Cybercrime is evolving rapidly, and hackers are always on the lookout for high-return victims. In their search for sensitive and valuable data such as trade secrets, financial reports, intellectual property, and business strategies, some cyber thieves view the legal industry as a prime hunting ground for their nefarious activities. Law firms in our nation's capital and the surrounding areas are no exception, and may actually be even more attractive targets to cyber criminals, due to the high-profile nature of clients in DC.
Data theft at any enterprise can have tragic consequences. Accounting firms, medical offices, and engineers also have privileged information, but law firms must set an especially high bar regarding data protection because of client confidentiality. Loss of a client’s trust because their data was compromised while in the possession of their lawyer can be crippling to a law firm’s reputation. Whether your law firm is small or large, the same basics apply to establishing a security program.
1. Top-Down Awareness is Essential
Senior partners should set the security tone "from the top." This includes high-level directives regarding the privacy and security of both in-house and client data. Enterprise policies and guidelines on remote access, encryption, bring-your-own-device (BYOD), corporate email, and social networking should be clear to all. Cultivate a culture of data security. Make sure that all employees, from the most senior partners to the newest mail clerks, feel like members of the security team. Data loss prevention and protection at a law firm is an all-in issue that involves everyone—attorneys, management and support personnel, not just the IT staff.
2. Inventory and Prioritize
Know your software and its capabilities. Categorize your data and assign risk priorities. Not all data is equal. Extremely sensitive material carries the highest risk and causes the most harm if breached. This information may require stronger security measures such as stronger encryption and tighter access controls. It may even require separate servers.
Antivirus software is essential, but it does not detect all threats. Deploy the necessary technologies for encryption, intrusion prevention and detection, security event management, and system monitoring. This may require outsourcing through a managed services provider (MSP).
3. Recognize the Source of Threats
In general, data leaks result from one of three sources—external attackers, internal actors, and user error. External attackers may be competing law firms, or opposing sides trying to compromise a case. Or they may simply be cyber vandals like hacktivists, who are anarchists wishing to harm the law firm and/or its client(s). Internal threats could include a disgruntled employee who, for whatever reason, wants to harm the organization or steal valuable data.
As egregious as this type of cyber-crime is, the majority of data loss occurs because of user error. The human factor is where most of the risk lies. Lost laptops, misplaced thumb drives, and unencrypted emails are just some of the security lapses that law firm employees at all levels commit.
4. Rehearse and Respond
Have a plan in place in case of a data breach. Rehearse it by running regular crisis simulations that specify what data has been compromised, when the incident occurred, and who will be notified.
Cyber forensic authorities may need to be contacted, as well as clients. Law firms, and other businesses, are subject to breach notification laws. Be prepared to outline your security program and show that it complies with accepted policies and procedures.
5. Ignorance is No Excuse
The American Bar Association states that attorneys have a responsibility to their clients to keep up with the benefits and risks of “relevant” technology.
Like it or not, lawyers now have to be tech-savvy and very aware of the rapid changes in information technology. A law firm practicing today without a sound cybersecurity policy in place is placing both its own and its clients’ data at risk.