Some degree of risk has always been inherent in the legal profession. These days, however, your law firm must tread carefully, and not just for fear of courtroom missteps. After all, law firm online security concerns threaten to derail the most trusted practices—even those that have implemented strict security measures.
Unfortunately, attacks are increasingly common among law firms of all sizes, as evidenced in an October 2020 report from the American Bar Association (ABA). This alarming survey revealed that 29 percent of respondents had suffered security breaches, compared to 26 percent as of 2019. Meanwhile, 36 percent of law firms questioned by the ABA claimed that their systems had been infected by viruses, spyware, or malware.
Research from the ABA also indicates that law firms are woefully unprepared to handle today’s cybersecurity threats. To help, we’ve compiled a guide that breaks down the scope of the problem and the measures that will help you mitigate these risks.
Why is ransomware such a huge threat for law firms?
From the attacker’s perspective, your law firm provides a wealth of potential. Whether you serve large corporate clients or focus on individual concerns such as personal injury or divorce, your legal team is tasked with handling and protecting a high volume of sensitive data.
This responsibility is detailed in the ABA’s Rule 1.6 regarding confidentiality of information. The rule states that your firm must make reasonable efforts to prevent “the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Given both the ethical implications of law firm data breaches and the practical considerations, it’s easy to see why these incidents are so devastating. In the short term, adverse events may render systems unusable. In both the short- and long-terms, the confidentiality of client records is put at risk. This is particularly worrisome during ransomware attacks, in which crucial resources may be unavailable until you acquiesce to attackers and pay the ensuing ransom. Even if these ransoms are ultimately avoided, downtime can impede legal discovery and critical communications with clients.
Not only can the initial breach prove catastrophic, but it can also lead to future attacks. Referencing hazards faced by the firm Campbell Conroy & O’Neil, P.C. following a devastating attack, cybersecurity expert Neil Jones explains, “An initial breach or ransomware attack can reveal third-party providers’ IT vulnerabilities that can be capitalized on by attackers at a later date.”
Over the long term, cyberattacks can destroy the reputation that your law firm has worked so tirelessly to build. After all, prospective clients are unlikely to place their faith in practices with a history of breaches. In severe cases, breaches can even prompt closure. For example, Mossack Fonseca (known for its role in the Panama Papers scandal) cited “reputational deterioration” following a data breach as the chief reason it closed.
How can law firms avoid ransomware attacks and security breaches?
No one initiative is sufficient for preventing every law firm cyberthreat. Between vishing, smishing, pharming, and ransomware, the scope of these hazards is simply too vast for a single initiative to address.
Rather, law firms must implement a layered approach that encompasses everything from audits and incident response plans to everyday company culture. The following are a few of the most important strategies for limiting risk.
Build a company culture that emphasizes security
Targeted law firm cybersecurity initiatives are crucial, but they must be implemented under the umbrella of a practice-wide culture of security. Your firm could be so focused on individual vendors or technologies that you fail to see how a practice-wide lackadaisical approach to security can compromise the specific initiatives you’ve worked so hard to implement.
Rather than relying exclusively on IT departments or outside providers to handle security concerns, it’s crucial to teach all employees, vendors, and even clients how their behavior can either prevent or lead to attacks.
Security training should not be regarded as a one-and-done event. Rather, it is an ongoing process that keeps all parties aware of—and prepared to address—new security issues as they arise. That being said, early awareness is also key, especially as employees sign acceptable use and data classification policies.
Use strong passwords and multi-factor authentication
It seems obvious, but effective password protection is a critical component of law firm data security. Passwords provide an initial barrier to entry for many types of accounts, ranging from email addresses to file-sharing applications.
Unfortunately, many law firms fall short on this most basic of security measures. Common issues include:
- Short or simple passwords that can easily be cracked during brute force attacks
- Recycling the same passwords across several accounts
- Failing to change passwords on a regular basis
In addition to high-quality, original passwords for each account, all employees should commit to using multi-factor authentication. This practice provides an extra layer of protection by requiring users to confirm their identity with a numerical code received via text message or voicemail. Biometric identification can also be integrated in the form of fingerprinting or even retina scans.
