Law firm data breaches are not so much an “if” as a “when” event, so prepare accordingly.
In a 2021 Cybersecurity TechReport, the American Bar Association observed that law enforcement officials now divide businesses into two groups: those that have experienced a data breach and those that will. That was its way of underscoring the gravity of the risk law firms face concerning the theft, loss or destruction of sensitive client information.
Flash-forward to the ABA’s most recent report, which finds that 27% of surveyed law firms were at some point laid wide open to a data breach after losing a smartphone, suffering a network break-in, falling prey to a website exploit, downloading a virus, being hit with a ransomware attack, or some other consequential mishap or misdeed.
According to the association’s annual Legal Technology Survey, 17% of solo practices and firms of fewer than 10 attorneys had fallen prey to cyber crooks. Likewise for 35% of firms with 10 to 49 lawyers and with 100 or more attorneys. Meanwhile, nearly half — 46% to be exact — of firms with 50 to 99 lawyers also acknowledged a run-in with sticky-fingered bad actors.
The numbers suggest that lawyers are not likely to win awards for their ability to safeguard data entrusted to their care. Nor will they be feted for the speed with which they discover and react to data breaches. Generally, it takes roughly 200 days for the target of a data breach to realize a hole has been punched in its electronic records repository. From there, it will take an average of 69 days to figure out how to plug the hole.
Understanding External and Internal Data Breaches
Lawyers could begin doing a better job of keeping data safe by first understanding that breaches come in two main varieties:
- The first variety comprises all breaches that originate outside the law firm’s physical walls.
- The second variety is made up of all those that originate internally.
External Data Breaches
External data breaches transpire when someone outside accesses your computer systems. This someone could work alone or as part of a gang and be located anywhere on the planet.
An external breach can happen through hacking — an internet-originated attack against some vulnerability in your system’s software or your network’s architecture. These attacks usually require a significant investment of time and energy on the part of the hacker, who must painstakingly probe for system weaknesses that can then be exploited.
Phishing is another example of an external breach. Phishing is an attempt by a malicious actor to gain access to confidential information by sending out fake email messages that appear to be from legitimate sources. These messages usually contain a link that, when clicked, takes the recipient to a malicious website that will attempt to steal their personal information. This type of attack has become more common as hackers become increasingly sophisticated in their tactics.
Internal Data Breaches
Internal data breaches occur when someone with authorization to access your computers calls up the data and then does:
- Something illegal (like stealing it).
- Something stupid (like leaving data exposed to unauthorized eyes).
- Something malicious (like flushing data down the cyber equivalent of a toilet).
This someone is usually an employee but could also be a third-party contractor or vendor making a service visit to your office.
As a rule of thumb, external breaches are less daunting than internal breaches when it comes to their prevention.
For external breach defense, you need a layered security approach.
This can include beefed-up firewalls, data encryption technology, antivirus protection, anti-malware software, virtual private networks, and mobile device remote-disabling/destruction capabilities, to name a few.
Also, you must ensure your computer operating system, programs and apps are fully updated with the latest versions and security patches.
It sounds like a lot, but those defensive measures are straightforward and can be procured in a turnkey bundle from IT-managed services providers and other third-party sources.
Internal breach defense involves fewer elements, but it’s a bit trickier because of the human factor.
Lawyers and staff need to undergo training that teaches them not to fall for phishing scams, email compromise ploys or other forms of trickery designed to extract login credentials or welcome deadly downloads and other Trojan Horse-style cyberattack weaponry. People must be continually educated about today’s threats. Many firms believe one or two cyber training sessions per year suffice. They don’t.
Staff also need their knowledge tested. For example, phishing simulations go a step beyond training on how to spot a phishing email by testing everyone in the firm to see who clicks on links or enters their credentials.
Your Duty to Safeguard Client Data
Looming over this like a sword of Damocles is lawyers’ ethical duty to safeguard client data.
It is a duty enshrined in law (which varies from one jurisdiction to the next) and based on the ABA’s Model Rules of Professional Conduct 1.1 (attorney competence), 1.4 (communication) and 1.6 (confidentiality), but also 5.1-3 (dealing with supervision). Buttressing these rules are three ABA Formal Opinions: 477R (“Securing Communication of Protected Client Information,” 2017), 483 (“Lawyers’ Obligations After an Electronic Data Breach or Cyberattack,” 2018) and 498 (“Virtual Practice,” 2021).
Data Breaches Happen to the Biggest and the Smallest Law Firms
Consider yourself fortunate if a data breach hasn’t yet happened to you. If law enforcement is right, it’s only a matter of time before cybercriminals make their move against you — for the first time or yet again. Therefore, you owe it to clients — and yourself — to prepare for that likely inevitable cyberattack now.