Lawyers and law firms are prime targets for cyber attacks.
Few other lines of business have access to, and guardianship of, so much personal, private, sensitive, and confidential information. Cyber criminals know this, and are looking for ways to steal this data for financial or strategic gain, or simply hold it for ransom. Historically, the legal community has been behind the curve on taking cybersecurity seriously, but this is changing. According to a Robert Half Legal survey in 2019, 76% of firms surveyed are planning to increase their investment in cybersecurity. Is your firm keeping pace? Let’s look at some of the key cybersecurity issues in a typical law firm.
It Can’t Happen to Me: First off, let’s agree that the threat isn’t simply theoretical: a Cybersecurity Ventures report predicts that a business will fall victim to a ransomware attack every 11 seconds by 2021. A busy law office has a host of potential targets, including private health information, financial details, intellectual property, or access to client trust funds. Consider the recent “MAZE” ransomware attacks on five U.S. law firms: million-dollar ransoms are being sought from the firms, and those that refuse to comply have had their computers shut down or their confidential client data published on the Internet. And no firm of any size is safe: large firms are an obvious target because of the potentially higher-value or higher-profile matters they handle. But small firms and sole practitioners are in the crosshairs as well, as they may not have the time or resources to adequately defend themselves from sophisticated attacks.
Data Security and Privacy: Lawyers have extensive experience in maintaining client confidentiality. This must extend to electronic data, with clear and consistent policies on how to manage clients’ digital information securely. This includes maintaining a comprehensive inventory of client and staff data, setting secure methods of logging into systems inside the office and out, encrypting client data, and more. Even details like the secure destruction of old client files and the responsible disposal of obsolete equipment are important for a lawyer – as a business professional – to consider.
Training is Essential: Phishing scams are among the most common ways for breaches to occur. A 2019 Data Protection Report by Shred-it identified human error as the top cause of data breaches in the legal industry, and found that cybersecurity training in many law firms is sorely lacking. While big firms should have the resources to conduct regular training exercises and staff awareness testing, many smaller firms and sole practitioners feel they don’t have the time or money to train their staff. This can be a devastating mistake. Read our blog post about cybersecurity training for more information on how to construct a program even with a limited budget.
Business Continuity: Law firms must have plans in place to handle business disruptions before an incident arises. The current COVID-19 crisis has taught us that the more prepared, resilient law firms are the ones that are able to withstand a sudden shock to operations. Similarly, firms must have a playbook outlining the response procedures if a data breach is discovered, or the office’s computers are suddenly locked up and held for ransom. Are you confident you would know what to do?
Cyber Insurance: Many law firms are considering insurance as part of their defense against cybersecurity incidents. In Ontario, for example, lawyers can make use of the limited cyber coverage provided by their mandatory professional liability insurance program. All law firms should at least consider cyber coverage in order to benefit from the protections offered in breach response, remediation, reporting, and litigation defense. Review our article on cyber insurance to learn more and assess whether coverage is right for your firm.
Business/Reputational Impact: As privately held businesses, law firms do not generally have to report to a regulator, or even their local bar association, in the event of a cybersecurity breach. But provincial/state privacy laws now oblige firms to notify their clients in the event of unauthorized disclosure of data. Ignoring these privacy regulations can be costly: under Canada’s PIPEDA legislation, the privacy commissioner can levy stiff fines on law firms not following the requirements. And evolving GDPR requirements are making compliance and reporting even more onerous.
Furthermore, consider the time, expense, and business impact of tracking down and notifying all of your clients about losing control of their data. The reputational damage a law firm can suffer in the event of a breach can last for years, not to mention the financial costs of defending actions brought by clients individually or in a class action suit. This loss of goodwill lingers not only among prospective clients, but within the legal community, hampering potential recruitment efforts. Cybersecurity is a fundamental part of running a modern law practice, and may even be considered an obligation under the rules of professional conduct, so sanctions could follow for firms that abdicate their responsibility to take reasonable measures to safeguard client data.
Staying informed: The American Bar Association has an excellent catalogue of articles and resources for lawyers. In addition to their own publications, they have curated top articles from government and private sector sources as well. The ABA’s TECHREPORT 2019 provides a detailed look at current cybersecurity issues for law firms. In Ontario, LAWPRO offers resources for lawyers and law firms of all sizes through its practicePRO program. The Law Society of British Columbia offers a central resource page for cybersecurity news and tips. The Government of Canada also has a wealth of general resources to help small and medium-sized businesses adopt cybersecurity measures.
You’re Not in This Alone: Many law firms recognize that cybersecurity is beyond the scope of what they can handle internally, due to lack of time, resources, or availability of top talent. Outsourcing cybersecurity to a managed service provider can provide peace of mind and round-the-clock protection of a firm’s valuable assets. A cybersecurity firm can help assess your areas of risk, recommend areas of focus, then implement and maintain cybersecurity services. ISA can help with all of these areas, as well as guiding breach response activities and assisting with cyber insurance claims handling. With over 28 years of demonstrated industry excellence, ISA’s team of experts can work with you to put together a cybersecurity program that protects your critical client data and lets you concentrate on running your law practice. Please visit our website to contact us anytime: despite the challenges of the COVID-19 epidemic, we are maintaining our services and support, and we would welcome an opportunity to discuss your cybersecurity concerns.