Cyber security threats are so pervasive that it’s not a matter of if your law firm will be hacked, but when. At a 2012 security conference, Robert Mueller (former FBI Director) said:
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again”.
Since then, the threat landscape has continued to grow at a breakneck pace. Every industry and every size of organization is at risk of a breach. Because a single firm holds sensitive information on many clients, law firms are seen by cybercriminals as “one-stop shops”: one intrusion yields data on dozens of clients, and that data is then put up for sale on the dark web. According to the ABA’s 2018 Legal Technology Survey Report, 23% of all firms have experienced a data breach. Contractual and regulatory obligations and the ethics rules alike make it your job as an attorney to safeguard client information. Unfortunately, this poses a serious challenge, as most law firms lack information security know-how. It’s time to protect your client data.
Threats
From basic breaches, like those resulting from a stolen laptop, to more elaborate hacking schemes, your client data is constantly in jeopardy. Here are a few things you’re probably doing right now that are putting your clients at risk:
1. Ignoring Basic Safeguards
The ABA 2018 Legal Technology Survey Report found that a significant number of firms have experienced an infection (viruses/spyware/malware). Infections can cause a leak or loss of sensitive data. Overall, 40% reported infections, 37% reported none, and 23% reported that they were unsure. The breakdown of reported infections based on firm size can be found below:
To combat this, every organization needs a comprehensive security program that addresses people, process, and technology. Basic cyber security technology safeguards are the foundation of that program. They include running up-to-date antivirus software, installing firewalls, keeping software and operating systems current by applying patches promptly and consistently, segmenting your network so one infected machine cannot reach everything, filtering spam, and backing up your data (and periodically testing that the backups actually restore).
2. Skipping Assessments
You can’t protect something if you don’t know it exists. To help prevent a data breach, take an inventory at least annually so you know what devices and data you have, where they are located, and who has access to them. It’s also important to conduct a security and risk assessment. How vulnerable is your information? What would the ramifications be if it were stolen? According to the American Bar Association, “Comment [18] to Model Rule 1.6 includes a risk-based approach to determine reasonable measures that attorneys should employ. The first two factors in the analysis are ‘the sensitivity of the information’ and ‘the likelihood of disclosure if additional safeguards are not employed’. This analysis should include a review of security incidents that an attorney or law firm has experienced and those experienced by others—generally and in the legal profession”.
Even though only 28% of law firms reported conducting a third-party assessment in 2018, it is a key first step in safeguarding client data, regardless of firm size. The ABA 2018 Survey Report found that law firm data breaches occur across the board: 14% of solos, 24% of firms with 2-9 attorneys and likewise 24% of firms with 10-49 attorneys, 42% of firms with 50-99 attorneys, and about 31% of firms with 100+ attorneys. Larger firms are targeted more frequently because they present a greater attack surface, with more clients, more data, and more technology; however, they also tend to have more resources to protect themselves. Smaller firms may have a smaller target on their back, but it’s a target just the same, and they typically operate with far fewer protections in place.
3. Phoning in Your Passwords
Most attorneys use many password-protected applications and programs, so it’s tempting to reuse one simple, easy-to-remember password everywhere. Don’t! A password exposed in a breach at one site will be tried against your email, document management, and banking logins next. Mandate that every person in your firm use a strong, unique password on every account and device (laptop, desktop, smartphone, tablet, etc.). A strong password is long first and complex second: each added character multiplies the work an attacker must do, whereas swapping a letter for a symbol barely moves the needle, and a phrase of several unrelated words beats a short, heavily punctuated string. If remembering dozens of unique passwords sounds impossible, a password manager makes the job easier. A password manager is an encrypted repository of all your passwords; you remember only the master password, so make that one long, never reuse it anywhere else, and turn on multi-factor authentication for the manager wherever it is offered.
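The checks a firm would run to enforce the policy above (minimum length, no common or year-based passwords, no password shared across accounts) are shown here as an added example; this code is not part of the ABA report or of any product mentioned on the page. The inventory, the 12-character minimum and the 60-bit entropy threshold are all constructed assumptions, and in practice you would run such checks against password hashes or inside a password manager rather than on plaintext.

```python
"""Password hygiene audit over a constructed account inventory.

Added example for this section; not from the ABA report or any vendor.
Everything in INVENTORY is made up. A real audit never gathers plaintext
passwords like this; the point is to show what the checks look for."""
import hashlib
import math
import re
from collections import defaultdict

# Constructed sample of (account, password) pairs.
INVENTORY = [
    ("dms.example-firm.com / jsmith", "Summer2018!"),
    ("mail.example-firm.com / jsmith", "Summer2018!"),   # same password reused
    ("vpn.example-firm.com / jsmith", "P@ssw0rd"),
    ("mail.example-firm.com / alee", "quiet-harbor-ledger-maple-lantern"),
    ("dms.example-firm.com / alee", "tr0ub4dor&3"),
]

MIN_LENGTH = 12        # assumed firm policy minimum; adjust to your own
MIN_ENTROPY_BITS = 60  # assumed threshold for the rough estimate below
COMMON = {"password", "p@ssw0rd", "123456", "welcome1", "letmein"}


def estimate_entropy_bits(pw: str) -> float:
    """Rough ceiling on entropy: len * log2(pool), where the pool is the union
    of character classes actually present. Dictionary words make real entropy
    far lower, so treat this as an upper bound, never a guarantee."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def weaknesses(pw: str) -> list:
    """Policy findings for one password; an empty list means it passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    if pw.lower() in COMMON:
        findings.append("common password")
    if re.search(r"(19|20)\d\d", pw):
        findings.append("contains a year")
    bits = estimate_entropy_bits(pw)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"low entropy (~{bits:.0f} bits)")
    return findings


def audit(inventory) -> dict:
    """Audit every account and flag any password shared between accounts.
    Reuse is detected by comparing SHA-256 digests, so the comparison itself
    never needs the plaintext once each digest is computed."""
    report = {}
    by_digest = defaultdict(list)
    for account, pw in inventory:
        report[account] = weaknesses(pw)
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(account)
    for accounts in by_digest.values():
        if len(accounts) > 1:
            for acct in accounts:
                others = ", ".join(a for a in accounts if a != acct)
                report[acct].append("reused on " + others)
    return report


if __name__ == "__main__":
    for account, findings in audit(INVENTORY).items():
        status = "OK  " if not findings else "FAIL"
        print(f"{status} {account}: {'; '.join(findings) or 'passes policy'}")
```

Note that the 33-character passphrase passes every check while the 8-character "P@ssw0rd", with all four character classes, fails three of them; length is what moves the estimate.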
4. Not Fully Utilizing Your Human Firewall
One of the leading causes of data breaches is human error. All it takes is one wrong click on a link in a phishing email, one download of a malicious program, or one confidential document accidentally sent to the wrong person, and your network (and everything on it) is exposed. With the right training, your employees can go from being your biggest liability to your most powerful asset.
Here are 5 topics your firm should include in its cyber security curriculum:
- PII procedures
- Internal and external security threats
- Phishing awareness
- Password policies
- Physical device protection
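To make the phishing-awareness topic concrete, the following added example (not code from the ABA or any vendor named on the page) inspects a constructed wire-fraud lure for the four indicators staff are usually taught to look for: a lookalike sender domain, a display name that borrows a trusted brand, a Reply-To that goes somewhere else, and a link whose visible text does not match where it points. The trusted-domain list, the message and the two-character edit-distance threshold are assumptions; a mail gateway would add header-authentication results (SPF/DKIM/DMARC) that a standalone script cannot see.

```python
"""Phishing indicator check over a constructed e-mail message.

Added example for this section; not from the ABA report or any vendor.
The message, domains and thresholds below are made up for illustration."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the firm actually deals with.
TRUSTED_DOMAINS = ("example-firm.com", "example-bank.com")

# Constructed lure: brand in the display name, lookalike sender domain
# (digit 1 for letter l), Reply-To elsewhere, link text != link target.
RAW_MESSAGE = """\
From: "Example Bank Wire Desk" <wires@examp1e-bank.com>
Reply-To: desk@mail-secure-login.net
To: partner@example-firm.com
Subject: Urgent: confirm escrow wire instructions
Content-Type: text/html

<html><body>
<p>Please confirm the updated wire instructions before 5pm today.</p>
<p><a href="http://example-bank.com.secure-login.net/confirm">https://example-bank.com/wires</a></p>
</body></html>
"""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname (fine for .com; a real tool would use the
    public suffix list to handle co.uk and similar)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    # 1. Sender domain is close to, but not equal to, a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and edit_distance(from_domain, trusted) <= 2:
            findings.append(f"sender domain {from_domain} resembles {trusted}")
    # 2. Display name borrows a trusted brand while the address does not match.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display.lower() and from_domain != trusted:
            findings.append(f"display name mentions '{brand}' but address is @{from_domain}")
    # 3. Reply-To sends answers to a different domain than the sender's.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if "@" in reply and registrable(reply.split("@")[-1]) != from_domain:
            findings.append(f"Reply-To domain {registrable(reply.split('@')[-1])} differs from sender")
    # 4. Link text shows one domain but the href points at another.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_dom = registrable(urlparse(href).hostname or "")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable(shown.group(1)) != href_dom:
            findings.append(f"link text shows {registrable(shown.group(1))} but points to {href_dom}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(RAW_MESSAGE):
        print("FLAG:", finding)
```

Any one of these indicators on its own can be innocent (marketing mail routinely sets a different Reply-To), which is why training teaches staff to pause on the combination, especially when paired with urgency and a request to move money.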