Written by Leeza Garber, Esq.
Law firm practice groups entitled “Privacy and Cybersecurity,” “Cybersecurity Task Force,” “Global Privacy,” and “Data Privacy and Cybersecurity” are cropping up every day, across the globe – and with good reason. Cyberlaw is the new legal frontier, as hackers, malware, cyberattacks and data breaches dominate the latest news headlines. Many law firms are working alongside cybersecurity consultants, like Capsicum Group, to help clients understand that proactive prevention is always preferable to a reactive cure.
But what about the law firms themselves? How can attorneys become more proactive in protecting their own practices and ensuring that their client lists and communications, trade secrets, intellectual property and entire network systems are secure? Law firms are a prime target for hackers – their systems contain rich data that require careful protection and vigilance. Yet still, law firms are generally hesitant to invest in the necessary technology and constant monitoring that proactive cybersecurity requires. In fact, a 2014 law firm cyber survey conducted by Marsh USA indicated that while 79% of respondents viewed cyber/privacy security as one of their top ten risks in their overall risk strategy, a resounding 72% said their firm had not assessed or scaled the cost of a data breach based on the information it retains. Just as retailers large and small are targeted for payment card data, law firms are targeted for corporate financial reports, software secrets, and C-suite emails. And further, there are many types of hackers that would benefit from getting their hands on law firm data: not just black market criminals, but opposing counsel, business competitors, and state actors (think China and Russia) as well. In May 2014, a grand jury in the Western District of Pennsylvania indicted five Chinese military hackers in a case involving an AmLaw 100 firm.
The FBI first warned that law firms were being targeted by hackers in November 2009, and the threat has only increased since then. Unfortunately, many law firms do not become aware that they have been hacked for some time – discovery of an incident can take “a minute or months or even years.” In addition, devices containing sensitive data may be lost or stolen from firms, and that type of exposure is very harmful. In January 2015, a California-based personal injury law firm disclosed that a laptop containing sensitive client data had been stolen, and filed notice with the state’s attorney general.
So it is obvious that law firms face cybersecurity threats and data breach issues from many vectors. Capsicum can perform a security assessment and determine your firm’s strengths and weaknesses. But in the meantime, here are a few basic tips to remember:
- Use strong passwords of at least twelve characters, never reuse a password across systems, and change any password immediately if you suspect it has been exposed (rotating every one to three months helps only if the new password is not a predictable variation of the old one). When Sony was hacked, its company passwords were stored in plain text in a folder named “Passwords.” Pro tip: don’t do that. Use a password manager such as KeePass or LastPass instead, so that each account gets its own long, random password and the vault itself is encrypted.
- All law firm laptops should be protected with full disk encryption. Note the limit of that control: it protects data only while the machine is powered off or locked, so pair it with a strong login password and an automatic screen lock, and verify (not just assume) that encryption is actually turned on for every device.
- Smartphones require the same security care and concern as laptops: don’t forget to create and regularly update your PIN; ensure that you can remotely wipe the data from your smartphone if you have to; and update your operating system consistently.
- Ensure that your firm’s antivirus software is up to date and that operating system and application patches are applied promptly; antivirus alone will not stop an attacker who is exploiting an unpatched system.
- Remember that modern digital copiers and multifunction printers contain a hard drive that stores images of the documents copied, scanned or printed on them. That drive must be securely wiped per the manufacturer’s procedure, or removed and destroyed, before the machine is sold, returned at the end of a lease, or thrown away.
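The password tip above has two checkable parts: a minimum length and no reuse. The following script is an added illustration of how to enforce both without keeping a plaintext list of old passwords (the Sony “Passwords” folder anti-pattern); it is not Capsicum’s code or a tool the article recommends. Previous passwords are kept only as salted PBKDF2 hashes, and a candidate is rejected if it is shorter than twelve characters or re-derives to a stored hash. The sample old passwords are constructed for the demonstration, and the minimum length and iteration count are assumptions you would tune to your own policy.

```python
"""Password hygiene checks: minimum length and no reuse against a salted-hash history."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 12            # the article's "at least twelve characters" (policy assumption)
PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password.

    A fresh random salt is drawn when none is supplied, so the stored history
    never contains the plaintext or an unsalted hash that could be looked up.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(candidate: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate under each stored salt and compare in constant time."""
    for salt, digest in history:
        _, cand_digest = hash_password(candidate, salt)
        if hmac.compare_digest(cand_digest, digest):
            return True
    return False


def check_new_password(candidate: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short ({len(candidate)} < {MIN_LENGTH} characters)")
    if was_used_before(candidate, history):
        problems.append("reused: matches a previous password")
    return problems


# Constructed sample history: hypothetical old passwords, hashed here only to build the demo.
SAMPLE_HISTORY = [hash_password(p) for p in ("Summer2014!", "correct-horse-battery")]

if __name__ == "__main__":
    for pw in ("Summer2014!", "short1", "correct-horse-battery", "Vivid-Otter-Lantern-88"):
        print(pw, "->", check_new_password(pw, SAMPLE_HISTORY) or ["ok"])
```

Only the salt and digest are ever written to disk; the plaintext exists just long enough to be hashed, which is exactly the property a “Passwords” folder lacks.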
In addition to staying current with your law firm’s cybersecurity protocol, creating an ongoing conversation within your firm about internal data security and investing in a proactive security culture is necessary. When faced with competing priorities, investments in security rarely rank high. The legal powers-that-be may argue that the law firm has not experienced any hacking incidents – so the security measures in place must be just fine; or that the law firm is not a target because who would want the internal musings of associates chatting with Westlaw reps – so investing in a penetration test is unnecessary; or that the firm’s physical office is protected by locks and passkeys – so an on-site security assessment is a waste of time. But the statistics do not lie: the most recent Ponemon Institute analysis found that the average cost of a data breach in the United States in 2014 was $5.9 million. Worse, the analysis found that more customers terminated their relationship with a breached company in 2014 than the year before, so lost-business costs rose from $3.03 million to $3.2 million. Could your firm afford the literal cost of a data breach? Maybe. But the reputational damage? Definitely not. The conversation regarding cybersecurity preparedness needs to take place within your law firm – it cannot wait any longer.
“More Cyber Preparedness Needed, According to 2014 Law Firm Cyber Survey,” Marsh USA, 15 Jan. 2015. Web. 20 Jan. 2015.
Conte, Andrew. “Unprepared Law Firms Vulnerable to Hackers,” Trib Total Media, 13 Sept. 2014. Web. 19 Jan. 2015.
Bender, Hannah. “Do as I say, not as I do: Most law firms lack adequate cyber protection,” Property Casualty 360, 16 Jan. 2015. Web. 20 Jan. 2015.
“Spear Phishing E-Mails Target U.S. Law Firms and Public Relations Firms,” FBI, 17 Nov. 2009. Web. 19 Jan. 2015.
Goldstein, Matthew. “Law Firms Are Pressed on Security for Data,” New York Times, 26 Mar. 2014. Web. 20 Jan. 2015.
Grande, Allison. “Calif. Personal Injury Firm Discloses Client Data Breach,” Law 360, 14 Jan. 2015. Web. 20 Jan. 2015.
Mathews, Lee. “Sony hack: Icing on the stupid cake was a folder called ‘Passwords’,” Geek, 05 Dec. 2014. Web. 19 Jan. 2015.
Bolson, Andrew. “Preventing a Data Breach: Considerations for Law Firm Security,” New Jersey Law Journal, 30 Oct. 2014. Web. 19 Jan. 2015.