Law firms are prime targets for hackers. Why? Because their computer networks contain highly concentrated, high-value information about many parties that is often not well-protected. One often-overlooked vulnerability is the security of computer networks operated by third-party vendors employed by the firm. By asking tough questions of vendors that handle client information and by scrutinizing the cybersecurity language in all contracts, diligent law firms can go a long way toward giving clients the data security protection they are legally and ethically entitled to have.

Vendors Provide Access to Client Data

Law firms are under attack today, often indirectly through the vendors that provide software and other technology services supporting their operations.

Several prestigious law firms recently notified their clients that confidential information was likely compromised by a data breach at Accellion, a California-based provider of file-sharing technology. Accellion announced that the security vulnerabilities have been remediated, but the firms using that service will still struggle with potential repercussions

Recently, federal prosecutors in New Jersey brought money laundering charges against a hacker who gained unauthorized access to a law firm’s email network. Once he gained access to their network, he sent an email message directing one of the firm’s clients to wire $560,000 to an account under the hacker’s control. The client obliged, believing that the wire transfer instructions had come from the law firm.

Law firm computer networks are a treasure trove of valuable information. All firms possess highly-sensitive information pertaining to clients and employees and many firms have protected health information and confidential or proprietary information that can, if leaked, cause devastating damage to their clients.

Neither are small firms immune from the risk of security breach. Although niche and general practice firms might not be safeguarding multimillions in business capital or have advance knowledge of public offerings, they are all exposed to the threat of significant remedial costs, business interruption losses, and the reputational damage that inevitably follows a data breach.

Today’s hackers are sophisticated. They’re looking to maximize the value of each exploit with a goal monetizing either access to the compromised systems or the exfiltrated data itself. Entities like law firms that possess a large body of highly-valuable information across a multitude of clients are much more attractive targets than any single company that hosts data pertaining to itself alone.

Common Vulnerabilities Faced by Law Firms

Broadly speaking, the legal profession does not yet give cybersecurity the attention it deserves. In 2018, the ABA’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483 (PDF), which outlines an attorney’s ethical obligation to safeguard client information and identifies cyber threats as presenting “a major professional responsibility and liability threat” to the legal profession.

According to cybersecurity experts who spoke at the ABA’s recent National Legal Malpractice Conference, the five leading threats to law firms are:

1. Ransomware. Typically a bad actor encrypts a device with a promise to decrypt in exchange for money or cryptocurrency. Newer ransomware exploits and also steals network credentials and/or network data and threaten release of that data.
2. Business email compromise. Often accomplished via phishing, bad actors mine email accounts for valuable information and to impersonate lawyers and firm employees. 
3. Spear phishing. A bad actor sends an email to specific and well-researched targets while purporting to be a trusted sender. Their objective is either to infect devices with malware or to convince victims to hand over information or money to an unauthorized party.
4. Lost or stolen laptops and mobile devices. Valuable information commonly stored on these devices falls into the wrong hands. These threats can be partially addressed through compensating controls such as whole disk encryption, Mobile Device Management, and other technologies.
5. Third-party risks. Lawyers are responsible for safeguarding client information shared with third-party service providers.

Danielle Roth, claims manager in the cyber and technology group at insurance provider AXA XL, said during the ABA event that the amount of work necessary to meaningfully address cybersecurity issues can appear daunting to law firms.

“This is the part where people think there’s nothing to do to manage their risks,” she said. “And that’s really not the case. There are many things that organizations can do to make themselves less attractive targets, to manage that risk, and to transfer some of that risk.”

For example, all law firms should carefully inventory the data they possess: What data is held by the firm, why it is being held, who has access to it, and for how long? “Having a good handle on the data held and retained is correlated with better and less costly outcomes after an incident,” she said. 

Taking the time to categorize data is also valuable, particularly if the firm experiences a data breach, Roth said. “You don’t want to ‘over-notify,’ which is expensive and can also lead to increased claims and lawsuits.”

Conducting Due Diligence With Vendors

Another area where law firms can meaningfully reduce their exposure to cyber threats is in carefully managing relationships with third-party vendors. Network providers, email providers, accounting services, employee benefits providers, and litigation support vendors all process valuable client information. As a result, these third parties represent both a potential security risk and conversely the opportunity to minimize those risks to law firm clients by the proper application of InfoSec best practices.

Alyssa R. Watzman, a partner and vice-chair of the data security and privacy group at Lewis Brisbois Bisgaard & Smith in Denver, stressed that it’s important for law firms to vet all parties that have access to the firm’s information environment. “There is a lot to think about in terms of third-party risk when you are entering into a relationship with a service provider,” she said.

When hiring a service provider that will have access to client information, Watzman said “firms should do their due diligence thoughtfully. Do not make hiring decisions based on word of mouth alone, or hire simply because the service provider is well-known. Talk to them about what their own security measures are and what their own employee training practices are.”

Watzman recommended that law firms scrutinize the contracts they are signing with service providers. Law firms should make sure they are comfortable with:

• Limitations of liability in the contract.
• Service provider obligations to notify the firm in the event of a breach of their network.
• The amount of cyber insurance the service provider is holding.

It’s also a good idea to revisit contracts with existing service providers, Watzman said. Law firms should make sure existing contracts meet current data security needs.

In a recent ethics opinion on virtual law practice (PDF), the ABA underlined the need for law firms to take care when hiring service providers that may be handling client confidential information:

Lawyers will understandably want and may need to rely on information technology professionals, outside support staff (e.g., administrative assistants, paralegals, investigators), and vendors. The lawyer must ensure that all of these individuals or services comply with the lawyer’s obligation of confidentiality and other ethical duties. When appropriate, lawyers should consider use of a confidentiality agreement, and should ensure that all client-related information is secure, indexed, and readily retrievable.

State bar association websites contain a wealth of information for law firms just embarking on a data security program. These resources are tailored to the ethics rules in place in those jurisdictions, along with any other state laws governing information security and privacy practices. Another good resource is the ABA Cybersecurity Legal Task Force, which summarizes the ABA’s own work in this area and also includes checklists and best practices that any firm can adopt.

Third-party vendors are a necessary part of modern law practice. Vendors have capabilities that law firms do not, and it is often the case that cybersecurity measures in place at a vendor are better than those in place at the law firm itself. However, that is not always the case and no law firm should assume that a vendor’s cybersecurity measures are adequate for the assigned matter.

“Trust but verify” is a useful mantra when dealing with outside vendors. In practice, this means having candid discussions with each vendor regarding the technology, policies, and procedures that will be used to deliver services to the firm. Law firms should review each vendor’s contract — both current and prospective vendors — and decide whether they are comfortable with the cybersecurity protections contained in those arrangements. If not, they should either re-negotiate with the vendor or seek out other vendors whose security programs properly mitigate relevant risks