Like all businesses, law firms must be vigilant when it comes to cybersecurity, particularly when protecting client data. Suffering a data breach may not only compromise sensitive business and client information, but can also be an ethics and public relations nightmare.
While law firms are increasingly in the crosshairs of cybercriminals, many are not prepared for an attack. According to the American Bar Association’s 2017 ABA Legal Technology Survey, 22 percent of over 4,000 respondents reported their firms had experienced a data breach in 2017, compared to 14 percent in 2016. Of all survey respondents, 25 percent reported having no cyber policies, while 7 percent of all respondents stated that they didn’t know about their firm’s security policies.
While the legal industry has made strides to address data security in recent years, many firms have been slow to make it a priority. Below are five key mistakes that could make your firm vulnerable to a cyberattack:
(1) Underestimating Your Value to Hackers: Cybercriminals are increasingly targeting law firms because they have access to a wealth of confidential information, such as trade secrets, strategic plans, patents, and financial transactions. A few years ago, hackers infiltrated the computer networks at some of the nation’s largest law firms in an attempt to gain access to confidential information and exploit it using insider trading schemes. Hackers also tend to target the low-hanging fruit. They know that many small firms likely don’t have robust safeguards in place and can easily target those vulnerabilities.
(2) Thinking Employees Won’t Fall for Scams: Cyber attacks are becoming increasingly sophisticated, which makes them harder to detect. For instance, email phishing scams no longer feature bad grammar and fictitious entities, which easily tip off recipients. Instead, perpetrators often monitor and gather information about their victims for several months prior to launching an attack. Accordingly, the emails are well written and specific to the business being victimized. They may even purport to come from a trusted contact. In schemes involving fraudulent requests for funds, the dollar amounts requested are similar to normal business transaction amounts in an effort to avoid suspicion. Given that your staff and lawyers are the first line of defense to a cyberattack, regular training regarding the firm’s policies and procedures on preventing cyberattacks is critical.
(3) Failing to Regularly Evaluate Procedures and Risks: Cybersecurity is a never-ending battle. Cyber threats, legal requirements, and technology are continually evolving, and it is imperative for law firms to keep pace. For instance, before storing data in the cloud, law firms should be sure that they fully understand both the risks and benefits. Just like firms advise their clients to conduct audits in other areas, regular reviews of your cybersecurity protocols and incident response plan are essential to ensuring they will hold up when you need them. Law firms should also regularly scrutinize third-party vendors to ensure that they are also taking the proper steps to safeguard client data.
(4) Not Devoting Sufficient Resources: Adequately protecting your firm from cyber attacks can be costly, particularly for small and mid-sized firms. However, retaining experienced security consultants and/or vendors can pay for itself, as the expense of having strong security protocols in place will almost always be less than the monetary and reputational costs of a breach. Law firms should also consider evaluating their existing insurance coverage to determine whether a cyber insurance policy is warranted.
(5) Assuming Clients Won’t Ask: Given that attorneys can provide an alternative means for cybercriminals to gain valuable data of corporate clients, businesses are increasingly asking tough questions when retaining outside counsel. Potential clients will want to know how the firm safeguards its clients’ proprietary information, including the cybersecurity measures it employs and how regularly they are evaluated.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Maryam M. Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.