Law Firm Data Breaches: Prevention and Mediation


BY Ryan Conley STAFF CONTRIBUTOR



News stories of high-profile data breaches capture the public’s attention. Huge troves of data at retailers, financial institutions and web services fall victim to theft and ransomware. But are smaller companies, like the majority of law firms, vulnerable to data breaches as well? What forms might a breach take, and how can firms mitigate and respond to breaches?

A data breach occurs when confidential information is accessed by someone without authorization, whether intentional or unintentional, targeted or random.

Motives for perpetrators often include financial gain, but not always. Vectors for data breaches are most commonly outside attacks on networked computers or emails with malicious links or attachments. Others include disgruntled employees, stolen devices and even simple human error.

Ransomware is a uniquely nefarious type of software that holds a computer and its data “hostage” until a “ransom” is paid to the perpetrators, usually in the form of hard-to-trace cryptocurrency such as bitcoin. It is most often the result of someone opening links or attachments in spam emails. This lets criminals cast a wide net which, combined with the potential for financial gain, makes this a popular attack vector, especially for amateur hackers.

Ransomware might be considered one type of data loss, and it is mitigated similarly to other types: through data backups. (See “A Word on Data Loss” below.) If a recent and complete backup of important data is readily available, inaccessibility due to ransomware or another cause is merely a temporary inconvenience, although you should find and fix the point of failure that allowed the ransomware in.
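As an added illustration (not from the article) of what "recent and complete" means in practice, the following check verifies that a backup copy is fresh and that every file matches a hash manifest; the directory layout, manifest format and sample files are constructed for the example.

```python
import hashlib
import os
import tempfile
import time

# Constructed example: a backup is only useful against ransomware if it is
# both recent and complete, so this checks a backup directory against a
# manifest of expected files and their SHA-256 hashes.

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_backup(backup_dir, manifest, max_age_hours, now=None):
    """Report stale flag, missing files, files whose hash differs, and usability."""
    now = time.time() if now is None else now
    report = {"stale": False, "missing": [], "corrupted": []}
    newest = 0.0
    for rel_path, expected_hash in manifest.items():
        full = os.path.join(backup_dir, rel_path)
        if not os.path.isfile(full):
            report["missing"].append(rel_path)
            continue
        newest = max(newest, os.path.getmtime(full))
        if sha256_of(full) != expected_hash:
            report["corrupted"].append(rel_path)
    # Stale if the newest backed-up file is older than the allowed window
    # (or nothing at all was found).
    if newest == 0.0 or now - newest > max_age_hours * 3600:
        report["stale"] = True
    report["usable"] = not (report["stale"] or report["missing"] or report["corrupted"])
    return report

def demo():
    """Constructed sample: one good file, one altered after backup, one never copied."""
    tmp = tempfile.mkdtemp()
    files = {"matters/smith.docx": b"contract v3", "billing/q1.csv": b"inv,100"}
    manifest = {}
    for rel, data in files.items():
        p = os.path.join(tmp, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    manifest["matters/missing.pdf"] = hashlib.sha256(b"never copied").hexdigest()
    # Simulate a copy that was overwritten (e.g. encrypted) after the manifest was made
    with open(os.path.join(tmp, "billing/q1.csv"), "wb") as f:
        f.write(b"ENCRYPTED")
    return verify_backup(tmp, manifest, max_age_hours=24)
```

A backup that reports anything other than `usable: True` should not be relied on for recovery until the gap is explained.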

How Can Firms Mitigate Risk?

Data encryption: Whole-disk encryption for computers and device encryption for phones mitigates the risk of a data breach from stolen devices and unauthorized access. It encrypts the entire contents of the computer or phone, offering far stronger protection than a password-protected login alone.

Training: Everyone at a law firm should be trained in basic cybersecurity precautions, such as recognizing emails that may be phishing or ransomware attempts. Third-party online training courses are widely available.

Professional cybersecurity consultation: Every law firm can benefit from professional assistance in evaluating and improving data security. The scope of a cybersecurity assessment and solution package will depend on the firm’s budget and perceived risk. It may include:

  • Digital penetration testing

  • Physical facility penetration testing

  • Social engineering testing

  • Employee training and evaluation

  • Remediation and readiness planning

  • Data loss prevention software, advising and implementation

  • Incident response planning

  • Protocol on help during an incident

The Incident Response Plan (IRP)

Having a plan in place in advance of a data breach will pay big dividends in saved time, effort, stress and even client retention. If you choose to hire professional security consultants, make an incident response plan a key deliverable of that process. Implement a process to review the plan annually.

The plan should prescribe step-by-step, prioritized procedures for various types of data breaches and should contain all of the following at a minimum:

  • Internal notification and communication plans

  • Contact information for key IT personnel

  • Security vendors: contact information and details of any contracts in place

  • Law enforcement contacts

  • Process for client notifications

  • Technical details of all data backups and restoration processes

  • Data security software: full details of implementation

IRP Pointers

Make sure that your IRP addresses the following areas:

Follow the law. Most states have statutes concerning data breaches. Your state’s law is unlikely to hold any surprises, but due diligence requires a thorough reading and strict following of the law’s requirements.

Notify the regional FBI office in addition to the local police. Too many firms fail to notify the FBI, instead relying on local police to handle the matter completely. The truth is, most local police departments are ill-equipped to properly handle data breaches and may not have well-defined procedures in place.

Hire expert investigators. Few firms have IT staff with the technical expertise necessary for forensic analysis of a breach. You need to know how the breach happened and what data was accessed.

Notify clients at the right time. Waiting too long to disclose a breach looks bad and will not give clients peace of mind. On the other hand, firms should be careful not to rush to notify clients before gathering all the facts and formulating a response plan. When the nature of the breach and a path forward are clear, it is time to go public.

A Word on Data Loss

While not always regarded as a type of data breach, data loss deserves mention, because it is common. Data loss can be the result of misplacement of a device; breakage, destruction or failure of a device; loss of password; vendor failure; and viruses, malware and ransomware.

Data redundancy is essential. Think about the different kinds of data on your various computers and electronic devices. How much of that is stored locally on that device — and only that device? Everything that matters should be stored in at least two places.

File storage and sync services like Dropbox and Google Drive provide actively synchronized folders between the user’s local machine and cloud-based servers. This also permits greater mobility, as your files are accessible from anywhere, on any device. The absolute loss of data due to breakage or misplacement is rapidly decreasing as users adopt cloud-storage products and services. However, this does not provide full protection from data loss.

Access redundancy is as important as data redundancy. If your data resides only on one company's servers, treat that as a single source regardless of that company's own data redundancy: it has a single point of failure in the form of access rights (credentials) that can be lost, stolen or revoked. Such data should be mirrored to a device you control.

Ryan Conley

Ryan Conley is a staff contributor to Bigger Law Firm Magazine and a legal content strategist for U.S. based law firms.
