Law Firm Hacked? Here’s How to Prepare and Implement a Proper Response Plan

Law firms have always been a popular target for cybercriminals, but in recent years, an increase in online fraud and theft schemes targeting lawyers has been apparent.

This is has been especially true over the last year, with lawyers working from home more often as a result of the COVID-19 pandemic. Cybercriminals see lawyers working from home as easy targets since they do not have the infrastructural security and support that protects them when working at their offices.

While cyber attacks in which confidential data is compromised are the most severe types of hacking attacks your law firm could face, it’s important to remember that even attacks that might seem much less severe could prove to be very costly.

For example, say your law firm’s marketing website is hacked. What type of effects could it have on your business?

• Your search engine rankings and visits to your website could plummet because Google will not recommend unsafe websites that can potentially compromise user safety.
• Visitors will refrain from using your contact forms to provide personal information.
• Many of your marketing campaigns that are automated could potentially be sabotaged.

Lawyers need to be fully aware of the fact that both minor and major hacks can result in significant business losses, prolonged periods of recovery, and a myriad of expenses, legal and otherwise.

Why Are Lawyers Targeted By Cybercriminals So Often?

It’s really isn’t hard to understand why law firms are such popular targets. There are not many other professions, outside of politics, that deal with the sheer amount of valuable documents that lawyers typically have access to. Not just sensitive personal and private client information, but also very valuable business documents related to finances, mergers and acquisitions, transactions, due diligence, business strategies, and much more.

Hackers stand to profit from such attacks in a variety of ways. Some of the most common include selling the information to third parties or holding your data hostage until your law firm has paid a ransom for it.

Obviously, being hacked and having much of the valuable information your law firm stores compromised can be absolutely devastating for you and your clients. And as lawyers know best, these types of issues can lead to lawsuits being filed against you by your clients. They can also lead to compliance violations and could put your good reputation in jeopardy and cripple all of the efforts you have put into marketing and growing your law firm.

It’s clear that law firms need to put a significant amount of effort towards creating processes and plans aimed at protecting their practice from hackers. That includes outsourcing cybersecurity experts or hiring them in-house if their budget permits and, most importantly, educating their staff about the multitude of cyberthreats that exist and what they can do to avoid them.

But no matter how robust your risk management plan is, hacking attacks are practically unavoidable these days and are bound to occur sooner or later. Hopefully, when an attack does occur, the efforts you have put towards mitigating these threats have paid off and the hack doesn’t end up being disastrous.

However, even a minor hack can turn into a big problem if you don’t know how to handle it. In order to respond to the attack appropriately and escape with as little financial and reputational damage incurred as possible, you need to have a plan that deals with the aftermath of the attack.

This is commonly referred to as an incident response plan (IRP).

The Importance of a Good Incident Response Plan

How effective your law firm is in dealing with a hack will all depend on how much effort was put into planning for it. That’s what an incident report plan is all about; being ready and knowing exactly what to do when a cyber attack does occur.

Creating a good incident response plan entails planning in advance and looking at your firm and the potential threats it faces in a very holistic way. Your IRP should not only focus on possible data breaches, but also insider hacks and employee theft schemes, malware attacks, social engineering, stolen equipment, and any other type of incident that could qualify as a hacking attack perpetrated against your law firm.

Large law firms tend to understand the importance of both protecting themselves and planning their responses to attacks. However, smaller firms often wrongfully assume that their chances of being targeted are much smaller, which is absolutely untrue.

If you take a look at general cyber attack statistics, it’s plain to see that small businesses are attacked just as regularly as large corporations. According to a recent survey, 47% of small businesses surveyed experienced a cyber attack over the past year, and out of those, 44% experienced several.

That’s why it’s never too early to both develop and implement a plan for dealing with possible attacks when they do occur. Remember, having no plan and simply reacting to a hacking attack with no structure or process in place can prove to be more costly than the attack itself.

So where do you start when it comes to trying to put together a strong IRP for your law firm? While no two law firms are the same, there are plenty of key aspects of an attack and your response to it that just about every law firm should take into consideration.

Putting Together a Proper IRP for Your Law Firm

The length and complexity of your incident response plan will obviously depend a lot on the size of your firm, the amount of data at risk, and the sensitivity of that data.

And while your law firm might not need to include all of these steps in its IRP, here is a general list of steps that are most commonly recommended for businesses of any size that when responding to and recovering from any type of cyber attack.

Contain the Damage and Begin Recovery Procedures

Your IT security team, whether in-house or outsourced, is obvious your first line of defense. So it makes sense that they will be the first group of people who will become aware of the attack and kick off the procedures that are defined in your incident response plan.

Containing the damage is all about closing the doors that hackers used to gain access to your firm’s data. This process can and will include a majority of the following steps:

• Changing all passwords for all servers, devices, and even emails.
• Securing Wi-Fi routers; especially if the attack occurred at a home office.
• Pinpointing what data has been compromised.
• Verifying data encryption protocols.
• Identifying and preserving logs for all your information systems so that investigators will be able to access them.
• Scanning all servers.
• Running malware and virus scans.

If you can swing it financially, getting a digital forensics consultant involved in the process at this early stage is also prudent. If you have the right insurance policy in place (which we’ll talk about later), your insurer will usually pay for these types of services of the attack is covered by your policy.

Having a professional investigate the hack can help you catch issues that your team might have missed and it will definitely help you in the process of remediating the breach and beginning the process of recovering and re-securing the data that has been compromised.

