6 Cybersecurity Strategies Small and Mid-Sized Law Firms Should Implement
Six Cybersecurity and Regulatory Compliance Strategies Small and Mid-Sized Law Firms Should Implement Immediately to Prevent a Dangerous Data Breach
Law firms have historically been privy to the deepest, darkest secrets of the individuals and organizations they represent. Those details are now becoming a significant ethical, regulatory, and reputational liability for most lawyers given the increased focus on data governance, privacy protection, and brand management. In fact, in its highly publicized October 2018 opinion, the American Bar Association emphasized that “Data breaches and cyber threats involving or targeting lawyers and law firms are a major professional responsibility and liability threat facing the legal profession.”
Small and mid-sized law firms are especially vulnerable. The ABA’s 2018 Legal Technology Survey highlighted that 42% of firms with 50-99 lawyers reported a breach. To avoid a range of consequences, such as a short-term disruption or a long-term injury to their reputations, small and mid-sized law firms should implement the following key strategies.
1. Enlist All Employees in the Firm’s Security Strategy
While it is unreasonable to expect every professional within a law firm to know whether the firm has been breached, it is imperative for firms to involve every single employee in their data protection practices. For example, anyone with access to the network should complete various levels of cybersecurity training that address phishing, mobile protocols, password protection, and proper information transfers, among other topics.
Strong cybersecurity hygiene is critical: 40% of law firms that responded to the ABA’s 2018 Legal Technology Survey reported an infection by a virus, spyware, or malware, with firms of 10-49 attorneys experiencing the greatest incidence of this contamination at 57%. Each employee should also know how and when to report a potential problem, as well as the guidelines for handling client directives received in email correspondence.
2. Grant Responsibility for Security to Key Stakeholders
The importance of properly valuing data security is as much of an ethical concern for individual lawyers as it is a business priority for their firms. Practitioners have been formally aware of the importance of understanding the perils and promise of technology since the ABA approved a change to the Model Rules of Professional Conduct over six years ago. It updated the traditional duty to be competent in the practice of law with an understanding of the benefits and risks associated with technology.
Lawyers are now required to consider the likelihood of disclosure of client information and the cost of employing safeguards to prevent it, among other factors. Mid-sized firms in particular must focus on this trend because smaller IT services support teams may not be as familiar with the full array of unique obligations they face. To fuel this effort, they must assign knowledgeable employees with adequate accountability to monitor the firm’s data and privacy issues, with support from external resources for incident response, cybersecurity policy development, and procedure creation, such as the increasingly popular CISO-as-a-Service model.
3. Conduct a Comprehensive Vulnerability Assessment
As law firms continue to represent coveted targets for hackers because they hold highly sensitive material with weaker safeguards to protect it, they should periodically conduct vulnerability assessments to establish and maintain a baseline of their threat landscape. Such an assessment will expose the actual weaknesses that an experienced attacker could leverage to penetrate the system. A CISO-as-a-Service resource may also be able to enhance your risk and cybersecurity assessment efforts, especially since it allows firms to split their investment between leadership and IT infrastructure. It also independently monitors any attacks or breaches that impact your network, as well as your overall approach to information governance.
4. Study Your Outsourced IT Infrastructure and Management
Law firms are not required to have flawless security practices. Rather, they need industry-standard protocols maintained by a minimal level of in-house expertise and infrastructure, supplemented with outside support. While basic support teams focus on straightforward perimeter protection technology, generic anti-virus software, updated security tools, prompt patching and operating system upgrades, and routine backups, they are often not acutely aware of the responsibilities and laws to which your firm is subject. Small and mid-sized law firms in particular should collaborate with organizations that understand the nuances of working with personal health information or restricted financial details and the heightened regulatory requirements associated with each.
5. Hire Specialized Employees and Support Teams
Staff who have specific responsibility for storing and protecting data, and for ensuring that mobile and all personal devices that access your network are either fully protected or prohibited from accessing your system, will create the safest environment and highest level of protection for the firm’s client data. Information security and information technology are very different disciplines. They are often treated the same and may share budgets or personnel, but it is essential for law firms to enlist the appropriate level of expertise for the specific type of problem.
6. Focus on Education
Providing guidance to employees through regular training programs, newsletters, phishing campaigns, and cybersecurity awareness initiatives can materially lower a firm’s risk profile. Beyond basic presentations, educate your staff about the value of adhering to physical security standards and all related policies, the need for using a virtual private network in public, e.g., coffee shops and airports, and the importance of taking specific steps to protect firm hardware and data when traveling overseas, particularly to China or Russia. Given that most security breaches are the result of employee mistakes, focusing on education is an absolute imperative.
Ultimately, the consequences of even a minor security incident could result in material financial losses and undesirable media coverage. Leverage these key strategies to achieve regulatory compliance, enhance client service, and ensure business continuity.
Dan Haurey is the founder of Partners in Regulatory Compliance, which provides an array of cybersecurity services, including policy creation and management, risk assessments, employee training, and cybersecurity consulting and regulatory compliance assistance to law firms in New York, New Jersey, and Connecticut.