July 01, 2022 // Isa Jones
Last Updated: July 25, 2022
Law firms have exactly what cyber attackers want – confidential and sensitive data, PII, intellectual property, contract details, trade secrets and important case information – with (typically) little security. Lawyers are bound to the attorney-client privilege, which means they must make every effort to keep all client information confidential. This includes prioritizing cybersecurity, since much confidential client data is held within digital and technological systems.
The ABA released a Formal Opinion stating that “when [not if] a data breach occurs,” lawyers must take reasonable steps to stop and contain the breach, notify clients, and take action to mitigate the risk of a breach happening again.
All this to say, for legal institutions that handle sensitive and confidential client information, managing cyber-risk should be highly prioritized.
The reality is, it’s not.
1. Building Client Trust
The ABA takes attorney-client privilege seriously. Clients are the lifeblood of any business, but for lawyers, their clients trust them not only to defend them in court and within the case but also with their sensitive and private information. If that trust is broken, it could be the end of the case and the client-attorney relationship.
2. Impacting Billable Hours
This might be the biggest implication for lawyers. If a law firm experiences a cyber-attack, it could affect billable hours. When a system experiences downtime and attorneys aren’t able to access their client/case information and systems needed to conduct work, their billable hours will suffer.
3. Avoiding Your Own Legal Battles if a Breach Happens
If a cyber-attack hits a law firm, it risks going to court. Just take a look at the law firm Johnson and Bell. The firm was taken to court because the plaintiff argued their web portal was outdated and vulnerable to a cyber-attack. This just happened because the portal was vulnerable – think of the implications if an attack actually happened.
Several industries have had to make drastic reforms to their security structure based on new risks and the evolving threat landscape, and law firms shouldn’t be any exception.
Critical infrastructure, for example, has had to restructure its cybersecurity practices in response to the threats it has seen, and has even experienced devastating attacks like the Colonial Pipeline cyber-attack. The Strengthening American Cybersecurity Act of 2022 requires that critical infrastructure organizations report cyber-attacks to CISA no later than 72 hours after the attack occurs. The federal government also released an Executive Order with a set of practices mandated for critical infrastructure, recommending best practices like fine-grained access controls, restricted network access, authentication methods and third-party vendor accountability.
Law firms can follow the lead of critical infrastructure organizations by implementing the same best practices and shoring up any security gaps that could lead to damaging, extensive, real-world consequences like system downtime, loss of productivity, or lost revenue.
As with any business, the cyber-threat landscape for law firms has expanded. Just think of all the digital activity that involves sensitive information: sending private and confidential information as email attachments (that may or may not be encrypted and secured), discussing case matters within internal messages, or entering client information into a customer relationship management (CRM) system. Hackers can exploit any of these activities to attack an entire firm. All they need is a digital foothold to access a wealth of confidential and substantial data.
This article originally appeared in Info Security Magazine.