Best Practices for Securing Your Law Firm’s Sensitive Documents
One of the hallmarks of the legal profession is that clients entrust their lawyers with very sensitive personal information. This means that law firms, no matter what size they are, often store on their work computers and networks a multitude of files documenting their clients’ trade secrets, financial reports, healthcare information, and other privileged information related to cases.
This information is not only sensitive, it’s also very valuable, which makes it attractive to cybercriminals. To make matters more difficult, law firms also tend to be very vulnerable to data breaches. According to the 2020 ABA Legal Technology Survey Report, the number of law firms that experienced a known security breach rose to 29% in 2020.
This combination of value and exposure creates a perfect opportunity for cybercrime. Cybercriminals are well aware of how valuable the data stored on a law firm’s network is and how vulnerable to cyberattacks attorneys tend to be on average.
However, there’s a third component that makes it especially important for law firms to secure their documents: the potentially devastating cost of a data breach. If clients allege that they suffered damages from their information being leaked, they can sue for legal malpractice. These claims can be fairly costly, both monetarily and reputationally.
In this article, we’ll cover key steps attorneys need to take when securing law firm documents, what obligations they have to their clients, and what methods cybercriminals will use to get their hands on confidential data.
How Do Regulations Influence Law Firm Data Security?
Currently, no federal regulation exists concerning a law firm’s cybersecurity duties. However, certain clients, such as medical practitioners or financial institutions, are regulated, and law firms may need to take special precautions to protect the data of such clients.
State boards regulate the duties and responsibilities of a lawyer towards client data. Violating these rules could result in an official reprimand or even suspension or disbarment.
The American Bar Association (ABA) issued Formal Opinion 477R, giving lawyers uniform guidelines for assessing their cybersecurity and better protecting client data. The opinion is not legally binding, but it does offer a model for when and how a higher degree of security should be attained.
How Can A Law Firm’s Documents Become Compromised?
Cybercriminals are getting more creative and sophisticated each year and are constantly opening new vectors of attack. However, there are several types of attacks that law firms commonly face. These can be broadly categorized as malware, social engineering, and man-in-the-middle attacks.
Malware Attacks: Malware attacks rely on specially designed, malicious software to breach a law firm’s systems. A user simply needs to click on an infected link or download a file for the company’s systems to be compromised. This malicious software can copy data from your online and offline storage systems and send it to criminals.
Phishing Attacks: Phishing attacks are extremely hard to plan for and deal with because they rely on human error to create opportunities for cyberattacks. In these cases, the cybercriminal will impersonate a legitimate entity that should have access to sensitive information and then simply ask to be provided access. These types of attacks have a higher success rate when employees are working from home, as many are currently because of the ongoing pandemic.
MITM Attacks: In a MITM (man-in-the-middle) attack, the criminal positions themselves in a conversation between two entities—in this case, typically a legitimate user and an application—with the goal of intercepting or altering the exchanged information. The user believes the transaction is legitimate and unknowingly gives the cybercriminals access to sensitive information.
How To Protect Your Law Firm’s Documents
The National Institute of Standards and Technology (NIST) provides data security standards that are recognized by the federal government. These standards are not mandatory, but their implementation can be considered sufficient protection for most law firms.
Implementing these standards can greatly reduce the chance of your firm losing a malpractice lawsuit and increase your overall cybersecurity.
The NIST standards require law firms to take the following seven steps:
Step 1: Locate and identify the systems that contain the sensitive data in question.
This includes, but is not limited to, files on your computers, the firm’s cloud storage solutions, and portable hard drives.
Step 2: Classify and segregate sensitive information.
Separating the confidential and critical data from other, less valuable files will help streamline your cybersecurity efforts and will also make auditing and forensics after a potential attack more efficient.
Step 3: Limit access to sensitive data.
Only authorized employees should be allowed access to files that contain sensitive client data. It’s also important to ensure that expiration dates have been set on these authorizations to ensure that old and closed cases won’t be exposed.
Step 4: Implement data encryption.
Data encryption is the process of translating data into a format that is unreadable without the corresponding key. It makes it far more difficult for cybercriminals and bad-faith actors to access your law firm’s sensitive data, even if they obtain a copy of the files.
Step 5: Monitor who has access to sensitive data.
Monitoring user activity will not only help establish responsibility for any incidents but also help your team discover that something is amiss and stop breaches before they happen.
Step 6: Provide employee training.
Knowledge is the best defense against cybercriminals. Educating lawyers and other legal staff about the risks related to data breaches and cybersecurity is a crucial step in ensuring that your documents are secure.
Step 7: Assess your cybersecurity protocols.
Examining all security systems and procedures that your firm has in place will give you a realistic overview of what your exposures are and how they can be addressed.
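Steps 3 and 5 above can be expressed as a small access-control routine: every grant to a matter carries an expiration date, every decision is logged, and lapsed grants can be audited. The following Python is an added example, not code from the article or from NIST; the matter identifiers, user names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorization:
    """One grant: a named user may open documents of one matter until `expires`."""
    user: str
    matter_id: str   # hypothetical matter/case identifier, e.g. "M-2021-014"
    expires: date    # the grant lapses after this date (e.g. when the case closes)


class MatterAccessControl:
    """Deny-by-default access check with expiring grants and an access log."""

    def __init__(self, grants):
        self.grants = list(grants)
        self.log = []  # every decision is recorded: who, which matter, when, allowed?

    def is_authorized(self, user, matter_id, today):
        # Step 3: access requires a matching, still-valid grant; nothing else counts.
        return any(g.user == user and g.matter_id == matter_id and g.expires >= today
                   for g in self.grants)

    def request_access(self, user, matter_id, today):
        # Step 5: record the decision whether it was allowed or denied.
        allowed = self.is_authorized(user, matter_id, today)
        self.log.append({"user": user, "matter": matter_id,
                         "date": today.isoformat(), "allowed": allowed})
        return allowed

    def expired_grants(self, today):
        """Grants that should be revoked: the periodic audit for Step 3."""
        return [g for g in self.grants if g.expires < today]

    def denied_attempts(self):
        """Denied requests: the signal a reviewer looks at in Step 5."""
        return [e for e in self.log if not e["allowed"]]


# Constructed sample data (not from the article)
GRANTS = [
    Authorization("a.rivera", "M-2023-007", date(2024, 12, 31)),  # open matter
    Authorization("a.rivera", "M-2021-014", date(2022, 6, 30)),   # closed matter, grant lapsed
]
TODAY = date(2023, 9, 1)


def demo():
    acl = MatterAccessControl(GRANTS)
    open_ok = acl.request_access("a.rivera", "M-2023-007", TODAY)    # allowed
    closed_ok = acl.request_access("a.rivera", "M-2021-014", TODAY)  # denied: grant expired
    outsider = acl.request_access("b.chen", "M-2023-007", TODAY)     # denied: no grant
    return {"open": open_ok, "closed": closed_ok, "outsider": outsider, "acl": acl}
```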
If you want to learn more about securing your sensitive information, you can read this in-depth guide to law firm data security.
In today’s increasingly digital world, the law industry as a whole will have to invest more in cybersecurity. Criminals are becoming more and more sophisticated and law firms are starting to stand out as valuable and vulnerable targets. If this trend continues, protecting your legal documentation may become nearly as important to your clients as how well you practice law.
Larger firms with more information and higher budgets should look into creating an extensive team of dedicated, in-house technology experts to maintain and secure their networks. Smaller firms may have to settle for outsourcing their data security duties to freelance experts or companies offering affordable solutions.
Law firms should also consider risk management solutions in case the worst comes to pass and they do suffer a significant data breach. Two insurance policies will respond in such cases: a cyber liability insurance policy working in concert with a legal professional liability (LPL) policy. Together they respond to the legal and reputational costs of a data breach and minimize the potential fallout.
A cyber policy can cover things such as the cost of notifying affected clients, civil damages, credit monitoring, defense costs, computer forensics for finding and nullifying the problems that caused the breach, and PR expenses to help with potential reputational fallout caused by the breach.
A legal professional liability policy will cover your defense costs if a client sues you for professional liability, claiming that it was your professional negligence that led to the data breach.
When looking at your risk management options, it’s imperative to work with expert brokers who will be able to tailor policies to your firm’s specific needs. Feel free to connect with someone from our expert legal insurance team at any time to discuss your law firm’s insurance needs and options.