Keep Law Firm Data Protected from Damaging Cyberattacks
Data breaches can damage your law firm’s reputation and lead to costly consequences. Learn about ABA guidance on cybersecurity and how to protect client data.
As cyberattacks on law firms continue to increase, attorneys are smart to heed recent industry guidance on keeping systems and data secure. The ethical obligations lawyers have to keep sensitive client information protected should guide decisions on which technologies are necessary to keep data safe.
What Is the State of Cyberattacks on Law Firms?
According to the American Bar Association’s 2019 cybersecurity report, 26 percent of responding law firms had experienced a security breach, ranging from more severe incidents such as hacking activity and website exploits to more routine events such as lost or stolen laptops. Just as alarming, the ABA data show that 19 percent of respondents did not know whether their firms had experienced an attack.
The impact of those attacks was notable, with respondents indicating the following costs:
- Repair consulting fees (37 percent)
- Downtime and loss of billable hours (35 percent)
- Hardware and software replacement (20 percent)
- File destruction or loss (15 percent)
- Client notification (9 percent)
Thirty-six percent of respondents had dealt with a virus, spyware or malware. Such infections resulted in the following consequences:
- Repair fees (40 percent)
- Downtime or loss of billable hours (32 percent)
- Temporary loss of network access (23 percent) or website access (17 percent)
- Hardware or software replacement (15 percent)
- Loss or destruction of files (14 percent)
With so many potential threats and consequences, your law firm is exposing itself to significant risk if it does not have a cybersecurity strategy in place.
What Are ABA Guidelines on Cybersecurity?
The American Bar Association’s Standing Committee on Ethics and Professional Responsibility in 2018 issued Formal Opinion 483, which expands on earlier guidance regarding attorney responsibility in the event of a cyberattack. As the opinion states, “When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps.”
The key elements of the opinion include:
- Lawyers need to make reasonable efforts to monitor for breaches and to avoid data loss. Failure to do so is an ethical violation
- When lawyers suspect or detect that protected client information has been compromised, they must act promptly to stop the breach, mitigate the damage and restore systems
- Lawyers must determine whether files were accessed and, if so, which ones. Reasonable efforts must be made to determine what happened during a breach, confirm that the breach has been stopped and evaluate which data were accessed or lost
- Lawyers need to maintain confidentiality and the privacy of clients and their data
- Lawyers have to notify clients when there is a significant likelihood that a breach involves client information
- Notifications need to provide clients with the ability to make an informed decision about representation
- Breaches and the records affected must be described fully and accurately
- Lawyers do not have an obligation to inform former clients of a breach, but they must be mindful of contractual obligations that may include a duty to inform in the case of a breach
What Should Law Firms Do to Enhance Cybersecurity?
Your law firm needs a comprehensive approach to cybersecurity that keeps each component of systems and networks protected. Among the solutions to consider:
- A comprehensive cybersecurity assessment, for example by a managed services provider, to identify vulnerabilities
- Staff education on phishing, spam, malware and ransomware, and on how attackers use email and other social engineering techniques to launch attacks
- Multifactor authentication tools to access apps and systems
- Firewalls and other network security tools
- Encryption on client files both when in transit and at rest
- Credential screening for client accounts, such as checking passwords against lists of known-compromised credentials
- Automated anti-spam software
- Password protection for all devices, including firm-issued devices and those supplied by employees, partners, suppliers or others who access networks or systems
- Regulatory and compliance monitoring and reporting
- Document retention policies and management protocols
- Compliance mandates and monitoring for all employees, especially top attorneys and partners