News stories of high-profile data breaches capture the public’s attention. Huge troves of data at retailers, financial institutions and web services fall victim to theft and ransomware. But are smaller companies, like the majority of law firms, vulnerable to data breaches as well? What forms might a breach take, and how can firms mitigate and respond to breaches?
Motives for perpetrators often include financial gain, but not always. Vectors for data breaches are most commonly outside attacks on networked computers or emails with malicious links or attachments. Others include disgruntled employees, stolen devices and even simple human error.
Ransomware is a uniquely nefarious type of software that holds a computer and its data “hostage” until a “ransom” is paid to the perpetrators, usually in the form of hard-to-trace cryptocurrency such as bitcoin. It is most often the result of someone opening links or attachments in spam emails. This lets criminals cast a wide net which, combined with the potential for financial gain, makes this a popular attack vector, especially for amateur hackers.
Ransomware might be considered one type of data loss, and it is mitigated similarly to other types: through data backups. (See “A Word on Data Loss” below.) If a recent and complete backup of important data is readily available, inaccessibility due to ransomware or another cause is merely a temporary inconvenience, although you should find and fix the point of failure that allowed the ransomware in.
How Can Firms Mitigate Risk?
Data encryption: Data encryption, aka whole-disk encryption for computers or device encryption for phones, mitigates the risk of data breach due to stolen devices and unauthorized access. This encrypts a computer or phone’s entire contents, offering far stronger data security than a password-protected login alone.
Training: Everyone at a law firm should be trained in basic cybersecurity precautions, such as recognizing emails that may be phishing or ransomware attempts. Third-party online training courses are widely available.
Professional cybersecurity consultation: Every law firm can benefit from professional assistance in evaluating and improving data security. The scope of a cybersecurity assessment and solution package will depend on the firm’s budget and perceived risk. It may include:
- Digital penetration testing
- Physical facility penetration testing
- Social engineering testing
- Employee training and evaluation
- Remediation and readiness planning
- Data loss prevention software, advising and implementation
- Incident response planning
- Protocol on help during an incident
The Incident Response Plan (IRP)
Having a plan in place in advance of a data breach will pay big dividends in saved time, effort, stress and even client retention. If you choose to hire professional security consultants, make an incident response plan a key deliverable of that process. Implement a process to review the plan annually.
The plan should prescribe step-by-step, prioritized procedures for various types of data breaches and should contain all of the following at a minimum:
- Internal notification and communication plans
- Contact information for key IT personnel
- Security vendors: contact information and details of any contracts in place
- Law enforcement contacts
- Process for client notifications
- Technical details of all data backups and restoration processes
- Data security software: full details of implementation
Make sure that your IRP addresses the following areas:
Follow the law. Most states have statutes concerning data breaches. Your state’s law is unlikely to hold any surprises, but due diligence requires a thorough reading and strict following of the law’s requirements.
Notify the regional FBI office in addition to the local police. Too many firms fail to notify the FBI, instead relying on local police to handle the matter completely. The truth is, most local police departments are ill-equipped to properly handle data breaches and may not have well-defined procedures in place.
Hire expert investigators. Few firms have IT staff with the technical expertise necessary for forensic analysis of a breach. You need to know how the breach happened and what data was accessed.
Notify clients at the right time. Waiting too long to disclose a breach looks bad and will not give clients peace of mind. On the other hand, firms should be careful not to rush to notify clients before gathering all the facts and formulating a response plan. When the nature of the breach and a path forward are clear, it is time to go public.
A Word on Data Loss
While not always regarded as a type of data breach, data loss deserves mention, because it is common. Data loss can be the result of misplacement of a device; breakage, destruction or failure of a device; loss of password; vendor failure; and viruses, malware and ransomware.
Data redundancy is essential. Think about the different kinds of data on your various computers and electronic devices. How much of that is stored locally on that device — and only that device? Everything that matters should be stored in at least two places.
File storage and sync services like Dropbox and Google Drive provide actively synchronized folders between the user’s local machine and cloud-based servers. This also permits greater mobility, as your files are accessible from anywhere, on any device. The absolute loss of data due to breakage or misplacement is rapidly decreasing as users adopt cloud-storage products and services. However, this does not provide full protection from data loss.
Access redundancy is as important as data redundancy. If your data resides only on one company’s servers, treat it as a single source: regardless of that company’s own data redundancy, it has a single point of failure in the form of access rights (credentials) that can be lost, stolen or revoked. Such data should be mirrored to a device you control.
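The advice above (and in the ransomware section earlier) turns on having a backup that is both complete and recent. The following script is an added example, not code from the original article: it compares a primary folder (for instance, a cloud-synced directory) against a mirror you control, reports files that are missing or whose contents differ, and flags the mirror as stale if its newest file is older than a chosen number of days. The "primary" and "mirror" folder names and the sample files are constructed here purely for the demonstration.

```python
"""Check that a mirror copy of important data is complete and recent.

Added example (not from the article). Builds a constructed 'primary'
(a cloud-synced folder) and 'mirror' (a device you control) in a temp
directory, then compares the two by SHA-256 content hash.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_copies(primary: Path, mirror: Path, max_age_days: float = 7.0) -> dict:
    """Report whether 'mirror' is a complete, fresh copy of 'primary'."""
    prim, mirr = snapshot(primary), snapshot(mirror)
    missing = sorted(set(prim) - set(mirr))                 # not backed up at all
    differing = sorted(k for k in prim.keys() & mirr.keys() if prim[k] != mirr[k])
    extra = sorted(set(mirr) - set(prim))                   # deleted from primary only
    newest = max((p.stat().st_mtime for p in mirror.rglob("*") if p.is_file()), default=0.0)
    age_days = (time.time() - newest) / 86400 if newest else float("inf")
    return {
        "missing_from_mirror": missing,
        "content_differs": differing,
        "only_in_mirror": extra,
        "mirror_age_days": age_days,
        "complete": not missing and not differing,
        "fresh": age_days <= max_age_days,
    }


def build_demo(base: Path) -> tuple[Path, Path]:
    """Constructed sample data: one identical file, one stale copy, one file never mirrored."""
    primary, mirror = base / "primary", base / "mirror"
    for d in (primary / "matters", mirror / "matters"):
        d.mkdir(parents=True)
    (primary / "matters" / "client-a.txt").write_text("engagement letter v2")
    (primary / "matters" / "client-b.txt").write_text("discovery index v2")
    (primary / "retainer.txt").write_text("retainer agreement")
    (mirror / "matters" / "client-a.txt").write_text("engagement letter v2")  # identical
    (mirror / "matters" / "client-b.txt").write_text("discovery index v1")    # stale copy
    # Age every mirror file by ten days so the freshness check fails.
    ten_days_ago = time.time() - 10 * 86400
    for p in mirror.rglob("*"):
        if p.is_file():
            os.utime(p, (ten_days_ago, ten_days_ago))
    return primary, mirror


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        primary, mirror = build_demo(Path(tmp))
        return compare_copies(primary, mirror)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In practice you would point `compare_copies` at your real synced folder and your own external drive or server, and schedule it so a mirror that has silently stopped updating is noticed before you need it. Hashing rather than comparing file sizes or timestamps is what catches a copy that exists but holds the wrong contents.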