In this first of a two-part series on how small law firms can address cybersecurity and plan to prevent data breaches, we address the critical reasons why solo and small law firm owners must confront this business risk. By now, you recognize that data breaches are an unavoidable fact of life for most businesses. You’ve seen nearly regular news stories about Biglaw firms experiencing them, and law firm data breaches are on the rise.
Today, most cybersecurity experts have adopted the mantra “when, not if,” and in 2012 then-FBI director Robert Mueller said, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
No business today is too small to experience a data breach, and that includes solo and small law firms. Data breaches range from the simple, like a stolen laptop or mobile device, to the major, like deep penetration of a law firm’s network that gives hackers access to everything on it, sometimes for over a year.
Firms also risk website exploits and hacking attempts against their networks and devices. But external threats are not the only ones law firms face. Many avoidable data breaches stem from employee negligence, third-party subcontractor activity, and the transport of data by the firm’s attorneys and staff.
In fact, according to the ABA’s 2015 Legal Technology Survey Report, around 15% of law firms experienced some form of data breach.
Experts suggest that while attorneys specialize in helping clients avoid and manage legal risk, many are not doing well at protecting themselves from the risks associated with security breaches. The costs of failing to manage these risks effectively are high.
What you don’t know will harm you
The ABA report also revealed that 23% of law firms didn’t know whether they had had a data breach. That statistic should be troubling for small firm owners who may be among that number. Being a solo or small firm does not absolve you of legal and ethical responsibility, and neither does ignorance of a breach.
“Small firms often don’t realize that they do not necessarily have as much flexibility as other small businesses in establishing cybersecurity programs,” says Jody Westby, Esq., CEO of Global Cyber Risk, LLC in Washington, DC.
“That’s because first, they have ethical obligations to protect the confidentiality of their clients’ data, and second, they have to meet compliance requirements associated with client data, such as HIPAA and breach notification laws,” she explains.
As evidence of those obligations, Westby points to new commentary on Rule 1.1 of the Model Rules of Professional Conduct, specifically Comment 8 on Maintaining Competence, and to Model Rule 1.6(c) on Confidentiality of Information. Together they require attorneys to understand how to protect client information and to take specific steps to do so.
In cases of breach, Westby reminds lawyers of Rule 1.4 on Communications. “Attorneys must inform clients about any circumstance requiring their consent like disclosure of confidential or attorney-client communications.” That includes informing clients when a security breach discloses their information.
Thus, not only do data breaches lead to significant downtime for law firm IT systems and lost billable hours for attorneys, but they can also lead to costly lawsuits and ethics complaints by clients.
Clearly, it’s critical for solo and small firms to make cybersecurity part of their business risk management strategy. You may be more motivated to take those steps once you understand why hackers would want to breach your small firm’s data.
What data is at stake in small law firms?
Cybercriminals are only interested in data that is valuable enough to resell. Because they hold significant amounts of clients’ personal data, law firms are prime targets for hackers. Called “personally identifiable information,” or PII, this is information that others can use, directly or indirectly, or in combination with additional information, to identify a specific individual. According to the Ohio State Bar Association, this includes:
- A name, identifying number, symbol, or other identifier assigned to a person;
- Any information that describes anything about a person;
- Any information that indicates actions done by or to a person; and
- Any information that indicates that a person possesses certain personal characteristics.
Exactly what PII law firms must protect from compromise or disclosure varies by state law. But in his September 2014 article in the ABA’s Law Practice Today, Joseph Burton, Esq., a partner in the San Francisco office of Duane Morris LLP, identifies law firm PII as:
- case and litigation strategy information, including settlement parameters and argument weak points;
- confidential client business information (this information may be either retrospective information about the circumstances of the matter at hand or prospective information about future plans and initiatives – or both);
- attorney-client privileged communications and other legally privileged information (such as attorney work product);
- client intellectual property, such as patent, copyright, and trade secret information;
- a range of personally identifiable information (PII) of all kinds for employees, clients and third parties, such as personal health information and various account and account-access information that include customers’ name and address information; and
- payment card information, including card numbers and PIN numbers.
It’s clear why hackers see law firms as high-value targets, and the easier the target, the more likely it is to be breached. Solo and small practices often haven’t implemented the security measures that would prevent a breach. If yours is one of those, how do you fix the issues and avert the disaster a breach represents? We answer that question in part two of this series next week.