The biggest threat to your firm’s computer security is probably not some shadowy hacker on the other side of the globe.
It is more likely a trusted employee just across the hall.
“The single biggest threat is people inadvertently bringing down a virus from outside or through a phishing scheme,” says one law firm cyber-specialist. “You can never tell your workforce enough ‘don’t do this’ or ‘don’t do that.’”
It’s probably not terribly reassuring to consider the fact that your worst cyber-nightmare might well be on your payroll. But it should be. That’s because it is easier to combat local, identifiable threats than distant, anonymous ones.
Take a look at the main areas of law firm vulnerability, courtesy of Philadelphia data privacy lawyer John F. Mullen:
- An employee downloads a virus.
- An employee clicks on a link in a suspect email.
- An employee loses an unencrypted laptop loaded with sensitive information.
- A law firm vendor with access to client information is breached.
- A foreign hacker taps into law firm info.
Only the last scenario involves an unknown agent. All the others involve known – and therefore controllable – agents.
Keeping Your House Clean
So how to make sure the next Edward Snowden is not lurking in your break room?
Start with common sense. Hire good people. Screen them carefully. Use professional headhunters and professional staffing services to do the vetting for you.
Here are some other suggestions:
- Be vigilant. Cyber-risk is real. Just look at recent headlines. Target, Barnes & Noble, Google, J.P Morgan – and countless others that haven’t made the news – have been victims of massive data breaches. And it is not just mega-corporations. Anyone with a computer and an Internet connection is vulnerable.
- But don’t panic. Read enough articles on cyber-liability and your hair will burst into flames. You will start stocking up on legal pads, batteries and bottled water. You will hole up in your office, disconnect the modem and never boot up again. Relax. While the risk is real, it is neither inevitable nor rampant. Many of the most terrifying “hackers are everywhere” articles are written by vendors that have a financial interest in ratcheting up your fear.
- Know your vulnerabilities. International transactions, multiple parties and big bucks flowing online are all risk factors. So are branch offices, e-banking and outside vendors. Some software programs are more susceptible to hackers than others. Identify your weak spots – bring in a cyber-consultant if necessary – and shore them up.
- Develop a data security policy. Are employees allowed to use work computers for personal email? Can they take laptops and other devices home? Who has access to passwords? How often are the passwords changed? Is there a chain of command for reporting potential problems?
- Put your policy in writing. Explain it to everyone and make sure they’re on board. Encourage feedback and questions. Follow up to ensure adherence to protocols and procedures. Revisit your plan regularly to keep pace with changes in technology.
- Call in a pro. A legal technology consultant might have answers to questions you don’t even know to ask. Some firms even hire experts to conduct security audits – in effect, inviting cyber-sleuths to try to hack into their own systems to expose soft spots.
- Don’t overlook physical security. How easily can strangers enter and leave your office? Must visitors sign in? Do you have private security? Cameras?
The Confidence Game
Rule of Professional Conduct 1.6 prohibits unauthorized disclosure of confidential information. This rule applies not just to what your client tells you but all information acquired during the representation, regardless of the source.
- Comment : A lawyer must act competently to safeguard information acquired during the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.
- Comment : When transmitting a communication that includes information acquired during the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the client's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.
How Safe Are You?
What data security steps are you taking? What works and doesn’t work? We’d love to hear from you.
Source: The Legal Intelligencer http://www.thelegalintelligencer.com/id=1202646262515/Law-Firms-Prime-Data-Security-Threat-Their-Own-Employees?slreturn=20140810190207
Jay Reeves a/k/a The Risk Man is an attorney licensed in North Carolina and South Carolina. Formerly he was Legal Editor at Lawyers Weekly and Risk Manager at Lawyers Mutual. Contact firstname.lastname@example.org.