Law firms have exactly what cyber attackers want – confidential and sensitive data, PII, intellectual property, contract details, trade secrets and important case information – with (typically) little security. Lawyers are bound to the attorney-client privilege, which means they must make every effort to keep all client information confidential. This would include prioritizing cybersecurity since much confidential client data is held within digital and technological systems.
The ABA released a Formal Opinion stating that “when [not if] a data breach occurs,” lawyers must take reasonable steps to stop and contain the breach, notify clients, and take action to mitigate the risk of a breach happening again.
All this to say, for legal institutions that handle sensitive and confidential client information, managing cyber-risk should be highly prioritized.
The reality is, it’s not.
Why Law Firms Need Strict Cybersecurity Standards
1. Building Client Trust
The ABA takes attorney-client privilege seriously. Clients are the lifeblood of any business, but for lawyers, their clients trust them not only to defend them in court and within the case but also with their sensitive and private information. If that trust is broken, it could be the end of the case and the client-attorney relationship.
2. Impacting Billable Hours
This might be the biggest implication for lawyers. If a law firm experiences a cyber-attack, it could affect billable hours. When a system experiences downtime and attorneys aren’t able to access their client/case information and systems needed to conduct work, their billable hours will suffer.
3. Avoiding Your Own Legal Battles if a Breach Happens
If a cyber-attack hits a law firm, it risks going to court. Just take a look at the law firm Johnson and Bell. The firm was taken to court because the plaintiff argued its web portal was outdated and vulnerable to a cyber-attack. That suit arose merely because the portal was vulnerable, not because an attack had occurred; think of the implications if an attack actually happened.
Law Firms: Take a Note From Critical Infrastructure
Several industries have had to make drastic reforms to their security structure based on new risks and the evolving threat landscape, and law firms shouldn’t be any exception.
Critical infrastructure, for example, has had to restructure its cybersecurity practices in response to observed threats, and has even experienced devastating attacks like the Colonial Pipeline cyber-attack. The Strengthening American Cybersecurity Act of 2022 requires that critical infrastructure organizations report cyber-attacks to CISA no later than 72 hours after the attack occurs. The federal government also released an Executive Order with a set of practices mandated for critical infrastructure, recommending best practices like fine-grained access controls, restricted network access, authentication methods and third-party vendor accountability.
Law firms can follow the lead of critical infrastructure organizations by implementing some of the same best practices and shoring up any security gaps that could lead to damaging, extensive, real-world consequences like system downtime, loss of productivity or lost revenue.
- Be proactive. Responding reactively to a cyber-attack isn’t a security strategy. Implement proactive measures such as user access monitoring and recording of user sessions so you always know what is happening within your digital environments.
- Streamline your security technology, especially when it comes to your third parties. Law firms use many third parties to handle sensitive information, like contract and documentation software, accounting programs and software that connects attorneys to large, corporate clients. Secure remote access is the key to locking down and protecting the information that third parties are accessing on a daily basis.
- Restrict all access. Anyone who doesn’t need access to certain confidential assets shouldn’t have access to them. Make it a practice to regularly review access permissions to ensure employees have access to only the systems they’re actively using, and revoke any access that’s no longer needed. Also, look at the network, systems and software that hold sensitive data and ensure that only authorized and verified parties have access and no one else.
As for any business, the cyber-threat landscape for law firms has expanded. Just think of all the digital activity that involves sensitive information: sending private and confidential information as email attachments (that may or may not be encrypted and secured), discussing case matters in internal messages, or entering client information into a customer relationship management (CRM) system. Hackers can exploit any of these activities to attack an entire firm. All they need is a digital foothold to reach a wealth of confidential and substantial data.
This article originally appeared in Info Security Magazine.