A Guide to Data Security for Law Firms in 2020
The average person might assume the files on a lawyer’s laptop are essentially a bunch of boring documents, but hackers know the hard truth about that hard-drive.
Lawyers must adhere to attorney-client privilege which means any information a client shares with their attorney is to remain confidential — therefore, any testimony or information given by the lawyer is inadmissible in court.
Essentially, what this means is that lawyers have access to trade secrets, intellectual property, and figurative skeletons in the closets of their clients. And while it’s not a stretch to think that a multinational corporation can afford a sophisticated cybersecurity strategy, many law firms either cannot afford much in the way of cybersecurity or do not prioritize it.
This is why law firms have become targets within the hacker community. They contain all the desired information with less cybersecurity, on average.
In this guide to data security for law firms, we detail what obligations lawyers have to their clients regarding data protection, the risks of being hacked, examples of cyber-attacks, and strategies to prevent, detect, and defend against intrusions.
Table of Contents
- Obligations and Responsibilities for Law Firms
- Risks of Attack
- Examples of Law Firms Under Cyberattack
- Security Audits
- Data and Security Policies
- Tips for Your Law Firm’s Data Security
Obligations and Responsibilities for Law Firms
The American Bar Association (ABA) has held lawyers to the ethical and model rules of professional conduct since they were approved in 1983. These rules are the internal compass for lawyers to use when navigating various scenarios and interactions with clients.
Rule 1.6, regarding the confidentiality of client information, states that, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Basically, this means lawyers must make efforts to protect their clients’ data.
In 2018, the ABA issued Formal Opinion 483, which discusses the importance of data protection and how to handle the inevitable security breach. The opinion states matter-of-factly that the risk of law firms experiencing a data breach is not if, but when. The opinion outlines requirements for before, during, and after a cyberattack targeting law firms:
As you can see, there are regulations in place that lawyers must make reasonable efforts to protect their data, react when a breach is suspected or detected, and inform any clients that may have been impacted by the breach.
In the sections to follow, you’ll see just how prevalent the risks are for law firms, case law that shows how liable law firms are for data breaches, and tips to increase your firm’s security processes.
Risks of Attack
The threat landscape for law firms, and businesses more generally, has increased as more and more of our daily life and work is conducted online.
Just consider one of your firm’s top attorneys and how they allocate their time during work and life. Perhaps they start the day by checking email, update their status on Facebook, make a client call, and send a follow-up email with sensitive information attached. Not one, but every single one of these actions exposes information that hackers can use to infiltrate your law firm.
They may have fallen victim to email spoofing, which forges the sender and can include malicious attachments or links. Hackers could use their Facebook status to tailor a hack based on location or personal information to identify potential passwords.
Cyber attacks against law firms are not a new phenomenon, but the rate of incidence and year-over-year growth is staggering. In fact, according to the ABA, up to 42% of law firms between with up to 100 employees have experienced a data breach.
We’ve already discussed why hackers target law firms (because they typically have information hackers want from their clients, with less security), but we haven’t discussed their motives for obtaining this information.
1. Information ransom
Most hackers seek financial gain in one way or another. Hackers see the value of the information to your law firm as leverage for extracting money (likely cryptocurrency).
Once they have breached your database, retrieved the artifacts, and encrypted the data, they will send a notice of ransom before decrypting the data with the threat of releasing the information publicly. The public release of this information can have long-lasting repercussions, such as financial or physical damage to clients, damages to your firm’s reputation, and malpractice lawsuits from clients.
2. Insider trading schemes
Another method for hackers to profit from the data they extract from your firm is to make investment decisions based on the confidential information regarding your clients such as financial statements, mergers and acquisitions, financing deals, lawsuits, and more.
For example, your client is in the process of acquiring a top competitor and, if the deal is successful, will materially impact the stock price. If a hacker accessed pertinent information surrounding the deal, they could use that to buy (or sell) the stock based on this insider information.
Other risks and consequences of data breaches are a hacker bringing down your network, restricting access to information required for your work, or otherwise disrupting your billable hours. If you or your associates can’t access the necessary information to conduct client work, then your billables will suffer.
Other costs and consequences include hardware replacement, cybersecurity consulting fees, and, of course, client churn.
Hackers can come from a number of sources. There are nation-state actors who are acting on behalf of another country to manipulate the market or leverage information geopolitically, organized crime looking to exploit information for financial gain, or compromised insiders.
Examples of Law Firms Under Cyber Attack
1. Wengui v. Clark Hill Law Firm
In 2016, Chinese businessman and political dissident, Guo Wengui, hired the international law firm Clark Hill to help apply for political asylum in the US. Wengui explained to the team at Clark Hill that the Chinese government had made him the target of ongoing cyberattacks and that it was likely they would experience similar attacks.
Sure enough, on September 12, 2017, Clark Hill’s servers were hacked, compromising Wengui and his wife’s passport information and their application for political asylum, which was then shared online. The hacks were widely believed to be orchestrated by the Chinese government.
After this event, Clark Hill tried to absolve itself of any liability by dropping Wengui as a client. Wengui then brought a $50 million suit against Clark Hill for breach of fiduciary duty, breach of contract, and legal malpractice.
The case is ongoing but the court held that Wengui pleaded viable claims for malpractice.
