The modern security challenges facing law firms are more complex than ever. Regardless of its size, a firm is obligated to follow the data breach laws established in all 50 states, which require disclosure within a reasonable time following a cyber attack. This has forced law firms to take preventative measures to mitigate the risk of a breach by implementing security policies and procedures.
That said, with cyber criminals seeking to exploit targets that are well-funded and have a lot to lose if their private information is made public, attacks on law firms have become more common. It’s not enough to try and keep up with the latest in security compliance and data protection, you have to be a step ahead.
BASIC TENANTS OF CYBER SECURITY
The main concepts of cyber security are applicable across every industry while publications like NIST 800 or ISO 27001 lay groundwork for most security plans, each sector (including legal) has its own specific requirements based on business type.
Failure to secure your Practice’s data puts you and your firm at risk. Beyond that, it can violate the trust you have with your clients and can damage your firm’s reputation.
Cyber criminals view attorney’s protected data as a highly exploitable and lucrative target and information contained within your business’s network can be a treasure trove for those wishing to do you harm. Consider what’s on your servers (local and/or cloud). This may include:
- Personally Identifiable Information (PII)
- Protected Health Information (PHI),
- Intellectual Property
- Client Confidential Information
- Sensitive HR Information including Employee Files
- Merger, Acquisition and Business Records
All of this, as well as other confidential information including Attorney-Client privileged data, is of interest to hackers and cyber criminals.
The risks to your Practice are substantial. Not only that, but you have an obligation to protect client information. Failing to do so, leaves you open to disrupted daily operations, serious legal ramifications, and reputational damage. A few examples of this include:
- Phishing emails and compromised email accounts leading to insecure communications
- Successful deployment of ransomware and encryption of system files leading to the inability to access information and the curtailment or total shutdown of the Practice
- Exfiltration and distribution of client confidential data by cyber criminals
- Public disclosure of business information on the Dark Web impacting poorly on public relations and leading to loss of client trust.
- Allegations of malpractice that may lead to lawsuits
Cyber criminals don’t hold back. Hackers will encrypt then threaten to distribute the client’s private information and sensitive data to the public. They’ll directly contact a law firm’s clients to extort a faster payout. In addition to damaging the firm’s reputability and relationship with clients, an approach like this one puts even more pressure on the firm to pay the ransom in what they hope will be the best and only solution.
Ethical and Regulatory Obligations and Considerations
You have an ethical, professional, and legal obligation to protect attorney-client confidentiality. The risk posed to Law Firms is substantial as all 50 states require businesses to disclose a data breach.
Furthermore, the American Bar Association (ABA) has its own set of rules (Model Rules of Professional Conduct) that Practices are required to follow. Rule 1.6 C states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
The ABA has also released multiple Ethics Opinions which provide guidance for lawyers on how to address cybersecurity. These include Lawyer's Obligations After an Electronic Data Breach or Cyber Attack and Securing Communication of Protected Client Information.
A case study example of a highly impactful event is the 2016 ‘Panama Papers’, a very well-known data breach in the cyber legal industry. Law firm Mossack Fonseca suffered a cyber supply chain attack that leaked over 2.5 terabytes of sensitive client data and approximately 11.5 million documents.
Earlier this year, Campbell Conroy & O’Neil announced that their ‘network was impacted by ransomware, which prevented access to certain files on the system.’ AmLaw 100 firm Goodwin Procter divulged a data breach affecting ‘a small percentage’ of the firm’s clients. They went on to say that those affected may have experienced unauthorized access to or acquisition of confidential material.
Complying with American Bar Association obligations entails making reasonable efforts to protect Law Firm data. Examples of this include:
- The creation and implementation of a comprehensive cyber security plan
- Assessing the cyber readiness of 3rd party providers
- Mandatory employee awareness training at regular intervals
- Strengthening email and communication security practices
- Securing all mobile devices by the use of 2-factor authentication
- Encryption of data in transit and at rest
Protect Attorney-Client Data & Your Firm
Protecting your firm and client’s data requires a multi-faceted approach. If you have the financial resources, you may already have an Information Security Officer (ISO) or better yet, a Chief Information Security Officer (CISO). Unfortunately, many firms lack these resources, and security is relegated to the internal IT departments or a Managed Service Provider (MSP) who is responsible for day-to-day IT operations and maintenance.
Utilizing internal resources to manage security is a 2-fold challenge. The first is that they are focused on keeping day-to-day operations running smoothly. Their time is often spent troubleshooting hardware, software, and user issues, leaving them little time to focus on security.
The bigger issue is that they are most likely not certified, security specialists. Think in terms of your Internist who sees you for normal things like a sore throat or annual physical. One day you have chest pains and shortness of breath. Who would seek out in that case? The answer is a specialist, a Cardiologist. Properly addressing security is the same thing, you need a specialist with experience in the field, one who will devote 100% attention to ascertaining what the real issues are.
Maybe your Practice has availed itself of an MSP in an effort to reduce payroll, headcounts, and operational complexity. Undoubtedly your MSP has sold you on the concept that a single organization can take care of all your IT needs, including security. We take issue with that line of thought. It goes back to the concept of the fox guarding the henhouse.
Cyber Security Compliance Testing and Assessments
When it comes to assessing your cyber readiness, an outside (3rd party) group that maintains your infrastructure will most likely be hesitant to divulge weaknesses since that would be admitting that their performance is less than stellar. Or, they may admit to problems only to turn around and recommend new hardware or software solutions. We consider that to be a conflict of interest and that is why JANUS sells no hardware or software. When it comes to security, your singular focus needs to be protecting your Practice, and your clients in the best possible manner.
As a law firm, you have a responsibility that far transcends what are normal business requirements.
Consider having a conversation with a specialist security organization that has deep expertise and understands the challenges that legal teams face today. With 32+ years of experience, JANUS Associates can help you meet your security, privacy, and compliance goals. Reach out today.
