SAN FRANCISCO — There are two kinds of law firms: those that know they have been hacked and those that don’t know they’ve been hacked.
That according to Vincent Polley, president of Know Connect PLLC, an information technology and knowledge management consultancy, and co-author of the just released book The ABA Cybersecurity Handbook. Polley was on a panel at the ABA annual meeting Friday afternoon discussing cybersecurity for lawyers and law firms.
“We are all vulnerable,” he said. “Even government lawyers in high-security environments.”
Law firms of all sizes are attractive targets to hackers because of the high volumes of important information they hold. In addition, once attackers are inside a law firm's system, it can often be used as a gateway into the systems of connected clients.
The purpose of the book he co-authored with Jill Rhodes is to help lawyers “know what they need to know” about identifying risks and taking the appropriate actions to protect their data. Awareness is the primary concern, he pointed out.
According to Rhodes, the biggest security threats are internal. Not because employees are malicious, but often simply because they are ignorant and “putting your information at risk unknowingly.”
The internal threats could be anything from having apps on mobile phones that can compromise security to employees not locking down their computers when they leave their desks or working remotely on confidential documents via the local coffee shop’s open Wi-Fi connection.
With so much digital information there are many more opportunities for the bad guys to get at your data, and the consequences of information getting into their hands are much greater, said Thomas Smedinghoff, a partner in the privacy and data protection group of Edwards Wildman LLP.
So what can you do to protect your firm’s data? Here are 10 tips from the handbook:
- Evaluate the firm’s current cybersecurity risk profile including data and device controls as well as ethical and legal obligations regarding data protection.
- Evaluate client-specific data security considerations.
- Create and empower an information security and data governance committee within the firm.
- Appoint or hire a chief information security officer to lead the day-to-day operations.
- Create a standardized, auditable, risk-based information security program.
- Establish stringent rules for data security around software, cloud and other data service contracts.
- Develop a data security incident response protocol or plan (including plans for notifying clients, government, etc. in case of a breach).
- Develop controls on Internet access and the use of personal devices by members and employees of the firm.
- Educate lawyers and staff on their obligations regarding cybersecurity and their roles within the firm’s information security program.
- Conduct routine audits of the firm’s information security risks and vulnerabilities.
On top of all that preparation and ongoing maintenance be sure you have insurance in place that will cover cybersecurity breaches.
“All law firms need to make an assessment of your cyber risks and make policies based on the presumption that you have insurance,” said insurance lawyer Wesley Sunu, who penned one of the chapters in the handbook.
He noted that you wouldn’t buy a car without checking out the insurance situation but lots of law firms essentially run their whole practices without any thought to insuring their cyber-assets.
“Bring your insurer in to do an audit,” he strongly urged. That will show what your regular errors and omissions policy may or may not cover in terms of data security/breaches.
Quotes and audits of your insurance coverage are free, so there's no reason not to do it, said Sunu.
The handbook is American but much of the information can be transferred to Canada and covers the issue from the perspectives of private practice, in-house counsel, and government. It includes sections on obligations to clients, understanding the practice setting, and best practices for incident response and cyber coverage.