Simply informing employees of password best practices is rarely sufficient. A better approach? Developing—and enforcing—a strict password policy. Requirements may include:
- Automatically being required to update passwords every 90 days, or more frequently if needed.
- Sending email notifications to let employees know that their passwords are about to expire.
- Maintaining a password history to prevent employees from recycling former passwords.
- Encouraging employees to utilize password managers. Paste functionality should be enabled to make these managers easier to use.
Implement least privilege access
Not all law firm employees need to access all available data. This concept especially rings true for large law firms that employ legal clerks, paralegals, and other entry-level professionals. With increased access to sensitive data come more opportunities for these employees to either purposefully or inadvertently compromise critical information.
This problem can be addressed through the concept of least privilege access, in which users, applications, and devices receive sufficient access to perform required tasks—and no more.
Least privilege is the preferred model of the Association of Corporate Counsel (ACC) and is recommended by the ABA. The ABA also suggests “creating an administrator user with full privileges…and individual, non-administrator accounts for each user.” From there, files can be shared based on the need for specific users to access privileged information.
Develop and update your incident response plan
While the strategies outlined above can limit the potential for ransomware attacks or phishing scams, it’s also important to know how your firm will respond in the worst-case scenario. Therein lies the value of the incident response plan, which highlights how adverse events will be detected—and who will be responsible for responding to and mitigating such problems.
Ransomware-oriented response plans should highlight whether any situations exist in which the ransom should be paid. If negotiation is preferred, these plans should identify who will handle communication and which tactics will be used.
The National Institute of Standards and Technology (NIST) outlines preferred structures for responding to cybersecurity incidents, including the following essentials:
- Preparation. This should encompass thorough training for all users, plus a security protocol that addresses key elements such as email attachments and macros. NIST also recommends endpoint antivirus protection.
- Detection and analysis. Data collection efforts should aim to identify precursors to attacks, as well as indications that breaches are currently occurring or have taken place recently. A baseline for the typical activity should be developed, as well as signs of deviations from this norm.
- Containment and recovery. An ideal containment strategy will stop attacks before they cause widespread damage. Once incidents are contained, steps such as malware removal or password reset should be taken to restore full data security.
- Post-incident activity. Every response plan should include procedures for drawing insight from previous attacks. Only then can law firms make necessary changes to avoid similar events in the future.
Perform regular audits
In all likelihood, your practice’s chief vulnerabilities are hidden in plain sight. These issues can be uncovered during the audit process. Audits can take many forms, including both internal audits and external audits provided by outside vendors. Both can be useful, although relying exclusively on internal audits could limit your ability to detect weaknesses beyond your limited expertise.
All audit results should be closely examined, no matter how “successful” they may seem. The intent is not a pat on the back for achieving a passing grade, but rather, addressing the vast and ever-changing scope of security threats that practices might face.
Compliance assessments are also worth considering, depending on where your practice is located or which types of clients and cases you take on.
Currently, a variety of regulations influence your ability to collect and utilize data about employees, clients, and potential clients. The European Union’s General Data Protection Regulation (GDPR) is among the most noteworthy and will have a discernible impact on law firms that handle international cases. Other laws that warrant attention include the California Consumer Privacy Act (CCPA) and the Stop Hacks and Improve Electronic Data Security Act (SHIELD).
Without proper auditing, your law firm risks not only attacks but also legal challenges. This threat became abundantly clear with Shore v. Johnson & Bell, Ltd. In this landmark cybersecurity case, the plaintiff alleged that the firm Johnson & Bell failed to use necessary safeguards and, therefore, “systematically expose(d) confidential client information.” No evidence indicates that the plaintiff’s data was ultimately accessed, but they’re still seeking a court order to declare the defendant’s conduct legal malpractice.
Summing it up: the need for swift action
If there’s a reason for hope, it’s that data from the aforementioned ABA cybersecurity report indicates incremental improvements. Your firm is likely part of this trend—and you’re ready to take action.
As ABA experts point out, however, incremental isn’t good enough. If you build cybersecurity into the fabric of your practice, you’ll stand a better chance of avoiding breaches, and, ultimately, gaining a competitive edge over the vulnerable firms that continue to neglect key digital safeguards. Only then can you assure clients that their data is safe.