Here are five common misconceptions that may be holding your firm back from taking the necessary steps to properly manage data-breach risks and protect the firm and its clients.
Information security is an IT issue. There are roughly 10 categories of information security best practices and compliance that affect virtually every part of a business, including less-discussed areas such as human resources, physical facilities, vendor risk management and breach response. To be clear, IT has a vitally important role to play in preventing a breach, but if your information security plan does not include all the other best practices, your business is not only out of compliance but also at high risk of suffering a data breach. Cyber risk management is an executive or administrative responsibility, not an IT problem.
Hackers are the biggest threat. According to several recent studies, you have a greater risk of suffering a data breach due to employee error and insider theft than being directly attacked by a hacker. Without a robust employee training program to help keep everyone on their toes, employees can fall for fake emails and phone calls or use their mobile devices insecurely, giving access to your network and data or locking up your systems with ransomware. While hackers are a major threat, they’ll more often use your attorneys and staff to breach your firm and get access to confidential data.
We have a plan in place, so we are prepared. Your information security and compliance plan is only as good as its execution and your ability to keep it current. When was the last time you updated your policies and practices, reviewed your security agreements for vendors and business associates, or updated your employee training program? Data security best practices, client expectations and regulatory requirements are constantly changing. If it’s been a while since you’ve done a formal review and update of your plan, do it now. Make it an annual priority.
It won’t happen to our firm. According to the most recent ABA Data Breach Survey, one in four law firms with more than 100 attorneys have experienced a data breach incident. And if you’re thinking your firm isn’t large enough to fall prey to the statistics, the same survey revealed that one in two firms with fewer than 50 attorneys reported having a cybersecurity or data breach incident. It’s the data that makes law firms attractive targets, not the size. If your firm has highly valuable information such as Social Security numbers, dates of birth, financial- or health care-related records, business transactions or intellectual property, it is a target.
Cybersecurity is too expensive and complicated. It doesn’t have to be. While every firm needs to follow all the necessary industry and regulatory best practices for safeguarding confidential information, a reasonable approach should be taken to assess risks, identify contractual or regulatory requirements, implement appropriate security policies and procedures responsive to those risks, and ensure that security measures are continually updated. What is reasonable to your firm may be different from other firms of different size and scope. To determine what is reasonable and necessary for your firm, you may need to seek outside expertise from a cyber risk management service provider specializing in law firm information security and compliance.
Cyber risk management is an important new responsibility in the business of law. Unfortunately, these common misconceptions are used far too often to justify doing business as usual and hoping for the best. With law firms specifically targeted by cybercriminals, this is not a wise strategy.
Successfully implementing and maintaining a proper information security plan starts from the top down with management commitment and the understanding that data security and privacy is a firm-wide responsibility, not just something you expect IT to handle.
Law firm administrators, directors or chief operating officers are ideally positioned to coordinate this effort and properly manage the firm’s overall information security and compliance plan. Instead of going it alone, firms may consider working with outside cyber risk management providers to identify reasonable and affordable ways to protect the firm and its clients.
ABOUT THE AUTHOR
James Harrison is the Founder and Chief Executive Officer of INVISUS, and has partnered with ALA VIP Partner BreachPro to provide the InfoSafe Certification program to ALA member firms. He is INVISUS’s market strategist and product visionary, responsible for the development of the company’s cybercrime, identity-theft and data-breach prevention and compliance product lineup.