Preventing and preparing for law firm cybersecurity attacks is fundamental to success

Casetext

Not sure where to start? These 5 practices will get you going.

Law firm cybersecurity incidents continue to rise: 27% of firms reported experiencing a security breach, according to the ABA’s 2022 Legal Technology Survey Report. Notably, there have been several high-profile data breaches at Am Law 100 firms.

Law firms are particularly vulnerable to cyberattacks, due largely to the wealth of sensitive data they possess, which can include information on government entities and corporations. The consequences of these attacks—particularly data breaches resulting in loss of confidential client information—can be costly, with 36% of firms reporting lost billable hours. Some firms pay millions in recovery and reparation costs and even close down after facing significant reputational damage, loss of clients, lawsuits, and regulatory inquiries. 

A lawyer’s duty to protect client data is defined in the ABA’s Model Rules of Professional Conduct. Comment 8 to Rule 1.1 states a lawyer should keep abreast of “the benefits and risks associated with relevant technology,” while Rule 1.6(c) provides that lawyers “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” In short, Rule 1.6 requires lawyers to safeguard client information against inadvertent or unauthorized disclosure, whether by the lawyer or by others.

While Comment 18 to Rule 1.6 provides some insight into the “reasonable efforts” required to preserve confidential client information, it doesn’t set forth concrete actions you can take as part of managing your practice. Unfortunately, many law firms don’t adhere to best practices for cybersecurity, exacerbating the problem. We offer just some of the proactive measures you can take to prevent potential cybersecurity attacks and keep your client and firm data safe. 

1. Update and patch your antivirus, anti-malware, and anti-spyware software

Purchasing subscriptions for antivirus, anti-malware, and anti-spyware software is an obvious and essential step in protecting your firm and clients. Ensure this software is installed on every device that sends or stores any confidential client information, such as your computer and phone.

But installing software is just a start—hackers are continually developing new viruses and malicious code. This is why keeping that software updated is vital. Resist the temptation to decline update reminders when they pop up, as bothersome as they might be. This includes timely security patching. Security patches are essentially software fixes designed to address any security weaknesses or vulnerabilities identified in a program or product. When vendors send updates, don’t put off installing them. You might not want to interrupt your current task, but the potential loss is a much greater risk. 

The cyberattack against law firm Mossack Fonseca and the resulting leak of 11.5 million documents, known as the “Panama Papers,” is perhaps the best-known example of the disastrous consequences of failing to update software. Reduce the risk of such incidents by ensuring security patches have been applied to all software your firm relies on, not only endpoint protection but also operating systems, document management systems, and any public-facing web applications and their plugins.

2. Conduct an external risk assessment or engage a third-party monitoring service

External assessments are a great way to gauge the strength of your firm’s security policies and protocols. Although you can routinely conduct internal reviews of your firm’s security protocols, a third-party audit will provide an unbiased and fresh perspective.

An independent auditor will nearly always reveal potential vulnerabilities you might otherwise miss. They’ll also assist with implementing appropriate security measures and training your firm on best practices. 

3. Educate third parties on appropriate security measures

You as a lawyer and any staff and assistants must understand risks associated with using technology and how to appropriately use it. But undertaking regular training and staying up-to-date on ever-changing technology and risks are just a start.

Any third parties using or accessing sensitive client data, such as consultants or expert witnesses, must also take steps to appropriately protect privileged and/or confidential information. You should also conduct due diligence on any vendors, such as software providers. Review each vendor’s security policies, hiring practices, and conflict check systems; confirm that its security certifications are legitimate and current; and ask whether it has experienced security incidents in the past.

Vendor security programs should align with the NIST Cybersecurity Framework, a widely used resource for understanding and managing cybersecurity risk. Another resource is the Vendor Supply Chain Risk Management (SCRM) Template published by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Casetext’s security program is an example of vendor compliance with industry standards (it is aligned with ISO 27001 and SOC 2).

4. Consider cyber liability insurance 

Cyber liability insurance isn’t a preventive step, but it can reduce the impact of attacks should they occur. Whether it’s worth it depends on what is and is not covered. For example, some policies define coverage in terms of data breaches, and a ransomware attack that encrypts your data without disclosing it may not qualify as a breach under those terms and therefore may not be covered.

A thorough review of plan coverage is critical when considering insurance options. Insurance potentially covers litigation costs, response effort costs, and even preventative security measures. Be prepared for an assessment of your current cybersecurity practices, which will impact the insurance quote you receive. 

5. Have a written incident response plan in place

The ABA’s 2020 Legal Technology Survey Report found that only 34% of respondents had a written cybersecurity incident response plan in place. Seventy-seven percent of large law firms—defined as firms with 100 or more attorneys—reported their firms have an incident response plan, while 38% of respondents from firms of 10-49, 23% of respondents from firms of 2-9, and 14% of solo respondents had written plans. 

A written plan can help you minimize damage and take appropriate action quickly in the wake of a data breach or other cybersecurity incident. The plan should map out steps you can take to protect your clients’ data and prevent additional data loss. It should also detail relevant data breach disclosure obligations, such as federal, state, and client requirements.

Your plan might include, among other actions, identifying an in-house lead or team to direct the investigation into the breach, and defining procedures and methods for stopping additional data loss. This team could also serve as the point of contact for regulatory inquiries.

CISA offers great resources for preparing a written plan, including its Cybersecurity Incident and Vulnerability Response Playbooks. The two guides are a solid starting point for creating your own incident response plan. 

Investing the time upfront to protect your client and firm data pays off in the long run. Proactive steps—such as assessing potential threats, ensuring your software is up-to-date, and training your staff and vendors—are critical to preventing cybersecurity incidents such as data breaches. Additionally, creating a thorough incident response plan and obtaining insurance can mitigate the damage should an attack occur. 
