You might not think cyber security is such a big deal.
Your clients might disagree.
And some aren’t just sitting back and hoping their attorneys are being cyber-savvy. They’re demanding proof that their sensitive information will be kept safe and secure. If they don’t get it, they’re voting with their feet – and their checkbooks – by taking their business to another firm.
“It is forcing the law firms to clean up their acts,” says Daniel B. Garrie, executive managing partner with Law & Forensics, a computer security consulting firm that works with law firms. “When people say, ‘We won’t pay you money because your security stinks,’ that carries weight.”
Everyone is Concerned
For now, most of the pressure is coming from banks and large corporate clients. They’re the ones with leverage to demand that firms be proactive in thwarting hackers.
But in today’s environment – where mega-hacks of databases at Google, Target and Sony fill the headlines – it is not unreasonable to expect that all clients will soon be asking questions about privacy.
“Clients are putting more restrictions on law firms about things to do to protect themselves,” Mary Galligan, a cyber-risk executive and former FBI special agent, told the Times. “It is being driven by victims of hackers, and they don’t want to be victims again. It’s just good business sense.”
Already, many banks and financial institutions are asking law firms to fill out lengthy questionnaires detailing their cybersecurity measures. Others are requesting written proof of safety protocols.
And some are demanding that the firm carry cyber-liability insurance coverage.
Among other client-driven privacy demands:
- On-site inspections of law firm systems
- Independent third-party audits
- Requests that firms stop putting files on thumb drives and other portable devices
- Restrictions on using email, non-secure computers and shared networks, especially those linked to hacking havens like China and Russia
Give Yourself a Cyber Audit
Another trend: insurers, risk managers and big corporations are using cyber audits to assess the risk of law firms they employ.
You can improve your cyber-safety by conducting a self-audit:
- Start by getting up to speed on your ethical responsibilities regarding computers, websites, social media and client confidentiality. Read the latest State Bar ethics opinions on point.
- Make a diagram of where your data is stored and who can get to it.
- Be vigilant when third parties hold client data or have access to it. Inquire about their security precautions and procedures.
- Review your cyber-security policies and plans at least annually. Update them as needed.
- Require all employees to undergo security training. Circulate info on breaking threats. Remind everyone of the need to be wary of suspicious emails, texts and links.
- Have a business continuity plan.
- Have a disaster recovery and incident response plan.
- Have a password policy.
- Revise your employee manual to cover consequences for cyber-policy violations.
- Use encryption where appropriate.
- Develop a “Bring your own device/bring your own network (BYOD/BYON)” policy. Make sure everyone in the office understands it and complies.
- Consider paying an outside consultant to come in and assess your security.
- Document your security measures.
- Purchase cyber insurance for protection in the event of a data breach.
What cyber-safety steps have you taken? Are any of your clients asking for proof that their data will be safe in your hands? Let us hear from you.
Sources:
- New York Times, Matthew Goldstein http://dealbook.nytimes.com/2014/03/26/law-firms-scrutinized-as-hacking-increases/?_php=true&_type=blogs&_r=0
- ABA Law Practice Division http://www.americanbar.org/publications/law_practice_magazine/2013/november-december/hot-buttons.html
Jay Reeves a/k/a The Risk Man has practiced law in North Carolina and South Carolina. Formerly he was Legal Editor at Lawyers Weekly and Risk Manager at Lawyers Mutual. Contact him at 919-619-2441 or email@example.com.