To say that law firms handle a lot of data would be an understatement. Firms must manage case information, communication records, and myriad documents shared with courthouses, notaries, and other legal entities. It’s almost impossible to conceptualize the physical space that would be required to hold this immense amount of documentation.
These logistical concerns (and technological shifts) have caused most firms to digitize their processes. While digitization solves plenty of challenges, it does create a few new ones — primarily with regard to cybersecurity and privacy.
In 2017, the Washington, D.C., offices of DLA Piper fell victim to Petya malware. The attack forced the firm to shut down its global operations, causing weeks of disruption, millions lost in business and recovery costs, and painfully public press coverage.
In general, 2018 was the year of the data breach — and confirmation that the legal industry hasn’t given data security the prioritization it deserves. Law firms are a prime target for cybercrime because of the amount of highly sensitive and confidential data they retain for their clients. This sensitive data is very valuable on the dark web.
Law firms have a solemn responsibility to protect client data as rigorously as possible. The American Bar Association’s professional code of conduct states that lawyers “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” For law firms, a data breach could result in regulatory fines and possible malpractice suits.
Protecting client data is a collaborative effort between the law firm and information technology professionals; hiring a cybersecurity professional is key.
The Obvious (and Hidden) Costs of Data Breaches
In January 2018, security researchers revealed that computer chips commonly used in devices from Microsoft, Amazon, Apple, and other major tech companies were vulnerable to hacking. These hardware flaws mean law firms’ sensitive data may, in turn, be vulnerable to malicious hackers.
Many firms face the additional complications of poorly patched operating and network systems, outdated firewalls, and equipment nearing the end of its lifecycle, increasing the risk of technical failure. These weak spots provide opportunities for cybercriminals to hijack communications or hack sensitive data. The threat is so extensive that a 2017 Ponemon Institute survey found that 69 percent of respondents viewed their company’s security infrastructure as outdated.
In addition to outside threats, law firms must also contend with employee-generated vulnerabilities. Even if a company implements a thorough security infrastructure, employees are still susceptible to phishing or malware attacks. PhishMe reports that an alarming 91 percent of hacks begin with phishing scams, often because employees have not received the necessary cybersecurity training.
Employee error can have severe consequences when client data is compromised. Firms may have to contend with lawsuits, reputational damage, and employee and client churn. This is all while coping with the financial costs of downtime, repairs, and data restoration. In the case of DLA Piper, it took the firm months to fully recover and cost millions of dollars between lost billables and recovery expenses.
The severity of a breach may seem abstract to people who don’t work in IT, but the financial consequences can cripple even the healthiest firm. For breaches involving 1 million to 50 million lost records, IBM reports that companies can face $40 million to $350 million in associated costs. Depending on the size of your firm and of the breach, one small oversight can be devastating to the firm’s finances and its long-term survival.
Four Ways to Start Securing Sensitive Data
Fortunately, IT professionals have a firm grasp of how to safeguard legal professionals and their businesses. Here are some ways to take action:
1. Organize your data storage.
You cannot protect your clients’ data if you don’t know where it is. Cloud services have enabled users to store client data in multiple locations without IT’s knowledge. Choose one storage method, such as Microsoft SharePoint or Google Drive, and implement firm-wide consistency.
Gaps between systems create unnecessary liabilities and inefficiencies, so having everyone work within the same structure will make it easier to retrieve and systematize data. More importantly, you’ll only need to monitor one system for security updates and potential breaches. Cloud providers like Microsoft have controls in place to encrypt data, monitor its use, and add digital rights to documents.
2. Implement managed security solutions.
Set up next-generation firewalls, spam filters, and anti-virus tools. These solutions will monitor your network activity and alert your IT team to malicious vectors and compromised devices. Considering the amount of data your firm generates and stores, you need solutions that continuously scan for potential threats.
3. Regularly train employees on security.
Turn your employees into assets rather than liabilities. Train them to spot phishing attempts and educate them on digital hygiene standards that will curtail the risk of a data breach. By cultivating your team’s awareness, you’ll decrease the likelihood that hackers get anywhere near your client data.
4. Have a response plan in place.
Work with your IT and security teams to create data protection and recovery policies. Establishing a response plan well in advance of an attack can slash the time it takes to remediate a breach and recover from the resulting downtime. Your response plan should also include a public relations strategy to minimize consequences such as client churn and a damaged reputation.
Cyber threats aren’t going anywhere, and hackers are constantly discovering new ways of accessing data. Law firms must protect client information, and the best way to do that is by empowering their IT teams to build a robust defense from the inside out.