Law Firms Services
Preserve Your Firm’s Stellar Reputation Within the Community
“Has my law firm been breached?”
“What can we do to best safeguard our clients’ information?”
“How can we protect ourselves in a practical manner?”
“How do I maintain my firm’s reputation after we have had a data breach?”
Maintain your firm’s stellar reputation
Keep client information safe
Reduce cyber insurance premium costs
Meet client security/document storage requirements
Law Firms Often Do Not Even KNOW When They Have Been Breached
Hackers could steal your data and your clients’ data, and you might not even know it. If most law firms do not know whether they have been breached, the numbers of reported breaches you read below are much lower than the number of actual incidents. According to the 2018 ABA Legal Technology Survey Report, the larger the law firm, the more likely they are to say they “don’t know.”
- 18% of respondents indicated they “don’t know” if they have been breached
- 57% of respondent firms with 100-499 attorneys indicated they didn’t know if they have been breached
- 61% of respondent firms with 500 or more attorneys indicated they didn’t know
Law firms stand to lose a lot when they publicize a cyber breach. Companies and individuals entrust some of their most sensitive information to law firms. They expect the data to remain confidential, as it is one of their most significant assets. News of a security breach can severely damage a firm’s reputation.
Law Firms Are Lucrative Targets for Cybercriminals
Law firms become targets of hackers for several reasons:
- One-stop shopping: If hackers can break into a law firm’s systems, they can access sensitive and valuable data of multiple companies – all the law firm’s clients.
- Law firm servers may hold valuable information, from businesses’ intellectual property to medical records to government secrets. For a cybercriminal, it makes sense to hack where the rewards are worth the trouble.
- Many law firms have not adequately guarded themselves and their clients against cyber-attacks.
- In 2016, the FBI issued a Private Industry Notification to law firms indicating that a cybercrime insider trading ring is targeting “international law firm information used to facilitate business ventures.” According to the FBI, “The scheme involves a hacker compromising the law firm’s computer networks and monitoring them for material, non-public information. This information gained prior to a public announcement is then used by a criminal with international stock market expertise to place bids and generate a monetary profit strategically.”
Attorneys’ Cyber Standard of Care
Lawyers have been required to protect the confidential data of clients for quite some time. What has changed is how law firms must protect their clients in today’s climate of cyber threats. The commentary to Rule 1.1 of the Model Rules of Professional Conduct directs attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” A recent article on the ABA website says: depending on various factors, law firms must “monitor network activity, review IT reports, and perhaps employ a chief information security officer (CISO) in developing, implementing, and maintaining appropriate cybersecurity programs.” Failure to do so could result in legal malpractice claims.
Ethical and Legal Considerations Regarding Cybersecurity
The 2019 ABA TechReport discussed fundamental ethical rules of competency, communication, and confidentiality which underscore the importance of cybersecurity to the profession. Those rules remain very much applicable and should be ingrained into daily practice. In addition, this TechReport noted ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 483 “Lawyers’ Obligations After an Electronic Data Breach or Cyber-attack” (October 17, 2018), which provides that “the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.” The Opinion also states that “As a matter of preparation and best practices… lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.” In addition to ethical obligations of the profession, lawyers and firms are bound as well, of course, to any applicable state and federal laws governing information security and data breach obligations—a point recognized explicitly by Opinion 483. Legislative attention in this area is rampant, as evidenced by the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act enacted by New York in 2019 and the California Consumer Privacy Act (CCPA), which became effective in January 2020.
The Damage Cyber-Attacks Cause Law Firms
Access to client data is only part of the havoc caused by cybercriminals. Of those who reported breaches in the 2020 ABA Legal Technology Survey Report:
- 34% of respondents said cyber-attacks had cost their firms downtime in terms of billable hours
- 11% reported loss or destruction of files
- 27% reported replacement of hardware or software
- 32% reported consulting fees for repair
How Cybercriminals and Hackers Are Attacking Your Law Firm
Ransomware is increasing as a threat to law firms. Hackers encrypt a firm’s data and then demand to be paid in Bitcoin for the decryption key. Any size firm may fall victim to this. Ransomware usually enters a law firm’s systems through phishing.
In a well-known incident in 2017, global law firm DLA Piper, which positions itself as an expert on cybersecurity, was attacked by ransomware called Petya. The firm lost access to its data for a time and had no phones or email for three days. It lost access to old email for a considerably longer time.
Another prominent example includes the widely publicized ransomware attack on the law firm Grubman Shire Meiselas & Sacks, whose clients include numerous high-profile celebrities. Reports indicate the firm has rebuffed demands for payment and faces the threat that confidential client data was to be auctioned off in the summer of 2020.
Malware and Spyware: Hackers sometimes infect law firm computer systems with malware that spies on the law firm. Severe consequences of malware infection include loss of data and loss of data confidentiality.
The 2018 ABA Legal Technology Survey Report showed:
- 40% of respondents reported infections
- 37% reported no infections
- 23% reported they did not know
Reported infections were:
- Highest in firms with 10 to 49 attorneys (48%)
- Lowest in firms of over 500 attorneys (20%)
Cryptojacking is relatively new. Thieves use software to hijack devices such as laptops and cellphones and convert them into cryptocurrency harvesting devices. When new communications technology emerges, it often presents new opportunities to hackers. It is up to the law firm to keep up to date on technology and protect against threats.
Increased Challenges in Obtaining Cyber Liability Insurance
In contrast to the continuing slow adoption of security tools, the 2020 ABA Technology Review report does indicate an increasing number of firms committing to cyber liability insurance policies: 36% of respondents, compared to 33% in 2019, 34% in 2018, and 26% in 2017. Firms ranging in size from 10-49 attorneys are most likely to have cyber liability insurance (40%), followed closely by firms of 100+ attorneys (38%). One notable trend is the increase in the number of smaller firms with such coverage, with firms of 2-9 attorneys (36%) and solo attorneys (33%) up, respectively, from 27% and 19% since 2017. However, insurance companies are becoming more cautious in issuing cyber policies. Just a year ago, clients were only required to fill out a short survey consisting of a couple of questions; now there is an increasing requirement for in-depth assessments of a firm’s security posture before a policy is issued.
Our Services Include:
- Cyber Assessments: We examine all aspects of an organization’s information system, accounting for people, processes, and technology. We let you know the risk profile, help investors develop a risk appetite strategy, and develop a roadmap to move the organization to a better security posture.
- Cyber Planning and Implementation: Our team of technology and investigative experts works with your firm to develop a comprehensive strategy to reduce information security risk. Working with the IT department and existing infrastructure, our solutions are a thoughtful balance between security and operations, using a framework of personnel, processes, and technology.
- Cybersecurity Training Programs: When we help law firms with cybersecurity, we always focus on security awareness for attorneys and other firm employees. Cybersecurity for law firms requires good cyber awareness sessions to be effective.
- Incident Response: Responding to a significant breach is a precarious moment for a law firm. Money, data, and your reputation are at stake. Our team works hand in hand with legal counsel, management, and the IT department to quickly isolate the problem, remediate affected systems, and restore operations while maintaining confidentiality.
- Business Continuity: Our digital forensics team is capable of backing up data of the largest networks, ensuring quick restoration of operations in the event of a cyber-attack or other disasters that affect the company.
- Cyber Liability Insurance: Using our framework-based risk assessment, we work with insurance companies to find the cyber liability coverage that is most appropriate for your firm.