Office 2003 with updates, assisted support or online technical options. It is highly unlikely that a law firm choosing to stay with Windows XP or Office 2003 would be considered to be complying with those obligations. In addition, as these systems become out of date, users' systems may become more vulnerable to cyber-attacks.

What should law firms which rely on these systems have done by now?
By now, the process of moving away from Windows XP and Office 2003 should be complete. This is no trivial undertaking: firms should not underestimate the effort required to select, test and roll out a new desktop application suite, together with any necessary training. A key issue is the size of the 'jump' being taken, especially if the application suite in use is of a similar age to the version of Windows. Many older applications are not supported, not tested, or will not run on Windows 7 or 8. Applications developed in-house will need to be reviewed and potentially re-written, and hardware requirements examined to ensure PCs and laptops are able to cope with the newer software.

Firms should also look at exceptions to general desktop use, such as PCs used in conference rooms or print rooms, or dedicated to burning CDs, door access systems, or running banking systems. Some may have machines running older versions of Windows or Office to support in-house or niche applications not yet replaced, and some may be unconnected to the corporate network and not reported by asset management tools.


It is not just desktop systems that fall out of support. While Windows Server 2003 is still within extended support until July 2015, extended support for Microsoft Exchange Server 2003 (email server) ends in April this year, and extended support for Microsoft SQL Server 2005 (database server) expires in April 2016. Organisations need to plan for their migration away from these versions as well, if that is not already complete. When looking for replacements, the firm will need to look at the security measures guaranteed, and seek to build protections into its contract with the supplier.

Microsoft seems to have backtracked and agreed to provide anti-malware support for Windows XP until 2015. How does this change things?
This announcement has caused some confusion. Some have wondered whether further reversals may follow, and have perhaps been hesitant to commit to an expensive Windows XP migration project. There is no change to Microsoft's position on fixing security vulnerabilities in Windows XP or Office 2003: if new vulnerabilities are discovered, there will be no security patch to block them. Microsoft will, however, be providing virus signature updates and engine updates for its Windows XP security products. Anti-malware protection is essential but not sufficient for strong information security. Microsoft will continue to provide updates until July 2015 for its malware clean-up tools, but will not address the underlying causes of vulnerabilities.

We are likely to see other software vendors dropping support for running their applications on Windows XP. Using Microsoft's latest announcement as an excuse to put off a Windows XP replacement project for another year would be a brave choice. Windows XP was released before the modern imperative to develop software with security in mind. It is time to move on to a more secure platform, the sooner the better.

The SRA has advised that firms still using Windows XP should take appropriate actions to ensure they continue to protect their clients' data. What might those 'appropriate actions' include?
The starting point should be risk assessing all uses of Windows XP, considering different attack vectors including web browsing, file transfer and email, and the possible consequences and exposure if a PC were to be compromised. Firms should ensure that Windows XP machines are up to date with the Microsoft patches, and should also consider non-Microsoft updates such as third-party browsers, Java, and Flash. Security features built in to later versions of Windows that XP does not natively have (such as application blockers or drive encryption) are useful. Restrict the administrative access that user accounts have to XP machines and impose restrictions through group policy. Limit user accounts' access to other systems such as network shares. Windows XP machines should be considered a 'weak link', so actions should extend to the whole infrastructure, not just Windows XP workstations.
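The risk assessment above begins with knowing where the out-of-support systems are. The PowerShell script below is an added illustration, not part of the original article or of Ms Egan's advice: it queries Active Directory for computer accounts still reporting Windows XP or Windows Server 2003 and flags those not seen recently, which are often the stand-alone or print-room machines the earlier answer warns about. It assumes the ActiveDirectory RSAT module is installed and is run by a domain account with read access; the 90-day staleness threshold and the output file name are choices made for this example.

```powershell
# Added example (not from the article): inventory out-of-support Windows
# versions from Active Directory to seed a Windows XP risk assessment.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Products whose support status the article describes.
$outOfSupport = @(
    @{ Pattern = 'Windows XP*';          Note = 'support ended 8 April 2014' },
    @{ Pattern = 'Windows Server 2003*'; Note = 'extended support ends July 2015' }
)

# Hosts that have not logged on for this long are unknowns, not safe hosts:
# they may be unconnected from the network and invisible to asset tools.
$staleAfterDays = 90
$staleCutoff    = (Get-Date).AddDays(-$staleAfterDays)

$results = foreach ($entry in $outOfSupport) {
    $filter = "OperatingSystem -like '$($entry.Pattern)'"
    Get-ADComputer -Filter $filter `
        -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate |
    ForEach-Object {
        [PSCustomObject]@{
            Name        = $_.Name
            OS          = $_.OperatingSystem
            ServicePack = $_.OperatingSystemServicePack   # XP SP3 vs older SPs
            LastLogon   = $_.LastLogonDate
            Stale       = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $staleCutoff)
            # Parent OU, useful for checking which group policy applies to the host.
            OU          = ($_.DistinguishedName -split ',', 2)[1]
            Status      = $entry.Note
        }
    }
}

# Oldest logons first so unreachable machines surface at the top of the list.
$results | Sort-Object LastLogon | Format-Table Name, OS, ServicePack, LastLogon, Stale, OU, Status -AutoSize

# Keep a dated copy as evidence of the assessment (file name is an assumption).
$results | Export-Csv -Path ".\out-of-support-hosts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Machines that were never joined to the domain will not appear in this output at all, so the list is a starting point for the walk-round of conference rooms, print rooms and door-access or banking PCs, not a substitute for it.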

What would be the implications for law firms not taking appropriate action from both a regulatory and a practical perspective?
Data security breaches occurring as a result of inherent security flaws in Windows XP and Office 2003 would be the most serious implication for firms. The firm would almost certainly have to inform clients of the breach and, if the data of employees or individual customers were involved, those individuals also. If the breach fell within the category designated 'serious' by the Information Commissioner's Office (ICO), the threshold for which is quite low, it would also need to inform the ICO. The ICO would investigate the breach itself and the firm's data protection compliance. Regulatory sanctions could be imposed ranging from binding public undertakings to penalties of up to £500,000 per data protection principle breached. Equally concerning for the firm would be the ICO's 'name and shame' policy of publicising details of the breach.


Individuals suffering monetary loss or damage as a result of the security breach would be entitled to sue the firm. To make the firm's misery complete, it is quite possible a firm's corporate clients suffering loss or damage could sue the firm for negligence given that it is widely known that Microsoft are withdrawing support for these products.

How important is it for law firm chief information officers (CIOs) or heads of IT to keep on top of what the big tech companies are doing with their enterprise products?
CIOs should be reviewing the portfolio of systems in use in the organisation on a regular basis. They should have a firm understanding of the lifecycle of the systems in use and be anticipating the changes they will need to make in the coming years. Several big tech companies are undergoing change, reviewing the markets they operate in and withdrawing from some. Moving to new versions of enterprise systems may mean non-trivial changes in software licensing, with an increasing prevalence of subscription models and cloud-based offerings. These can be big changes, and the organisation may need to prepare for them over a number of years.

Interviewed by Sarah Perry.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.
