Many law firms are vulnerable to cyberattacks. The costs to prevent and prepare for a cyberattack are high, but law firms are starting to realize the importance of cybersecurity to their clients and to the reputation of the firm.
Lawyers are bound to protect the confidences of their clients, and clients are starting to demand law firms have policies in place to ensure the client's information is protected from a cyberattack.
The risk of a cyberattack on a law firm
How can a law firm become a victim of a cyberattack?
- Malware: Malicious software that compromises information systems, typically installed when a user clicks a link or opens an attachment. Examples include spyware, ransomware and viruses. Malware can block access to all or part of the law firm's network, or it can copy data from the firm's systems. Ransomware encrypts the firm's files or locks users out of its systems, and the attacker demands payment, usually in cryptocurrency, for the decryption key.
- Phishing: The attacker impersonates a legitimate company, firm or colleague, usually by email, to trick the recipient into revealing personal information or login credentials, or into opening a malicious link or attachment.
- A MITM (man-in-the-middle) attack: Also known as an eavesdropping attack, the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other, which lets the attacker read or alter what is sent.
Why law firms need cybersecurity
Clients entrust law firms with information about trade secrets, financial reports or healthcare information. If a lawyer breaches that trust, the client may terminate the engagement or, if the breach damages the client, sue the firm for legal malpractice.
Federal law does not directly regulate a law firm's cybersecurity practices, but it may regulate the firm's clients, such as hospitals or banks, and those clients often must pass their obligations down to the vendors that handle their data. Clients may therefore demand that the law firm have adequate policies to prevent, mitigate and respond to a cyberattack.
On the state level, boards regulate the conduct of lawyers and establish ethics rules, the violation of which may result in the reprimand, suspension or disbarment of an attorney. The state boards issue ethics opinions establishing guidelines for attorneys, which may include what actions lawyers should take to protect a client's data.
The American Bar Association (ABA) also issues ethics opinions. In May 2017, the ABA issued Formal Opinion 477R giving lawyers guidance to assess the security necessary to protect client information. The opinion states that a lawyer may be required to take special precautions when an agreement with the client, the law, or the nature of the information requires a higher degree of security. ABA formal opinions are not binding, but state boards use them as models.
Surveys on law firms and cybersecurity
American Lawyers Media (ALM), a legal media and intelligence company, has conducted annual surveys on the state of cybersecurity in the legal industry. The 2017 survey showed improvement in most areas at law firms:
- 90 percent of law firms had formal security assessments in 2017, as compared to 77 percent in 2016.
- 89 percent of law firms had data breach plans in place in 2017, as compared to 66 percent in 2016.
- 70 percent of law firms had forensic expert partnerships in 2017, as compared to 77 percent in 2016, the one area that declined.
- 48 percent of law firms had drills of their cybersecurity systems in 2017, as compared to 46 percent in 2016.
About a third of law firms were not comfortable with their cybersecurity readiness.
Cybersecurity standards for law firms
The National Institute of Standards and Technology (NIST) provides standards and guidelines for cybersecurity used by the federal government. The NIST standards are voluntary, but implementing them should give most law firms a strong reasonable-care defense against a malpractice suit by a client whose data is breached. Higher standards may be necessary for some firms.
Applied to a law firm, the guidance reduces to seven essential steps:
- Identify the firm's systems that house sensitive data.
- Segregate sensitive data from the rest of the network.
- Limit access to sensitive data to those who need it.
- Encrypt sensitive data at rest and in transit.
- Monitor and log who accesses sensitive data.
- Train all lawyers and legal personnel on cybersecurity practices.
- Conduct regular cybersecurity assessments.
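The "segregate", "limit access" and "monitor who has access" steps above only work together: a segregated matter share needs a list of who may read it, and the access log needs to be checked against that list. The script below is an added example, not code from the article or from NIST; it assumes a hypothetical file-server log format and a hypothetical per-matter allowlist (in practice both would come from the firm's document management or ethical-wall system), and runs over a few constructed log lines to flag access by users who are not on a matter's allowlist and access to matters that were never segregated at all.

```python
"""Flag access to sensitive matter data by users outside the authorised group.

Added example with a hypothetical log format and allowlist; not from the article.
"""
import re
from collections import defaultdict

# Hypothetical allowlist: which users may read each segregated matter share.
# In a real firm this would come from the DMS / ethical-wall configuration.
MATTER_ACCESS = {
    "matter-1042": {"asmith", "jlee"},
    "matter-2077": {"jlee", "rkhan", "paralegal1"},
}

# Constructed log lines in a hypothetical file-server format:
#   <ISO time> user=<name> action=<read|write> path=/matters/<matter-id>/<file>
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=asmith action=read path=/matters/matter-1042/complaint.pdf
2024-03-04T09:14:33Z user=rkhan action=read path=/matters/matter-1042/settlement-terms.docx
2024-03-04T09:15:10Z user=paralegal1 action=write path=/matters/matter-2077/exhibits.zip
2024-03-04T23:40:52Z user=jlee action=read path=/matters/matter-2077/financials.xlsx
2024-03-04T10:01:00Z user=guest action=read path=/matters/matter-9999/notes.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=/matters/(?P<matter>[^/]+)/"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_violations(log_text, allowlist):
    """Return (ts, user, matter, reason) for each access that is not permitted.

    Two conditions are flagged: access to a matter with no allowlist entry
    (data that was never segregated, or an unknown share), and access by a
    user who is not on that matter's allowlist.
    """
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped here; a real pipeline should count them
        allowed = allowlist.get(rec["matter"])
        if allowed is None:
            violations.append((rec["ts"], rec["user"], rec["matter"], "matter not in allowlist"))
        elif rec["user"] not in allowed:
            violations.append((rec["ts"], rec["user"], rec["matter"], "user not permitted"))
    return violations


def access_summary(log_text):
    """Map each matter to the set of users who touched it: the 'who has access' view."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            summary[rec["matter"]].add(rec["user"])
    return dict(summary)


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG, MATTER_ACCESS):
        print("VIOLATION", *v)
    for matter, users in sorted(access_summary(SAMPLE_LOG).items()):
        print(matter, sorted(users))
```

On the constructed input this reports two violations: rkhan reading matter-1042 (not on that matter's allowlist) and guest reading matter-9999 (a share with no allowlist entry). The second case is the one firms tend to miss: monitoring is only as good as the inventory of what has been segregated, which is why the "identify" and "segregate" steps come first.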
A law firm's preparation for a cyberattack
Large law firms can hire a chief information security officer to assess the firm's vulnerabilities and to prepare plans in the event of a cyberattack. A small law firm's IT service provider can perform a risk assessment, or the firm can rely on a major service provider, such as Microsoft or Clio. The law firm should establish a good relationship with law enforcement officials and can run a mock-attack exercise with FBI participation. The firm should also carry cybersecurity insurance.
The law firm should have a cyberattack response plan in place before a breach occurs. The plan should include contact information for technical experts, vendors and clients, and should spell out how information is communicated to lawyers and legal personnel in the firm. If the firm's email system is the one that was compromised, using it to coordinate the response can expose the plan to the attacker, so the firm needs an out-of-band procedure to inform affected employees by phone or text.
The law firm must manage the cyberattack to protect its reputation. The firm should have a crisis team – the firm's spokesperson, the firm's crisis communications expert, legal counsel to the firm, and the IT security lead – in place. The firm should monitor social media and respond to fears or criticism. The firm should have a media strategy to put out positive news on the firm.
Once the incident is contained, the law firm should assess what happened and why, evaluate the strengths and weaknesses of its response, and get feedback from outside security experts both to prevent another attack and to improve the response next time.
The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, Second Edition gives practical information, guidance and strategies to law firms of all sizes.
The importance of a law firm's cybersecurity
Some clients require a law firm to complete a detailed data security questionnaire. The client may send a due diligence team to the firm to inspect its technology and security. Not only can a data breach or cyberattack subject a law firm to a legal malpractice suit, but some firms have been sued because their security measures left them exposed to a cyberattack, before any breach occurred. A law firm's inability to protect client information can tarnish the firm's reputation and result in the loss of current and potential clients.