Talk to a Data Breach Expert

Yes, you are a law firm, but data breaches and hacking attacks might not be your expertise. Many large firms have departments focused on security and data breach response, but smaller firms might have to outsource help.

A skilled and experienced data breach lawyer can be invaluable throughout this process and even lead your IRP team. The fact that this lawyer will be able to preserve a lot of the privileged information related to the investigation is also a plus.

Notify Your Insurance Provider

Hopefully, you’ve purchased insurance to protect you from these types of threats. A combination of a cyber liability policy and a legal professional liability policy should provide enough coverage for most law firms.

If you have purchased coverage, locate your policies and contact your insurer as soon as possible. Even if there were no losses, you should contact your insurer for the following reasons:

• Notifying them right away covers you in the event that a loss slipped through the cracks initially and led to a future claim being filed against you.
• Showing the insurer that you have a response plan and that you were vigilant in dealing with the attack can help stop your premiums from soaring in the future.

Contact Law Enforcement

It’s important to remember that a hacking attempt is a criminal attack on your business. Even if it wasn’t successful, you should still report the attack to authorities.

For cyber attacks, the best course of action is to contact your local FBI Field Office. You can also file a complaint through the Internet Crime Complaint Center.

Notify All Affected Third Parties

One of the most difficult aspects of dealing with a hacking attempt is notifying all third parties (clients, partners, etc.) that might have been affected by the breach without giving all of the details of the attack.

Transparency is important, but it’s also a good idea to keep the news of the attack as contained as possible, if circumstances permit. Your notification plan needs to be very detailed and should be handled with great care.

What makes striking a balance so difficult is the fact that you need to react quickly and notify third parties that have possibly been affected, but you might not have all of the details and facts at your disposal in these early stages of your incident response plan.

While it might seem counterintuitive, saying less might do more towards limiting damage than trying to be as detailed as possible.

As soon as you are certain that specific third parties have been affected, you need to alert them and give them all of the information that you currently have at your disposal. If only a handful of third parties were affected, then a phone or email to these specific partners and clients is in order.

In the most extreme cases, you’ll have to put together a press release. Your hope at this early stage of the IRP is that your team is on top of it and that you will be able to provide assurances to these third parties that you are doing everything within your power to limit the damage.

Focus on Compliance

Compliance is obviously a very important aspect of running a law firm. All states have data breach notification laws, which makes it important to include all relevant compliance guidelines in your incident response plan.

In some cases, you might have a legal obligation to contact your state attorney general. Requirements can vary greatly from state to state, which is why it’s important to make sure that all relevant data breach regulations are included in your plan.

The American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack in 2018. This opinion followed Formal Opinion 477R, issued a year earlier, that outlined the ethical obligations of attorneys to secure confidential client data when communicating via the Internet.

Opinion 483 gives explicit guidance on how these types of situations should be handled, stating that “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the Internet, external data sources, and external vendors providing services relating to data and the use of data.”

Review and Update Your Plan

Every time a breach occurs (hopefully, not very often), your law firm is provided with the opportunity to take a closer look at your incident response plan and see if the latest data breach requires updates to be made to your security protocols and policies.

Even if no hacking attacks have occurred, your IRP should mandate an annual review at the very least. When a breach does occur, be sure to use the incident to reflect on how bad the breach could have been and what you can do to improve your cybersecurity.

It’s also important to take the time to review and update your risk management plan and refresh both your security protocols and the training plans, education, and best practices you have installed for your employees.

Mitigating the Financial Risk of Cyber Attacks with Insurance

We’ve already talked about the two most important plans that you need to implement in order to protect your law firm from cyberthreats; one preventive risk management plan and one reactive incident response plan.

But to provide the best possible protection for your law firm from hackers and other types of cybercriminals, there’s still one missing piece—transferring some of the financial risk to a third party. That can be done by purchasing business insurance.

Many of the steps we’ve listed in the incident response plan can be costly ones if your law firm is going to be paying for everything by itself. Having the right insurance program for your law firm can alleviate the burden of these costs greatly.

When talking about hacking issues, cybercrime, and data breaches, cyber liability is the key insurance policy that lawyers need to consider.

A proper cyber liability policy will cover both first and third-party losses. First-party coverage covers your lost data and income while third-party coverage covers your liability to clients and various federal and state regulatory bodies.

Your cyber policy will typically cover all expenses related to data loss, recovery, and recreation, computer fraud, cyber extortion, and business interruption loss of revenue related to a cyber attack.

The policy will also cover the costs of notifying all affected parties, credit monitoring costs, civil damages if your law firm is sued by affected parties, computer forensics consultations to help uncover the source of the cyber attack, and even reputational damage and PR costs that might arise from a serious data breach.

Two other policies that could help give you more holistic protection from cybercrime risks are legal professional liability and commercial crime insurance.

Professional liability insurance is easily the most important policy that all law firms need to purchase as soon as they open their doors. It covers the costs of potential claims that clients and partners can file against you if they believe that they suffered losses as a result of a mistake made by your law firm while providing professional services.

Many hacking attacks and data breaches result from professional errors or omissions made by employees, so it’s easy to see how such a policy could help protect you in these types of circumstances.

If the hacking attack was in some way perpetrated or assisted by one of your employees, a commercial crime policy could provide you with added protection and could cover gaps that might exist in your cyber liability policy that are related to employee crimes.

If you’re a law firm looking to build a strong insurance program that can help protect your business from a wide variety of common risks related to the legal profession, don’t hesitate to reach out to one of our brokers.

Our legal practice is made up of dedicated brokers who all have years of experience working specifically with law firms and helping them get the best coverage for the best price possible.