Every day in the news, it seems, there’s another company that has had a security breach – perhaps sensitive client data, credit card numbers, or personal client records stolen. You may like to think that cybersecurity threats do not affect your law firm. But consider the following scenarios:
- You find that the opposing firm in a litigation matter seems to know your lawyers’ strategy even before they have a chance to implement it. Later, you learn that a financially-stressed employee of your firm downloaded some crucial documents from your server onto a flash drive, and sold the drive to the opposing counsel.
- One morning coming in to work, a member of the firm finds a flash drive labeled “Partner buyout offer – confidential” on the floor outside the entrance. Naturally, this person can’t resist inserting the drive, and this unleashes malware into the system that allows hackers easy access.
These are hypothetical situations, but entirely possible within law firms today. Yet many law firms take few steps to protect themselves from computer fraud. This false sense of security can come from the idea that they don’t have anything like the “Paradise Papers” data that would make them of interest to hackers. They don’t store medical patient records or have vast arrays of customers’ credit card numbers.
But with all the stories of computer security breaches in the news, many clients are starting to ask questions of the entities in their supply chain about their vulnerability and what they are doing about it. This includes asking questions of their law firm. They want to know how your firm is protecting their intellectual property, patents, settlement parameters and other documents. It’s wise for your firm to put steps in place to safeguard client data, document those steps, and have that information ready when clients ask what you are doing to protect their data.
And in fact, law firms do have electronic valuables on their servers that would be a lucrative haul for a hacker. Consider:
- Many law firms hold client funds in trust
- They are highly motivated to maintain their reputation for discretion – so that if they are hit by a ransomware attack, they are more inclined to pay up rather than risk adverse publicity
- They hold working papers describing their legal strategy in litigation, legal agreements made on behalf of clients, and other documents of interest to opposing legal counsel
- They record personal financial data on their members
Electronic and human defenses
Visualize your firm’s defenses as a gate with two halves: one side is the knowledge and alertness of your firm’s people, and the other side is the technical protection put in place by your IT team.
One aspect of the human side involves training, which must be ongoing, about the risks the firm faces – such as to not trust a voice on the other end of the phone, even if you think you know who it is, asking for your password. It’s also important to inform people about the risks that may be involved in the shortcuts they may be taking, such as using a mobile device that does not need a password, or using public Wi-Fi to upload confidential documents.
This information can be sent out as a regular email reminder, through lunch-and-learn sessions, and through training of new hires. There are commercially available online training programs about security, and employees can be required to take such courses regularly, and to be able to pass a test at the end.
The other aspect of the human side consists of instilling a mindset of caution as regards security – such as not allowing an unknown person to “tailgate” through a door that requires a security card to access.
As regards the “technical” half of your firm’s security gate, one thing to keep top of mind is that threats are constantly evolving – due to the powerful lure among hackers of making a “big haul” of lucrative data without having to do much work for it.
Much of your firm’s defense relies on setting the right procedures in place, and then making sure that those procedures are followed. These include setting new passwords for all devices, from the routers in the office to the mobile phones in partners’ suit pockets – no matter how much those partners complain about how much their time is worth and why they don’t need passwords.
This means that the two sides of the security gate work together to form a barrier to keep your firm’s data safe – and that of your clients as well.
Three questions will help you move your firm along the way to a more secure future:
What vulnerabilities do we face? This includes finding out what electronic “treasures” the firm has on its servers, and the source of risk – such as mobile devices, staff who work offsite and must rely on non-secure connections, and any devices that don’t require a password, or for which the password has not been changed from factory settings.
Who can help with this? Talk with your IT staff, but also see if external resources can bring specialized knowledge, up to date on the most recent threats, to bear on your situation
What steps have we taken? To show due diligence to clients and to understand where there may still be gaps, it’s important to document what you have done to protect your firm. This should include the technical aspects as well as the human aspects, including the required training program you have set up.