As your firm develops its cybersecurity plan, here are some words to keep in mind: Yahoo, Target, Anthem, Sony, Equifax, eBay.
Those are just some of the companies – ranging from healthcare providers to retail stores – that have been hit by massive cyber-attacks. They have little in common except for the fact that bad guys found a way to break into their systems and gain access to sensitive data.
All of them beefed up their security and plugged holes after the attacks, and lawyers would be well-served by taking note of their preventive measures.
“Law firms as a whole can learn a lot about cybersecurity by looking at other industries,” says cybersecurity lawyer Rich Santalesa in this article. “Unfortunately, other industries have had to learn their lessons the hard way.”
Here are five cybersecurity lessons to be learned from these high-profile industry attacks:
Lesson 1: Understand the Risk
Some firms are in denial about the risk of getting attacked. They think it won’t happen to them. Some are complacent. Others appreciate the risk but never get around to doing anything about it.
More than one in five law firms have experienced a cyber-attack resulting in data exposure, according to the ABA TechReport 2017. And these are just the firms that know they’ve been attacked.
Most vulnerable are firms with 10-49 lawyers. More than one-third of them have been hacked. Solos have the lowest incidence (10 percent), but they may also be less likely to know when a breach has occurred.
Lesson 2: Start at the Top
Every expert agrees that data security is only as good as the people behind it. Train your staff on the importance of cyber-safety. Call a meeting to discuss the details of the ABA TechReport 2017. Talk about ways other than an outside hack in which data can be compromised, such as lost or stolen laptops, case files left lying around the office, or computer screens visible to people in the waiting room.
Most importantly, set a good example. Ironically, managers and partners are often the ones most resistant to cybersecurity awareness in the law firm.
“They tend to operate with a sense of privilege,” says one expert in this ABA Journal article. “Therefore, when law firms are establishing and reinforcing their cybersecurity protocols, partners need to be leaders, not rule breakers, by following the same procedures that apply to associates and administrative staff.”
Lesson 3: Encrypt, Encrypt, Encrypt
Law firm data is no longer confined to a lockable filing cabinet. It’s in the cloud, on portable devices and on multiple servers. With information spread so diffusely, the best defense is encryption.
“[T]he lesson learned from other industries is that encryption is a good investment to help secure end-to-end protection,” says the ABA Journal. “While encryption can’t prevent all cyberattacks, it makes stealing information a lot harder.”
Lesson 4: Know the Privacy Rules for Lawyers
Financial institutions have to comply with a myriad of laws regarding data privacy. Hospitals deal with HIPAA. Firms that do business in Europe wrestle with the EU’s General Data Protection Regulation.
Lawyers must comply with Rule of Professional Conduct 1.6, which requires keeping client information confidential: “(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Comment 19 to Rule 1.6 says: Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Lesson 5: Create a Firm Culture of Cyber-Safety
Develop a data security protocol and put it in writing. Come up with office guidelines on computer and cellphone usage, passwords and disposal of documents.
Consider bringing in an outside consultant to conduct a risk assessment. Talk to an expert on encryption. Be sure to vet all third-party vendors carefully.
What cyber-safety steps have you taken at your firm? What areas need more work?
- ABA Journal http://www.abajournal.com/magazine/article/law_firms_cybersecurity_awareness_prevention
- ABA TechReport 2017 https://www.americanbar.org/groups/law_practice/publications/techreport/2017/security.html
- NC Rule of Professional Conduct 1.6 https://www.ncbar.gov/for-lawyers/ethics/rules-of-professional-conduct/rule-16-confidentiality-of-information/