The Florida Bar

Florida Bar Journal

Cybersecurity: Getting Proactive About Data Vulnerability

Featured Article


Lawyers, as custodians of information, are entrusted with personal and highly confidential information in their daily practice. Unfortunately, in today’s digital age, this information is vulnerable to unauthorized disclosure without definitive standards and practices in place for security control. Lawyers and their law firms may not even be the primary target of a cyber-attack, but rather a secondary access point to information within their control. With confidentiality a foremost concern, all lawyers must fully understand the risks and implications of failing to adequately protect confidential and personal data.

As a result, cyber-risk evaluation and risk management have become urgent needs for lawyers and their law firms. Underscoring the importance of this matter, recent data indicates that 80 of the 100 biggest law firms, by revenue, in the U.S. have been hacked since 2011.[1] Therefore, it appears that despite their relative size and considerable economic power, even the largest and most sophisticated law firms are vulnerable to risk.

In attempting to safeguard against the risk of a cyber-attack, identification of what confidential data exists within a firm, and where it is located, is the first step to any cyber-risk evaluation and resulting plan. Constant monitoring of this information and access points to this data, either remotely or by third-party vendors, is also essential to the continuing success of any cyber-risk plan.

Employees are typically where most data breaches begin. In the security world, a firm is only as strong as its weakest link, which is usually an employee who inadvertently opens malware or a suspicious attachment; statistically, 60 percent of security events are caused by such an inside attack.[2] Illustrating the susceptibility of firms to inside attacks of this nature, recent data reflects that a surprising 61 percent of users with access to a company computer use the same login credentials on other noncompany social media websites, such as Facebook, Twitter, and LinkedIn, which makes hacking of such identification credentials much easier to accomplish.[3] Additionally, many firm employees will utilize public Wi-Fi signals when transmitting information electronically, unaware of the risk of third-party monitoring via public Internet connections. Thus, to ensure data confidentiality, many employees will require relevant training and continuing education regarding proper protection of personal identification information, which includes institution of a complex password policy at a bare minimum. Indeed, in most circumstances, firms should consider creating a broader social media policy governing all employees, to prevent sensitive information from being disclosed either voluntarily or involuntarily.

Further, while the risks of cyber-attack are clearly considerable, concerns regarding these risks are heightened by the fact that a single breach of secure information could damage a law firm’s reputation beyond repair. In the highly competitive legal environment, law firms are, therefore, often hesitant to publicly acknowledge security breach information for fear of damaging their reputation. Nevertheless, law firms need to create some clearinghouse or other mechanism to share vital security information for the benefit of the legal industry as a whole. Some firms have already begun this effort; earlier this year, The American Lawyer reported that at least five AmLaw 100 and Magic Circle firms were working to form an alliance that would allow them to share information with each other about cyber-threats and vulnerabilities.[4] This type of proactive behavior recognizes that it is not a matter of “if” a law firm will experience cyber-breach, but rather “when.”

To safeguard the interests of their clients while meeting the ethical demands of the modern digital age, lawyers and their law firms need to become proactive about data security and establish a plan to meet not only the needs of their clients, but also the ever expanding needs of a technologically sophisticated legal profession. It is imperative that lawyers recognize their information is vulnerable to cyber-attack, just as any other enterprise, in order to protect their firm, their clients, and their data from falling into the wrong hands, and to ensure whatever ramparts are created will remain effective in the future against the evolving threats to the confidentiality of client data.

1 Erin E. Harrison, Heightened Risk of Cyberattacks Puts Pressure on Law Firms to Bolster Defenses, LegalTech News (Aug. 14, 2015), citing Mandiant, a division of FireEye, Bloomberg BusinessWeek, Mar. 19, 2015.

2 Joseph Marquete, Biggest Cyber Security Threat to Law Firms Is Not What You Think, Accellis Technology Group (Mar. 2, 2015), http://accellis.com/biggest-cyber-security-threat-to-law-firms-is-not-what-you-think/.

3 See id.

4 Erin E. Harrison, Heightened Risk of Cyberattacks Puts Pressure on Law Firms to Bolster Defenses, LegalTech News (Aug. 14, 2015).

Renée E. Thompson is a partner at the law firm of Mateer & Harbert, P.A., practicing in its Ocala office in the areas of complex business litigation and equine law, and is a certified civil mediator. She currently serves as the Fifth Circuit representative on The Florida Bar Board of Governors, serving on three of the Bar’s technology committees, and chairs the Bar’s Communication and Annual Convention committees.