Cyberattacks are on the rise. In 2017, several high-profile cyberattacks occurred involving companies such as Yahoo, Uber, and Equifax (Isaacson, 2017). While every industry is at risk of a cyberattack, law firms are attractive targets because they hold concentrated, sensitive client information. "Cybersecurity is evolving. This is more than just a technology issue or an added clause in the retainer agreement–it's the biggest risk that law firms face in 2017" (Sobowale, 2017). However, many law firms struggle to manage cybersecurity. While preparing for cyberattacks is expensive and often difficult, cybersecurity is a major issue law firms must address as more clients, as well as the government, demand improved security measures.
Obstacles Involved in Developing a Cybersecurity Plan
Historically, law firms have had weak defenses against cyberattacks, including a lack of employee training. A cyberattack could be detrimental to a firm's future: beyond the direct financial impact, a poorly handled incident can ruin the firm's reputation. Despite this, many law firms are not prepared for such an attack. Cost and limited resources may be preventing some firms from putting a cybersecurity plan in place. Updating software can impose high costs that cannot be passed on to clients, and a firm may have limited staff and no internal IT department to handle cybersecurity. Despite these obstacles, a cybersecurity plan is crucial to a firm's long-term success.
Types of Risk
Attackers craft sophisticated phishing emails. They typically target selected individuals in a firm and often make the message appear to come from another employee, for example by spoofing the sender address or putting a colleague's name in the display name of an external address. An employee without proper cybersecurity training may open an attachment that carries malware. Once inside the network, the malware is designed to stay undetected while it gathers and stores information. If the firm lacks adequate controls, the result can be theft of both the firm's and its clients' data.
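The impersonation pattern above can be triaged mechanically before a message reaches the recipient. The following script is an added example and not code from the article or any of its sources: it parses raw messages with Python's standard `email` library and flags a known employee's display name on an address that is not that employee's, a Reply-To that would route answers to a different domain, an internal From address whose Return-Path came from outside, and attachments of types commonly used to carry malware. The firm directory, the domains, and both sample messages are constructed for the example.

```python
"""Triage checks for internal-sender impersonation in phishing email.

Added example; the firm directory, domains and sample messages below are
constructed and hypothetical, so the script runs offline.
"""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical firm directory: display name -> the address that person really uses.
FIRM_DOMAIN = "example-lawfirm.test"
DIRECTORY = {
    "Jane Partner": "jane.partner@example-lawfirm.test",
    "Tom Associate": "tom.associate@example-lawfirm.test",
}

# Attachment types routinely abused to deliver malware or macro droppers.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso",
                    ".docm", ".xlsm", ".pptm", ".zip", ".html"}


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw: str) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Display name of a real employee, but not that employee's address.
    expected = DIRECTORY.get(name.strip())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")

    # 2. Replies would go to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"reply-to mismatch: From {from_domain}, Reply-To {_domain(reply_to)}")

    # 3. Internal From address, but the envelope sender was external.
    # Return-Path is normally written by the receiving mail server; it is
    # embedded in the constructed samples here.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if from_domain == FIRM_DOMAIN and return_path and _domain(return_path) != FIRM_DOMAIN:
        findings.append(f"envelope mismatch: Return-Path domain {_domain(return_path)}")

    # 4. Attachments of types that commonly carry malware.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if any(filename.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {filename}")
    return findings


# Constructed sample: look-alike domain, external Reply-To, zip attachment.
PHISH = """\
Return-Path: <bounce@mail-relay.invalid>
From: Jane Partner <jane.partner@example-lawfirm-billing.test>
Reply-To: jane.partner.legal@freemail.test
To: tom.associate@example-lawfirm.test
Subject: Urgent: revised settlement docs
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Tom, please review the attached before the 3pm call.
--b1
Content-Type: application/zip; name="settlement_docs.zip"
Content-Disposition: attachment; filename="settlement_docs.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: genuine internal mail, nothing to flag.
LEGIT = """\
Return-Path: <jane.partner@example-lawfirm.test>
From: Jane Partner <jane.partner@example-lawfirm.test>
To: tom.associate@example-lawfirm.test
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain

Lunch at noon?
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, analyze(sample) or ["no findings"])
```

These header checks are a first filter, not a verdict: a production mail gateway would also consult the Authentication-Results header (SPF, DKIM, DMARC) and inspect attachment content rather than trusting the file extension, and the directory lookup should be fed from the firm's actual user directory rather than a literal.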
Not all cyberattacks come from outside. Data can leak in several ways. An employee who loses an unencrypted laptop or mobile device can expose the firm to a data breach; with full-disk encryption and a strong passcode, a lost device is a hardware loss rather than a disclosure. Downloading unapproved software or visiting insecure websites can also infect the firm's systems.
What Law Firms Can Do
Pressure from clients to upgrade cybersecurity measures has left law firms slightly better prepared for a cyberattack (Isaacson, 2017). Client demand, however, is not the only factor driving the need for better security. Nearly every state has ethical rules on protecting client information, and on top of those there are statutory, regulatory, and contractual requirements law firms must meet. Attorneys could even risk losing their licenses if they have no cybersecurity plan in place and their clients' data is stolen (Hood, 2018).
Create an Incident Response Plan
"Planning for a data breach may seem less fun than preparing for a serious traffic collision, but it comes with benefits that include knowledge, prevention and better response. Contemplating the consequences of a serious cybercrime allows us to properly allocate time and money toward avoiding it" (Bandler, 2018).
Many resources are available to help law firms with their plan, from industry standards and guidelines provided by the Department of Justice to guidance from the American Bar Association. Firms may also rely on outside specialists to assess their systems. Risk assessments and testing of systems should be performed so that the firm understands its risks and vulnerabilities, including how and where its data is stored and who has access to sensitive information. Once the risks are identified, the firm should form a plan detailing how it will respond to an attack.
Each firm and situation is unique, so each firm's response plan will differ. Whatever the plan, it should be exercised periodically and kept up to date.
Employees are typically the first line of defense against cyberattacks. The actions they take, or fail to take, can make the difference between avoiding an attack and becoming a victim. All employees therefore need proper cybersecurity education. "Law firms may want to begin approaching cybersecurity education as an opportunity to make each user a willing and enthusiastic protector of the firm's confidential information" (Burton, 2014). Employees need to understand not only what information they are protecting but why. Employees who understand the reasoning and importance of cybersecurity are more likely to play an active role in the firm's cybersecurity plan.
Cyber insurance can help offset the costs of a cyberattack and recovery. A firm that decides to purchase cyber insurance should check a few items: whether the risks are correctly identified, whether the amount of coverage is appropriate, and what conditions the policy imposes (Isaacson, 2017). The firm should also consider requiring third-party vendors to carry cyber insurance. Vendors are increasingly being held to the same security measures as the firms they serve, and every vendor the firm does business with should have an incident response plan that sets out its roles and duties when a breach occurs.
Recovering from a Cyberattack
Once it has been determined that a law firm is the victim of a cyberattack, several actions need to take place. The first is to contain the affected devices, which may mean disconnecting them from the internet and from the firm's network. Isolating a machine rather than powering it off or wiping it preserves the evidence the investigation will need to establish what was accessed and how.
Attorneys have an ethical and legal duty to keep their clients' sensitive information safe. Failing to prepare for a cyberattack will hurt a firm financially and reputationally and could shut it down entirely. Law firms need to recognize that cybersecurity is not only the responsibility of the IT department; it should be an organization-wide effort. Law firms that have a solid cybersecurity plan in place have the potential to set themselves apart in the industry while protecting their clients as well as themselves.
- Bandler, J. (2018, July). Prepare for and plan against a cyberattack. Retrieved from http://www.abajournal.com/magazine/article/prepare_plan_against_cyberattack/P1
- Burton, J. M. (2014, September 15). 4 Steps to Getting Serious About Law Firm Cybersecurity. Retrieved from https://www.lawpracticetoday.org/article/4-steps-getting-serious-law-firm-cybersecurity/
- Hood, V. (2018, July 17). Law Firms and Cyber Attacks – What’s a Law Firm to Do? Part One. Retrieved from https://www.natlawreview.com/article/law-firms-and-cyber-attacks-what-s-law-firm-to-do-part-one
- Hood, V. (2018, August 2). Law Firms and Cyber Attacks – What’s a Law Firm to Do? Part Two. Retrieved from https://www.natlawreview.com/article/law-firms-and-cyber-attacks-what-s-law-firm-to-do-part-two
- Isaacson, D. (2017, December 10). The State of Cybersecurity in the Legal Industry: Are Things Improving? Retrieved from https://www.law.com/sites/ali/2017/12/10/the-state-of-cybersecurity-in-the-legal-industry-are-things-improving/
- Sobowale, J. (2017, March). Law firms must manage cybersecurity risks. Retrieved from http://www.abajournal.com/magazine/article/managing_cybersecurity_risk