What are your law firm's data security risks?
Product information, banking details, customer lists, intellectual property – because of the sensitive information they hold on their clients, law firms are an attractive target for hackers and cyber criminals.
When George Socha began practising law in the late ‘80s, if a law firm had a computer system, it was secure by nature of its simplicity. “There was little opportunity to get at that data,” he says. “You would need to break into a server room, physically connect to that server in that room and get the data that way.”
As the technology advanced and law firms moved more and more online, there has become more and more opportunity for cyber crime. And as people develop advanced protective mechanisms, others keep devising new and creative methods to overcome them, which the first group then learns how to anticipate and prevent, and the cycle continues. “It has been a cat and mouse game all along the way,” says Socha, who is a lawyer, ediscovery expert and senior VP of brand awareness at Reveal.
Hackers may want to steal a law firm’s data to sell it to third parties or to hold it hostage until a ransom is paid. In Clio’s “2022 Law Firm Data Security Guide: How to Keep Your Law Firm Secure,” author Teresa Matich suggests firms protect themselves with an incident response plan.
She recommends that such a plan covers the following bases: “Contain the damage and begin any recovery protocol; Connect with a data breach expert; Notify your insurance provider; Report the incident to law enforcement; Ensure all third parties are notified; and make compliance a top priority.”
The incident response plan must be reviewed and updated regularly, and Matich adds that having an IT consultant take a look could be helpful too.
In recent years, law firms have been moving their data from an on-site server, or nearby data centre, to the cloud, says Socha. The cloud allows the user to manage processing speed and storage, tightly control who has access to which data, and more easily install software. And while it may appear more expensive, in the long run, it could cost much less than the alternative, he says.
The cloud is also the more secure option, says Socha.
“The major cloud providers, they spend more on security in a year than most law firms make in a decade. There's no way a law firm can keep up and deliver the same level of security that the major cloud providers can.”
Whether the data is in the cloud or in the basement, if a malicious actor figures out someone’s password, they will have access to all of it. That is why is “critically important” that firms use two-factor authentication, which is also a key protection when providing people outside the firm with access to content, says Socha. And firms need effective password requirements, he adds.
Firms must also ensure that anytime someone is connecting to the internet through their system, they are doing so through a secure path, says Socha. This can be done by using HTTPS, instead of HTTP, as well as using a virtual private network (VPN), where appropriate.
But in addition to simply having these protocols in place, management must ensure lawyers and staff know how to employ them.
“You need to go beyond just the systems you put in place to making sure that the people who are working with the content are appropriately trained, and their training is tested on a regular basis.”
It is not only those on the law firm side who need training, but clients too, adds Clio’s Matich. Law firms bear all the risk for exposing client information, so law firms need to train their clients on how to prevent a security breach. Clients should know who will be contacting them, which communication methods they will use, what steps clients should take to preserve confidentiality, and how to report anything suspicious, she writes.
One of the common mistakes law firms make is trying to do cyber security on the cheap, says Socha. If they have an IT professional on staff, oftentimes they think they have it covered. But an IT professional’s primary role is to keep the network up and running, he says.
“To expect someone who's expert in building and maintaining IT systems also to be expert on data security is asking a lot,” says Socha. “So don't think your IT guy is going to be able to do this for you. That's not a fair thing to ask.”
“Find someone with expertise in cybersecurity to help you out.”