From detection to notification and response, a data breach will cost you, no matter your industry or company size. In fact, the average cost of a data breach in the United States is $7.91M. Many laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Fair and Accurate Credit Transactions Act of 2003 (FACTA), and Gramm-Leach Bliley Act (GLBA), exist to protect consumers from the fallout associated with private data mishandling and breaches. On top of monetary costs and legal ramifications, there’s also the matter of a tarnished reputation to deal with. As we know, word travels fast in the digital age and a business is only as good as its reputation.
Unlike other industries, those in the legal field have an additional consideration when it comes to safeguarding client data – ethical obligations. According to CNA Professional Counsel’s Safe and Secure: Cyber Security Practices for Law Firms, “These ethical duties arise primarily under Rules 1.1 and 1.6 of the ABA Model Rules of Professional Conduct. A violation of these ethical rules can give rise to a disciplinary action or a malpractice lawsuit against a lawyer and/or a law firm. For example, ABA Model Rule 1.6, subsection (a) provides that:
[a] Lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized to carry out the representation, or it falls within one of the exceptions under section (b).
Most states have adopted ABA Model Rule 1.6(a) or similar wording. Moreover, recent revisions to ABA Model Rule of Professional Conduct 1.6 added the following affirmative obligation for lawyers:
[c] A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
A number of states have since adopted this new language into their rules of professional conduct. Therefore, under this new ethical obligation, lawyers may now be required to make “reasonable efforts” to prevent the disclosure or access of client information.”
In a recent survey, over half of mid-sized and large law firms reported that their security practices have been audited by a client or regulatory body. So not only does the implementation of a strong security program protect you and your clients, it can also give you credibility and a competitive edge.
Not sure where to start? Apart from the basic measures you probably already employ (such as firewalls and anti-virus & spam protection), here are 6 essentials to keep in mind while building your cyber security program:
In a 2013 American Bar Association survey, all forms of encryption (file, email, full-disk, etc.) were the least used security feature by law firms. Encryption is the process of encoding information so that only authorized parties can access it, and it is a simple way to protect your data. Even though encryption doesn’t prevent interception, it does make your information inaccessible and unintelligible if it happens to be stolen.
Employee training is absolutely critical to your cyber security program’s success. To start, your firm should put internet usage and social media policies in place in order to protect your clients. Employees need to understand how to identify phishing emails and websites, how to protect portable media, and the do’s and don’ts of email. Training should be given on a frequent and consistent basis in order to reinforce best practices.
Your law firm probably uses a number of third party vendors to help with tasks such as e-discovery, legal research, payroll, human resources, and other non-legal services. A lawyer’s ethical obligations to their clients also extend to vendor conduct. According to ABA Formal Opinion 08-451, when outsourcing, a lawyer must “act competently to safeguard information relating to client representation against inadvertent or unauthorized disclosure”. It’s up to each law firm to ensure that their third party vendors are employing security basics in order to mitigate the risk of a data breach.
BYOD (bring your own device) is a policy where employees can use personal devices for work – reducing business costs and allowing greater freedom for employees to work wherever and whenever. It’s important for companies to have strict use guidelines in place so their BYOD policy doesn’t turn into a security nightmare. At the very least, company data should always be encrypted and the device should be password protected. Installing remote management software to track and wipe company data in the event of employee termination is also a good idea.
Password policies are a simple, effective, and inexpensive way to secure your network. Passwords should be random, long, complex, and frequently changed. Passphrases are also useful and sometimes easier to remember than a random string of letters, numbers, and special characters. You can check out our eBook, Passwords: Your Greatest Vulnerability, for more password tips.
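To make the “random, long, complex” advice and the passphrase alternative concrete, here is an added example (not code from the original post or its eBook) that generates passphrases and random passwords with Python’s CSPRNG and estimates their entropy. The 32-entry word list is a constructed sample chosen so the entropy math is exact; a real deployment would use a list of several thousand words. The `meets_policy` thresholds (14 characters with three character classes, or 20 characters for a passphrase) are illustrative assumptions, not a published standard.

```python
"""Passphrase and random-password generation with an entropy estimate.

Added example, not from the original post. WORDLIST is a small constructed
sample; a real deployment would use a list of several thousand words.
Policy thresholds in meets_policy() are illustrative assumptions.
"""
import math
import secrets
import string

# Constructed sample word list: 32 entries (2**5), so each word adds exactly 5 bits.
WORDLIST = [
    "anchor", "basket", "candle", "dragon", "eagle", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orbit", "parrot",
    "quartz", "rocket", "saddle", "tunnel", "umbrella", "violin", "walnut", "xenon",
    "yellow", "zipper", "acorn", "bridge", "cactus", "desert", "ember", "forest",
]

# 26 + 26 + 10 + 32 = 94 symbols for fully random passwords.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def make_passphrase(n_words=6, wordlist=WORDLIST, sep="-"):
    """Pick n_words uniformly at random from wordlist using the OS CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def make_password(length=16, alphabet=PASSWORD_ALPHABET):
    """Random string over the alphabet, one independent uniform draw per character."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(pool_size, choices):
    """Entropy of `choices` independent uniform draws from a pool of `pool_size`."""
    return choices * math.log2(pool_size)


def character_classes(secret):
    """Count which of lower/upper/digit/punctuation classes appear in secret."""
    return (
        int(any(c.islower() for c in secret))
        + int(any(c.isupper() for c in secret))
        + int(any(c.isdigit() for c in secret))
        + int(any(c in string.punctuation for c in secret))
    )


def meets_policy(secret, min_len=14, min_classes=3, passphrase_min_len=20):
    """Illustrative policy (assumption): a shorter secret must mix character
    classes, while a long passphrase is accepted on length alone, since its
    strength comes from the number of words rather than symbol variety."""
    if len(secret) >= passphrase_min_len:
        return True
    return len(secret) >= min_len and character_classes(secret) >= min_classes


if __name__ == "__main__":
    pp = make_passphrase()
    pw = make_password()
    print(pp, f"~{entropy_bits(len(WORDLIST), 6):.1f} bits (small sample list)")
    print(pw, f"~{entropy_bits(len(PASSWORD_ALPHABET), 16):.1f} bits")
```

Six words from this tiny list give only 30 bits; the same six words from a 7,776-word diceware-style list give about 77 bits, which is why the list size matters more than the separator or capitalization. A production policy should also reject secrets found in breached-password lists, which a length-and-class rule alone cannot catch.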
You probably don’t want to think about the worst-case scenario, but preparing for a data breach will make it that much easier to pick up the pieces if you fall victim to one. It’s wise to hire a third party to come in to assess your current network, address any liabilities or causes for concern, and maintain a strict set of security policies so that changes do not put you, or your clients, at risk.
New threats emerge every day. It’s important to recognize that it’s no longer a question of whether or not you need a security program. The American Bar Association’s 2017 Legal Technology Survey Report found that overall, 22% of respondents said that their firm has experienced a breach at some point. That’s a pretty significant number. The breakdown looks like this:
“Safe and Secure: Cyber Security Practices for Law Firms.” CNA, Professional Counsel, Mar. 2015, www.cna.com/web/wcm/connect/61aec549-ac28-457b-8626-aa791c782459/Safe_Secure_Cyber_Security_Practices.pdf?MOD=AJPERES.
“2017 Security.” American Bar Association, Dec. 2017, https://www.americanbar.org/groups/law_practice/publications/techreport/2017/security.