Cybersecurity Best Practices for Law Firms

Law firms need to implement data security and cybersecurity best practices urgently. These firms are being targeted by bad actors like never before. This is primarily due to the sensitive information so many of them keep. Attorneys often have access to trade secrets, private data & intellectual property, and privileged inside information about their clients. Sizable law firms may be able to afford a sophisticated cybersecurity employees and consultants. However, most small and medium-sized law firms either do not invest much in the way of cybersecurity or have not yet gotten around to prioritizing it.

This is an imperative blind spot to address in order to protect your clients, guard the firms assets, evade costly fines and comply with the obligations that many firms ignore. Those avoiding basic data security methods (i.e. periodic cyber risk assessments, cyber solutions like MFA, EDR, RMM define RMM, cybersecurity insurance and more).

Risks of Attack

The growing threat landscape for smaller and medium-sized law firms, and generally for many of their clients. has skyrocketed in recent years. We all conduct so much of our daily lives and professions online.

Imagine if you will how many of your firm’s top attorneys start their days, and how they spend their time online during work and everyday life activities. Perhaps they start the day by checking scores or news, reading email, hitting Starbucks and updating their status on a social media site, making a few client calls, and maybe shooting an email or to with sensitive information attached. Not one, not two but every single one of these actions is exposing data online that knowledgeable bad actors use to easily breach your law firm. These everyday events can invite spyware, monitoring tools, phishing and spoofing campaigns, compromised credentials and the threat of ransomware. Simple cybersecurity solutions exist to allow this behavior to be conducted safely, but too many are unaware and not taking their obligations seriously.

Is Your Firm Ignoring These Issues?

Many are, and putting their clients businesses at risk, as well as their own.

While cyber attacks on law firms are not a new development, the rate of incidence and year-over-year growth is staggering. In fact, according to the ABA, up to 42% of law firms with up to 100 employees have experienced a data breach. Recently a study was released with some staggering statistics showing just how few firms are meeting their responsibilities to protect data and safeguard client confidentiality. Most may not know what those duties look like.

Your Firm’s Obligations & Responsibilities

The ABA Committee of Ethics and Professional Responsibility has defined its position on Data Security, Cybersecurity Best Practices and Ethical Obligations.

The American Bar Association (ABA) holds lawyers to ethical & model rules of professional conduct and govern interactions with clients. Here is where the ABA chimes in on data security;

Rule 1.6 speaks to confidentiality of client information. The rule states that, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” This is where your firm must be able to demonstrate efforts to protect client data, something that can best be evaluated by a third party cyber risk assessment.
Formal Opinion 483 addresses the importance of data protection, and discusses methods to handle any security breach. The opinion states that when evaluating the risk of a law firm experiencing a data breach, it is not as helpful to discuss the hypothetical if, but instead to consider when this may happen. 483 outlines requirements for before, during, and after a cyber attack targeting law firms;

Specific Duties Under Formal Opinion 483

Duty of Competence– not only in representing your client, but protecting confidential information with the same rigor. Can your firm meet this duty with all clients?
Obligation to Monitor– The firm should continuously evaluate their systems and ability to assess policies, products and procedures. Is your firm presently doing so?
Stopping The Breach– It is each attorney’s responsibility to take urgent action in the event of a breach. Its important to find a way to stop the breach and prevent further disclosure of information. Are your attorneys taking this duty seriously?
Notice of Breach– whenever a breach is suspected and detected, it is critical to inform clients in a timely manner to allow clients to make an informed decision. Are you aware of whether or not a breach has already occurred?

What Should My Firm Be Doing?

The average small to medium-sized law firm can do many simple things to effectively evaluate whether or not their data security practices are sufficient. Here’s a list for starters;

Get An Independent Cyber Risk Assessment

The best place to start is a simple, pragmatic cyber risk assessment conducted by an independent third party. These are available in many forms through a long list of vendors, so focus on fast, easy and affordable to begin. They will provide recommendations which should be followed, and these should be performed periodically, at least annually. Many states and regulatory bodies require this process, so it ticks a compliance box as well.

Invest In Best Practices & Strategies

The specific recommendations that any cyber risk professional can provide are worthy of consideration. Not all of these processes and tools are a distraction, nor an enormous cost center. Consider pragmatic solutions for your business, and ways to manage them without the need for new staff. If necessary, evaluate a temporary or fractional cybersecurity professional.

Regularly Check and Update Policies

Not every person in your firm needs a key to every door, nor access to all information. Evaluate what level of access each person should have, and consider the minimum level of access possible. This is called least privilege access, and applies to computers and servers as much as doors and garages. This is extremely important when employees leave or resign, and your firm should consider an annually scheduled review of all permissions granted within the company.

Enforce Strong Access Controls & Credentials

Hackers exploit insecure passwords in seconds. Obvious words or reused passwords as a standard account login are very common. 65% of business people reuse passwords across their accounts. Tools can help you do things better. Ensure your system has access controls in place to reject passwords that do not meet minimum criteria. It is generally recommended to have employees, clients, and anyone else with access to your system reset their passwords regularly.

Use Multi-Factor Authentication

Many breaches can be avoided by simple, pervasive use of multi-factor authentication to confirm their identity. MFA tools are used when a user is logging into software systems or a portal. A unique code will be sent via SMS or authentication apps to verify the person has quick access to the credentials. MFA is a strong and effective basic cybersecurity tool, and should be enabled and enforced everywhere possible.

Learn and Follow Government Regulations

Data and privacy regulations are being enforced in many regulatory environments all over the world. From NYDFS in New York and GLBA & NAIC in parts of the US, GDPR in Europe and CCPA in California, a good understanding of how to comply wherever you practice law is becoming critical to protect your clients and their data. Many do not pay much attention, and fines are escalating for ignoring these issues.

7. WISPs and Incident Response Plan

The Written Information Security Plan (WISP) and Incident Response Plan are becoming commonplace cybersecurity table steaks, and help your team learn and practice how they will handle various phases of attack. These include;

Detection: Discovery of the event through software tools, unusual activity, or reports by staff or outsiders.
Containment: The triage stage where the compromised component is identified and isolated.
Investigation: Determine the entry point and scope of the attack.
Remediation: Repair systems affected by the breach & notify affected parties.Report to law enforcement if necessary, and conduct a post-mortem of the attack.
Recovery: Use the lessons learned from this attack to iterate your process and improve.

Final Thoughts

Law firms are under a constant threat of cybercrime and must take steps to defend their clients’ data. Don’t wait until it’s too late, take steps today to create cybersecurity policies and procedures. If you hope to prevent future data breaches and the consequences that follow, you must build resilience to these issues. Law firms need good data security & cybersecurity best practices in place to better protect their clients, their reputation and their company assets.