Law Firm Risk Management: Cyber security and Beyond
Most people, and the majority of companies, seem to believe that financial and healthcare sectors are the only two that really need to be concerned with a data breach. However, law firms are certainly not immune. The breaches that occur at law firms generally do not make the news, because publicizing those events would be detrimental to the firm.
Unfortunately, there are significant problems with the under-reporting of data breaches at law firms. The main concern is that this under-reporting means that other law firms are not aware that they may be at risk.
That lack of knowledge often translates into a false sense of security, leading law firms to believe they are not vulnerable to cyber attacks and other security problems. As a result, firms generally fail to take the right steps toward protecting themselves from data breaches: they do not put the right controls or technology in place to ensure that the information they collect is stored so that it cannot be accessed by unauthorized parties. In this case, hearing nothing about data breaches is not good news.
It is true that data breaches are not as commonly reported at law firms as in some other industries, but that does not mean they are as unlikely as they appear. They remain a significant concern and, what is more, a growing one for law firms around the globe. Intrusion by hackers is a big part of what causes data breaches, but it is not the only problem; other causes and sources also have to be considered. A law firm that chooses to ignore the risk may be failing its ethical and legal duties, yet there are inexpensive and unobtrusive options that make things safer. And quite aside from data breaches, sabotage is another tangible threat.
Security and Privacy of Data are Growing Concerns
As far back as 2011, the FBI was meeting with law firms to let them know that they were targets of hackers, and that the threat would continue to grow. Many firms wondered why this would be the case, but the answer is relatively simple: law firms hold some of the largest collections of sensitive documents. The information in their records can give hackers names, Social Security numbers, arrest records, marriage and divorce information, financial proceedings, custody battle results, and nearly anything else that is or could ever become a legal matter.
With that wealth of data at their fingertips, it is not surprising that law firms are targets of hackers and others who are attempting to collect data they are not authorized to view. As cyber attacks become more complex and hackers become more savvy, more law firms will be targets. Many of these firms have already been targets, and most of them either did not discover the problem until it was brought to their attention, or did not notice there was an issue until months later. Naturally, that is not considered acceptable to the law firm, or to the people who entrust that firm with their data and believe that it will be safe there.
It is not just outside attacks for which law firms must be prepared, either. Many breaches of law firm data originate inside the firm itself. A stolen laptop or a lost smartphone could leave dozens or even hundreds of clients vulnerable to having their personal information collected and misused. A number of law firms also allow attorneys and others who work at the firm to use their own devices to access records. While that makes sense from a business standpoint, it also creates many more points of entry for anyone who would improperly obtain and use confidential information.
And yet, many law firms are not aggressive enough in pursuing cyber security and risk management measures. Just four years ago Jeffrey Brandt, of LegalITProfessionals.com, reported the following numbers emerging from an ILTA survey:
- 86% do not use or require two-factor authentication
- 78% do not issue encrypted USB drives
- 76% do not automatically encrypt email based on its content
- 58% do not encrypt laptops
- 87% do not employ any laptop tracking technology
- 61% have no intrusion detection tools
- 64% have no intrusion prevention tools
- 94% don’t bother to track iPhones and Android smart phones
According to LawPracticeToday, part of the problem is a mindset. Compliance is not security: crossing off a checklist simply to obtain ISO 27001 certification, for example, misses the point, because it treats the list as all-inclusive and fails to address the idiosyncrasies unique to one's firm. Lack of lawyer acceptance of security processes, such as email encryption, creates exploitable gaps. An internal culture that embraces cybersecurity as a necessary fact of practice goes a long way toward identifying and preventing risk.
Data Breaches Can Cost Law Firms More Than Just Money
There is a heavy cost to a data breach. In 2013, a data breach cost the company that experienced it an average of nearly five and a half million dollars. That is a staggering figure, and one that varies with the size and kind of company, the size of the breach, and the type of data involved. While the prospect of paying out that kind of money is undoubtedly frightening for any firm, the true cost of a breach can be far more than what the firm actually pays to contain and recover from it.
If word of the breach gets out, the law firm may also face lawsuits, fines, penalties, and a loss in consumer confidence that can mean current clients choosing to take their business elsewhere. It can also mean that potential future clients will choose a different law firm, thus costing that firm even more in unrealized revenue. Consumers want to do business with companies they can trust, and not being able to trust your attorney to keep your data safe is a significant issue that can become trouble for any law firm that has a publicized breach, or that must notify its current clients of a breach of their personal information.
The reputation that a law firm has is generally perceived to be its most valuable asset. Without that reputation that it has carefully built over the years, clients will seek out the services of another firm. It only takes an instant for someone to breach the law firm’s data, and with that breach comes the potential to damage or even destroy the reputation that the firm has so diligently created over a period of time. There is far more than just money at stake when it comes to any law firm and whether the data it collects is properly protected to avoid hacking or other types of breaches from taking place.
Seize Opportunities to Improve Security
John Kuttler, CIO at Finnegan, Henderson, Farabow, Garret & Dunner, relates a story of being told, back in the early days of the Internet, that under no circumstances should he send an email to a client. It is hard to read that sentence today without smirking. Likewise, the cloud is still viewed with apprehension, yet more and more of the litigation workflow and case management is migrating to it. It is therefore critical that law firms have judicious processes to protect cloud-based litigation software from data breaches.
Additionally, sending data unencrypted is a poor choice, because anyone with modest hacking skills who can intercept it gets the data in the clear. There is no encryption to break, so the data can be used for nefarious purposes right away. Reconsidering whether employees may use their personal phones and laptops for firm work, along with carefully vetting vendors, are also important steps.
A data breach can still happen even with the best security, but the lower the risk, the better the firm will be able to operate, and clients and potential clients will have more confidence in it, which keeps its reputation intact. By building on the in-house capabilities the firm already has and adding a professional level of technical support, IT vendors and contractors can provide enterprise-level solutions that protect the firm as strongly as possible. In the event of a breach, incident response plans that are already in place will limit the damage quickly and efficiently.
5 Dumb Mistakes to avoid:
Here are 5 mistakes that could create nightmares for your law firm:
- Don’t keep unnecessary client data “in case you need it someday.”
- Don’t forget to encrypt
- Don’t leave your access paths unsecured
- Don’t delay in patching known weaknesses and vulnerabilities
- Don’t neglect re-configuring badly configured servers and databases
A List of Best Practices for you to Consider:
Law firms that are concerned about cybersecurity and risk management can take a number of steps to help protect themselves and their clients from data breaches. An excellent article published by CNA lists the following cyber-security best practices:
- Encrypt everything – no data should be sent anywhere if it is not encrypted, as doing so simply puts that data at too much risk.
- Be careful what goes into the cloud – the cloud is great for storage, but it is also a target, and much of its security is out of the law firm’s direct control; the firm remains responsible for what it stores there and how that data is encrypted and who can access it.
- Consider ending the BYOD program – allowing employees to bring their own devices to work only adds to the growing risk of hacking, as the law firm has less control over those devices.
- Be sure to vet every vendor – vendors who work with a law firm may not exercise the same security precautions as that firm does, and could be weak points in the security chain.
- Train staff properly – the more a law firm’s staff knows about the risks and how to avoid them, the more likely they will be to do so.
- Understand the risks of working wirelessly – wireless technology is highly beneficial, but it also has its risks, and understanding and mitigating these is vital to security.
- Have a policy for your passwords – passwords that are too short or simple, or reused in other places, are weak points, and every law firm should have a policy on this issue. Note that current guidance (NIST SP 800-63B) favors long, unique passwords, screening against known-breached passwords, and multi-factor authentication over forced periodic changes, which tend to produce predictable variations.
- Insure your firm against cyber attack liability – cyber liability insurance does exist, and it can be worth getting for any law firm that wants to protect its financial health in the event of a breach.
- Use the right cyber security standards – there are standards and guidelines for cyber security today, and any law firm that is dedicated to data protection should learn these and then meet or exceed them.
- Be prepared for problems to happen anyway – even with the best security a breach can still happen, so law firms should have a plan for what they will do if their data is breached.
As a wider measure, Jody R. Westby, a coauthor of four books on cybercrime and cybersecurity, recommends the development of an ESP (enterprise security program). Follow the link to the article that describes the process in detail.
Additional cyber security measures to consider:
- Keep antivirus programs and spam filters up to date – many law firms fail to keep their software updated, and something as simple as regular updates can help reduce risk.
- Be sure leadership is aware of the risks – the leaders of the firm should be the ones most aware of the risk and dedicated to ensuring protection for the firm, but that is often not the case.
- Use host intrusion prevention/detection (HIPS/HIDS) software – tools that watch a system for unusual changes, such as modified binaries or configuration files, can be an excellent way to detect a compromise early.
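The following is an added example, not code from the original article or from any product it mentions. It shows the core idea behind host-based change detection: record a cryptographic hash (and permission bits) for every file you guard, then rescan and alert on anything added, removed, or modified. The sample directory tree, its file names, and the simulated tampering are all constructed inside a temporary folder so the script runs offline.

```python
"""Minimal file-integrity baseline, the core of a host intrusion detection tool.

Added example (not from the original article or any vendor product). The
sample tree below is constructed in a temporary directory; file names and
contents are illustrative only.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its
    SHA-256 digest and permission bits."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            # Symlinks are skipped rather than followed: pointing a link at
            # a benign file is a classic way to fool a naive scanner.
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": sha256_file(full),
                "mode": oct(full.stat().st_mode & 0o777),
            }
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify differences between two scans. A permission change alone
    (e.g. a config file made world-writable) counts as a modification."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed sample tree, baseline it, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_password=changeme\n")
        (root / "etc" / "hosts.allow").write_text("ALL: 10.0.0.0/8\n")
        (root / "bin" / "docket").write_bytes(b"\x7fELF original binary\n")

        before = build_baseline(root)

        # Simulated tampering: config edited, binary replaced, access-control
        # file deleted, and an unexpected new file dropped into bin/.
        (root / "etc" / "app.conf").write_text("db_password=changeme\nallow_remote=1\n")
        (root / "bin" / "docket").write_bytes(b"\x7fELF replaced binary\n")
        (root / "etc" / "hosts.allow").unlink()
        (root / "bin" / "unexpected.php").write_text("<?php /* dropped file */ ?>\n")

        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind:<8} {p}")
```

In practice the baseline would be stored off-host (or at least signed), because an attacker with root can otherwise simply rebuild it after tampering; commercial and open-source HIDS products add that, plus scheduling and alert routing, on top of this same comparison.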
By following these guidelines it is easier to keep a law firm safe from security breaches. Until law firms use the right kind of legal docketing software and the proper level of protection from hacking and other attacks on their data, they will carry an unnecessary level of vulnerability. By choosing the best companies and products to protect their firms, much of that vulnerability, and the risk that comes with it, can be eliminated.
The Bigger Picture: There is More to the Risk Management Story
Risk management for law firms extends well beyond cybersecurity, that is, beyond being “hacked into” by an outside party attempting to collect and misuse data. To provide the level of risk mitigation a law firm needs, the firm must protect itself from outside threats as well as from human error and flaws in its own processes. Hackers, competitors, ex-employees, and others who would get into the files and cause problems are certainly significant concerns, but there is more to the issue than what is coming in from the outside.
Are your manual, decentralized docketing workflows exposing you to legal malpractice suits?
The docketing workflow is also a potential area for risk mitigation. If there are flaws in the processes or an egregious level of human error found within the firm, that can open the law firm up to legal malpractice lawsuits.
Few difficulties will damage a law firm’s reputation like being sued for legal malpractice and losing due to human mistakes or problems with the process the firm uses for its cases.
A law firm’s risk mitigation efforts should include improving and centralizing legal docketing and calendaring. Human error in docketing can be very damaging for clients and for the firm as a whole, because it leads to missed dates and deadlines. One well-known case occurred in 2014, when AT&T faced a $40 million loss after an appeal was lost because of a docketing error.
Law firms are already adopting case management software, and the time has come for them to also adopt legal docketing software. The manual calendaring processes used by most law firms have inherent flaws, and they are decentralized and inefficient, as well. By replacing a manual docketing workflow with a robust legal docketing software solution such as eDockets Critical Dates, a law firm can reduce exposure to malpractice suits that stem from missed court dates and other deadlines.
Robust and court-rules-based, our docketing & calendaring platform is designed to ensure that the law firm stays up to date and on top of any scheduling and docketing issues, further protecting both its data and its hard-earned reputation.