Attorneys handle a wealth of sensitive information daily. Confidentiality is a core tenet of the legal profession: clients need to know that whatever they say to their lawyer is protected by attorney-client privilege.
Unfortunately, data breaches are becoming increasingly common, threatening both the privacy of clients’ sensitive information and firms’ reputations. Consider data from ABA’s Cyber Security Report, which states that 25% of law firms have previously suffered a data breach.
Cyber security must be an ever-present priority for law firms. This article explains why lawyers have a duty to protect their clients’ information, highlights the main risks to the average law firm, and offers top tips on optimizing your firm’s cyber security approach.
Why do law firms need cyber security?
Law firms are ripe targets for attackers. They hold highly valuable, sensitive information, and some also control trust accounts holding their clients' money. That makes them attractive targets for both data theft and extortion.
Consider Grubman Shire Meiselas & Sacks, which faced a $42 million ransom demand after a 2020 ransomware attack.
When such breaches occur, law firms are put in a difficult position: pay the extortionist (losing a significant amount of money, with no guarantee that the stolen data is actually deleted), or risk having their clients' confidential matters published.
Firms may also have additional obligations for certain types of information, such as protected health information under HIPAA, or under New York's SHIELD Act, which requires firms to implement "reasonable" security safeguards to protect their clients' information.
Unsurprisingly, data breaches can have a devastating effect on law firms and their clients alike. The firm may face fines and legal action, and its reputation will take a massive hit. The takeaway is clear: no firm, regardless of practice area, size, or location, can afford a data breach.
What duties do lawyers have to protect their clients' information?
At the ABA Annual Meeting in August 2014, the ABA adopted a resolution on cybersecurity that “encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” This resolution covers all law firms.
Beyond resolutions, firms have an ethical and professional duty to protect their clients' data and, if a breach occurs, to notify affected clients and the relevant authorities promptly. Consider ABA Model Rule 1.6(c): Confidentiality of Information, which requires that lawyers "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client".
However, the precise nature of your firm's responsibilities varies with the kind of information it holds (for example, whether it falls under HIPAA) and with state-specific breach-notification requirements, such as those summarized in BakerHostetler's Data Breach Charts guide.
What cyber security risks does my law firm face?
Sensitive information can fall into the wrong hands in many ways. Human error is often the main culprit: an attorney loses a laptop, smartphone, or briefcase, or has one stolen. Firms may also be hacked remotely, have their website exploited, or suffer a physical break-in.
Generally speaking, the larger the firm, the larger the reported risk. ABA statistics show that in 2021, 17% of firms with 9 or fewer employees suffered a data breach, compared with 35% of firms with 10 to 49 employees and 46% of firms with 50 to 99 employees. This is hardly surprising: the bigger the firm, the more sensitive data it likely holds. Larger firms also tend to have more monitoring in place, so part of the gap may reflect better detection rather than more incidents.
Top tips for cyber security for law firms
Right, enough of the theory—let’s explain how firms can optimize their cyber security approach and safeguard their clients’ sensitive data going forward.
Conduct a risk assessment
Conduct regular risk assessments to identify any key vulnerabilities or weaknesses that put your clients' data at risk. No firm wants to discover it's exposed to a breach, but it's far better to know your blind spots before one occurs so you can take the necessary steps to prevent it.
Consider hiring a third party to conduct an independent audit, helping you identify cyber security gaps, create an incident response plan, implement security measures, and train your staff on current best practices.
It's also worth pursuing a security certification to understand your firm's risk and prove your security credentials. ISO 27001, for example, specifies the requirements for an information security management system; achieving certification means an accredited auditor has verified that the firm runs such a system, which demonstrates its data security practices to potential clients.
Get law firm cyber security insurance
Cyber security insurance provides financial protection for firms that suffer a data breach. Insurance cannot recover data that has already been stolen, but some policies do reimburse certain costs of a breach, such as fees for restoring data, loss of income due to downtime, crisis management, or forensic investigations. Insurers increasingly require baseline controls such as multi-factor authentication and tested backups before they will write a policy.
Third-party cyber liability coverage, often bundled with the above, protects the firm against claims brought by clients or others as a result of a breach.
Develop a robust law firm cyber security policy and incident response plan
Unfortunately, too many firms lack robust cyber security policies and incident response plans. The ABA reports that 53% of firms have policies governing retention of the information and data the firm holds, while only 36% have an incident response plan. 17% of firms lack any policy whatsoever, and 8% said they did not even know whether their firm had one.
Firms can't simply copy and paste a cyber security policy. Each policy must be designed around the firm's specific needs, so no two policies will be alike. Firms should thoroughly audit their potential risk areas, write a policy that addresses those weaknesses, and ensure everyone on staff knows their cyber security duties.
There’s little point in implementing a robust cyber security policy if nobody is aware of it, understands it, or knows their own role within the framework.
Use cyber security tools
Firms must use comprehensive, up-to-date tools to safeguard their data. These range from spam filtering and endpoint protection to software- and hardware-based firewalls. Adopting the right tools is just the first step: firms must also enforce multi-factor authentication on every account that can reach client data, encrypt data at rest and in transit, and keep tested backups that ransomware cannot reach.
Work with practice management providers who prioritize security
Cyber security must be a key consideration when firms choose a practice management provider. Indeed, the best providers understand its importance and bake cyber security best practices into everything they do.
Take Clio, for example. Our internal security team is available 24/7/365 to respond to security incidents. The platform encrypts data both in transit and at rest, following industry best practice (HTTPS over TLS), and its TLS certificates are issued by DigiCert, a trusted certificate authority. Clio complies with GDPR and HIPAA requirements and with the PCI DSS standard. On top of this, Clio's data hosting facilities are audited annually against security certifications such as SOC 2 and ISO 27001.
Conclusions on cyber security for law firms
While you can’t guarantee a breach won’t occur, you can optimize your firm’s cyber security approach. Remember to prioritize cyber security before it’s too late. Focus on working with vendors who are also committed to keeping your data safe and secure (such as Clio). Take your cyber security approach to the next level with this 2022 law firm data security guide.