Cravath Swaine & Moore, Weil Gotshal & Manges, Mossack Fonseca, Johnson & Bell. Prestigious names indeed, but you don’t want to be on this particular list. In 2016, law firms became a prime target for hackers intent on stealing sensitive client data and intellectual property, exposing corruption, and obtaining lucrative intelligence for insider trading. The hackers include Russian and Chinese actors who have targeted many other firms, with varying degrees of success. Attack vectors included spear-phishing, malware, Trojan horse viruses, and ransomware.
The American Bar Association’s (ABA) 2016 Legal Technology Survey Report indicates that 14% of respondents reported a data breach at their firm; for larger firms (500+), the percentage rose to 26%. An even higher percentage of firms reported virus or malware infections (45% overall), and while such infections do not always result in a breach, the consequences of a data compromise are often impossible to trace, or go undiscovered for a period of time (see Yahoo’s multi-breach debacle). Other consequences can be incurred whether or not data was leaked: loss of productivity and billable hours, security consulting and equipment replacement expenses, and destruction or loss of files.
Law firms have a clear and compelling duty to protect their clients’ information; confidentiality is the heart of their practices, and firms’ reputations depend on their ability to uphold it. Even so, most law firms are not information technology specialists, and many are too small to hire sufficient IT security teams. As firms become increasingly reliant on connected devices and digital communications, they must place a higher priority on cyber security and follow through with investments in security technology, security awareness training, policy enforcement, and regular assessments.
ABA Model Rules, updated in 2015 to acknowledge cyber security concerns, require attorneys to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” as well as to, “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Firms are also being challenged to comply with regulations their clients must follow (e.g., healthcare, financial, international). If your firm is not meeting these standards, or you aren’t sure, form a committee tasked with assessing cyber risk and implementing cyber security best practices.
In the event of a data breach (often unavoidable despite security measures), the following steps will enable incident response, compliance with reporting requirements, and preservation of client relationships.
Get Started With An Acceptable Use Policy
Do you have an acceptable use policy that every staffer must sign? This document stipulates the constraints and practices that users must agree to for accessing corporate networks or the Internet. Security awareness training can also help keep information security top of mind. Law firms of every size should have an acceptable use policy and limit access privileges as tightly as is practical.
Focus On Controls Management For Due Diligence
Policies can be used to mold associate behavior toward sound information security practices. Controls are central to the “trust, but verify” approach: they enforce policies and govern access to data through stipulations like encryption, use of personal devices, and approved application lists. Consider, for example, your firm’s password policy. The policy might spell out character count, upper and lower case use, a special character requirement, and regular password changes. The technological control enforces the password policy.
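To make the policy-versus-control distinction concrete, here is an added illustration (not from the original article) of a written password policy encoded as a technical control. The policy values, the roster, and the dates are constructed; complexity is checked when a password is set, and the staleness audit works only from directory metadata, so the control never needs plaintext passwords.

```python
from datetime import date
import string

# Hypothetical policy matching the clauses named in the text: character count,
# upper and lower case, a special character, and regular password changes.
POLICY = {
    "min_length": 12,
    "require_upper": True,
    "require_lower": True,
    "require_special": True,
    "max_age_days": 90,
}


def check_complexity(password: str, policy: dict = POLICY) -> list:
    """Run at password-change time. Returns the clauses violated ([] = compliant)."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append("length")
    if policy["require_upper"] and not any(c.isupper() for c in password):
        violations.append("uppercase")
    if policy["require_lower"] and not any(c.islower() for c in password):
        violations.append("lowercase")
    if policy["require_special"] and not any(c in string.punctuation for c in password):
        violations.append("special")
    return violations


def is_stale(last_changed: date, today: date, policy: dict = POLICY) -> bool:
    """True when the password is older than the policy's rotation window."""
    return (today - last_changed).days > policy["max_age_days"]


def audit_roster(roster: dict, today: date, policy: dict = POLICY) -> list:
    """Audit control: list users whose passwords exceed the rotation window.

    `roster` maps username -> date the password was last changed (directory
    metadata), so no secrets are handled here."""
    return sorted(user for user, changed in roster.items()
                  if is_stale(changed, today, policy))


if __name__ == "__main__":
    # Constructed sample roster and audit date.
    sample_roster = {"alice": date(2017, 3, 15), "bob": date(2016, 11, 30)}
    print("complexity violations:", check_complexity("password"))
    print("overdue for rotation:", audit_roster(sample_roster, date(2017, 5, 1)))
```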
Address Cyber Threats With Vulnerability Management
Cyber threats aren’t going away. In fact, they mutate and adapt to defense tactics so quickly that even experts struggle to keep up. Address them with an information security solution that scans for and reports on vulnerabilities. You also need a plan for prioritizing vulnerabilities, so that the most urgent are addressed first.
Manage Your Cyber Defense With A GRC Platform
A good litigator never enters a courtroom unprepared. Likewise, strong cyber security requires layered, integrated measures that include governance, risk management, and compliance (GRC) activities. Many law firms use a blend of GRC processes and user-generated spreadsheets and emails to manage information security, comply with regulations, and manage risk. That is, until they experience a data breach or conclude that there has to be a better approach.
Effectively managing GRC activities by spreadsheet or committee is not possible in today’s cyber environment. To be prepared, implement a comprehensive GRC solution designed to manage information security and IT risks. These cloud-based software platforms act as a central, integrated repository for policies, controls, and compliance mandates. The platform connects with third-party technologies that specialize in scanning for vulnerabilities and configuration issues. This front-line reporting feeds into the platform, where the data can be analyzed, prioritized, and managed, as well as linked to regulations, controls, assets, vendors, and risk registers. Analytics help set benchmarks and identify trends using aggregate data from across departments. Reporting through dashboards and heat maps increases visibility, collaboration, and accountability. Automated workflows and systematized assessments streamline compliance and audit tasks. These integrated tools will not only protect your firm more extensively, they will boost overall efficiency and optimize operations, resulting in a more resilient and competitive business.
While 2016 was a rough year for data breaches, there is little reason to think 2017 will be any easier for law firms. Hackers will continue to build on the profitable exploits of their cybercrime compatriots and learn from their mistakes. It doesn’t matter how big or how small your firm is. Now is the time to implement security best practices to ensure your firm is ahead of the curve and making the headlines for winning cases rather than security failures.