In the last three years, cyber criminals have increasingly targeted law firms of all sizes. In 2017, the DLA Piper data breach left one of the top US law firms inactive for two days, with lawyers struggling to retrieve files for up to nine days. Moreover, two smaller law firms have been sued, in New York County and in the Northern District of Illinois, for failing to maintain data security. In short, maintaining a secure data environment is no longer simply a “best practice”; it is increasingly a legal requirement for protecting attorney-client confidentiality.
You’re an attorney, so you want the cold, hard facts. You’re regulated even if you don’t always realize it.
From a legal standpoint, you’re a regulated entity that needs to consider cybersecurity and its financial implications.
One of the fundamental principles of the law is to keep your client’s confidential discussions with you private. The law prides itself on the trust between attorneys and their clients.
You’re maintaining your clients’ confidential information in digital form today. Whether you began your career with a stenopad or with a smartphone, you’re collecting, storing, and transmitting these communications by email or through a website. The American Bar Association added Comment 8 to Model Rule 1.1 (Competence), which specifically requires lawyers to keep abreast of the benefits and risks associated with relevant technology.
Setting aside regulatory fines, you also need to think about whether you’re maintaining data confidentiality, integrity, and availability to maintain your license.
Taking a look at the lawsuits brought forth so far provides insight into the legal issues that impact your firm:
If your contract states that you will maintain files on behalf of your clients, then a ransomware or malware attack that corrupts or destroys those files puts you in breach of contract and potentially liable for malpractice under the contract’s data retention clause.
If you don’t maintain basic information security protections, you can be sued for negligence for failing to meet the standard of due care. A data breach can place trade secrets, personal information, or financial information at risk, leading to financial loss for your clients.
You’re collecting fees and have a fiduciary duty to act in your clients’ best interests. If you’re not maintaining a secure data environment and a breach occurs, you can be considered in breach of that fiduciary duty when cybercriminals obtain the information. Moreover, if you’re handling financial transactions on behalf of your clients, you’re putting that information at risk which increases the likelihood a court will find you in breach.
While the other causes of action listed above relate to malpractice, malpractice can also be pleaded on its own. Insecure (unencrypted) email places your clients’ confidential communications at risk of interception, a man-in-the-middle attack. If that happens, you can be sued directly for malpractice.
While the American Bar Association (ABA) has a cybersecurity task force, it does not offer specific best practices or IT audit requirements. Thus, you need to determine the security controls that protect client data.
The cybersecurity industry keeps saying that data breaches are no longer “ifs” but “whens.” As a lawyer, you know that the minute something goes wrong, people want to sue. Finding the right cyber insurance policy can protect your financial assets from the inevitable lawsuit.
While Microsoft update notifications may get in the way of billables, you need to take the time to patch all systems, software, and network devices. Continuously monitoring your data environment helps you triage the overwhelming number of alerts so that you apply the most important updates first.
Your firewall acts as the first line of defense against cyber criminals by keeping them out of the data environment. However, you need to make sure that you update the software regularly and configure it appropriately.
Most people have poor password hygiene. Since cyber criminals can buy or download tools that scan systems and networks and try the most commonly used passwords, weak passwords can lead to a data breach.
If you’re not using MFA, you want to start. Multi-Factor Authentication means that users not only log in with a password, but must also provide a second verification (like a code generated on or sent to a smartphone, or a biometric) to complete the login process. A stolen password alone is then not enough to get in.
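To show what the “code on a smartphone” factor actually is, here is an added example (not Zeguro’s code, and not from any product the page describes) of a two-factor login check in Python: a password verified against a salted PBKDF2 hash plus a six-digit time-based one-time code of the kind an authenticator app produces (RFC 4226 HOTP / RFC 6238 TOTP). The user record, the email address, the password and the salt are constructed for the demonstration; the TOTP secret is the public RFC 6238 test secret, so the codes can be checked against the RFC’s own test vectors. It also rejects a code that has already been used, a replay guard that real deployments need and that the paragraph above does not mention.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for one counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time=None, step: int = 30) -> str:
    """RFC 6238 time-based code: counter = number of 30 s steps since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret_b32, int(for_time) // step)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256, 200k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample account (hypothetical user, password and salt).
# The TOTP secret is the RFC 6238 test secret "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice@example-firm.test": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": DEMO_SECRET,
        "last_counter": -1,   # highest TOTP counter already accepted (replay guard)
    },
}


def login(username: str, password: str, code: str, now=None,
          step: int = 30, window: int = 1) -> bool:
    """Both factors must pass, and each one-time code is accepted only once."""
    if now is None:
        now = time.time()
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal valid names.
    salt = user["salt"] if user else DEMO_SALT
    candidate = hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return False

    counter = int(now) // step
    for drift in range(-window, window + 1):           # tolerate small clock skew
        c = counter + drift
        if c <= user["last_counter"]:
            continue                                    # this code was already consumed
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            user["last_counter"] = c                    # burn the code
            return True
    return False


if __name__ == "__main__":
    now = 59                                            # RFC 6238 test time
    code = totp(DEMO_SECRET, now)                       # "287082"
    print("first attempt:", login("alice@example-firm.test", "correct horse battery staple", code, now))
    print("replayed code:", login("alice@example-firm.test", "correct horse battery staple", code, now))
```

Two details matter in practice: comparisons use `hmac.compare_digest` so an attacker cannot learn a correct prefix from timing, and the accepted counter is recorded so that a code captured by a phishing page cannot be replayed within the same 30-second step.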
Encryption scrambles information so that even if a cybercriminal obtains it, they shouldn’t be able to read the data. You should be ensuring that all information is encrypted, whether in transit (while being sent) or at rest (while stored). Thus, you want to encrypt all email conversations to ensure that only the intended party can read them.
Lawyers work long hours, and with the ability to work from home, you have more remote employees than ever. You want to use a VPN to help secure those connections. A VPN encrypts data crossing the network so that when employees access databases and company documents remotely, even if cybercriminals manage to intercept the traffic, they won’t be able to read it.
Antivirus software seems like a basic protection. However, after installing it you need to make sure that all computers receive the most recent signature updates on a regular basis. You should also make sure that you’re running regular full-system scans.
At Zeguro, we understand the financial, operational, and reputational impact a data breach can have on a law firm. With that in mind, we offer a comprehensive end-to-end solution that helps find the IT risks, shows you how to close the gaps, and directs you to the right cyber insurance policy.
Protect yourself and your firm today.