2. The Panama Papers
One of the largest data breaches of all time occurred back in 2016, in which more than 2.6 terabytes of data, or 11.5 million documents, were extracted from the international law firm Mossack Fonseca with headquarters in Panama.
The breach exposed data regarding the firm’s participation in forming shell companies for offshore wealth management. Many world leaders were implicated in the breach, including Russian President Vladimir Putin, who was linked to $2 billion in offshore accounts.
3. Class Action Suit for Threat of Data Breach
Over the last few years, lawsuits have begun to emerge based on the threat of data breach, even before any data has been compromised.
For example, Chicago based law firm Johnson & Bell is the defendant in an ongoing case where the plaintiff argues their web portal is vulnerable to attack and therefore continues to put client information at risk.
Johnson & Bell argue their system is secure, but their servers are running on an outdated JBoss software that has known vulnerabilities. With clients in the healthcare, insurance, and other industries, Johnson & Bell have significant targets in the form of sensitive business information such as financial statements, merger and acquisition deals, and more.
If the judge rules in favor of the plaintiff, a new precedent will be set regarding how law firms are expected to manage and maintain client data.
There are two kinds of security audits: internal and external. The former is conducted by your team, the latter by external auditors.
Below, we provide a checklist for your internal audit:
- Why? Almost two-thirds of breaches are linked to external vendors*
- Why? Insider threats are among the top 5 threat types in cybersecurity
Data and Security Policies
Many people ask, “how do I know if my account information has been compromised?” The very nature of this question assumes a hacker has already breached the system and a method of detection is all you need. This is a retroactive mindset: You should strive to be more proactive by forming systems and processes for prevention.
Let’s cover some policies that can help prevent attackers from exploiting vulnerabilities in your systems.
1. Create a security feedback loop
Having an email address for users to contact your security team if a vulnerability is believed to exist can help avoid exploits down the line. Some companies even offer a bug bounty, where they incentivize security experts to alert them of potential issues and receive compensation, instead of simply exploiting the bug for financial gain.
A growing number of sites are implementing a security.txt standard, which offers a centralized place for sites to define their security policies. This can help individual security researchers who find vulnerabilities quickly and easily report them.
2. Regularly check and update permissions
Not everyone in your organization needs a key to every door in the building, hypothetically speaking. When considering what level of access each employee should have, you should consider the minimum level of access possible. Or to continue with our example, figure out the minimum number of doors this person needs access to, and give them keys to those doors and those doors only. This is known as least privilege access.
You can automate the process of re-certification and/or revocation of access. This process becomes especially important when employees get promoted or resign. You should have a recurring event when all permissions within the company are re-evaluated.
3. Maintain an audit trail of data access
It’s important to have a process in place to track irregularities in regard to data touchpoints to help highlight when an administrator’s account has been compromised, the employee has gone rogue, or any number of other scenarios.
A User and Entity Behavioral Analysis (UEBA) tool, uses sophisticated machine learning algorithms to analyze and highlight any unusual activity within your organization.
For example, if an IT Manager has historically downloaded 100 MB of data on a daily basis to run reports, your UEBA tool would signal if and when a deviation of significant magnitude occurred. For example, if one day the IT Manager downloaded 100 GB of data (1,000x) this would trigger an alert.
4. Enforce strong passwords
One of the most common entry points for hackers is through insecure passwords. If you have ever used “password” as a password or reused a password for more than one account login, you are not alone. According to a survey by Google, 65% of users reuse passwords for multiple, if not all, accounts.
When creating a password, ensure your system has a validation in place to reject passwords that do not meet minimum criteria. It’s also recommended that you have employees, clients, and anyone else with access to your system reset their passwords regularly.
5. Use multi-factor authentication
Many breaches could have been thwarted by multi-factor authentication. The most common form is two-factor authentication, where the user must provide at least two pieces of evidence regarding their identity.
Commonly, when a user is logging into a web portal, a unique code will be sent via an SMS text message to verify the person logging in has access to the phone number on file. Other forms of multi-factor authentication include security questions, captcha, and more.
6. Stay up-to-date with government regulations
Data and privacy have taken center stage in many regulatory arenas around the world. From GDPR in Europe to CCPA in California, understanding how to comply with regulations where you practice law is essential to protect your clients and their data.
For example, to be GDPR-compliant, a company is legally required to have a nominated Data Protection Officer responsible for the inflows and outflows of data.
7. Incident Response Plan
The incident response plan is how your team will handle the various phases of attack, including:
- Detection: Discovery of the event through software tools, unusual activity, or reports by personnel or outside sources.
- Containment: The triage stage where the compromised component is identified and isolated.
- Investigation: Determine the entry point and scope of the attack.
- Remediation: Repair systems affected by the breach, notify affected parties, report to law enforcement if necessary, conduct a post-mortem of the attack.
- Recovery: Use the lessons learned from this attack to iterate your process and improve.
Tips for Your Law Firm’s Data Security
With the threat of malpractice for mishandling your client data, implementing processes to prevent data security breaches is the most responsible course of action after having adequate professional liability insurance coverage.
Here are some tips for your law firm to lower the chances of getting hacked:
It’s clear that law firms are under a constant threat of cybercrime and must take steps to defend their clients’ data. Don’t wait until it’s too late, take steps today to prevent future data breaches and the consequences that follow. Akin to the need for having adequate insurance for your law firm, having adequate data protection is essential.