With all the sensitive data law firms store, it’s no surprise that law firm cybersecurity threats are at an all-time high. But while cyberattacks against law firms are not new, the rate of incidence and year-over-year growth is staggering.
By James Harrison, Founder and Chief Executive Officer, INVISUS
In a report by Law360 Pulse, data breaches more than doubled last year for firms with fewer than 50 lawyers. And according to the American Bar Association's (ABA) Cybersecurity Report, 42% of law firms with up to 100 employees have experienced a data breach. The odds are now about one in four that your firm will suffer a cyberattack or data breach in a given year.
Unfortunately, for many firms (particularly smaller ones), cybersecurity is not a top consideration until the firm is the victim of a cyberattack.
Law firms must begin to think differently about cybersecurity. It’s not just an IT problem to be solved; it’s a business and financial risk that must be proactively managed. Having a comprehensive cyber risk management game plan led from the top down is now more important than ever.
WHO’S IN CHARGE?
Virtually all cybersecurity regulations and industry standards require the appointment of a cyber risk manager, chief security officer or data privacy officer — someone in an executive-level position to oversee the implementation and maintenance of the firm’s information security and compliance plan.
Because of their broad operational responsibilities, law firm administrators, directors, chief operating officers or chief information officers are ideally positioned to properly manage this cyber risk management effort for the firm and coordinate among the executive team, IT, human resources, finance, physical facilities and more.
Instead of going it alone, many firms are also working with outside cyber risk management providers to create and maintain a reasonable plan that keeps the firm compliant with the necessary security and privacy requirements.
OBLIGATIONS AND RESPONSIBILITIES FOR LAW FIRMS
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard client information. And increasingly, they also have client contractual and government regulatory obligations to protect confidential data.
1. ABA Resolutions and Model Rules
ABA Resolution 109 encourages all firms to develop, implement and maintain an appropriate cybersecurity program that complies with current best practices and legal obligations. Several ABA Model Rules also direct attention to safeguarding client data: Rule 1.6(c) requires lawyers to make reasonable efforts to prevent unauthorized access to, or disclosure of, client information, and Comment 8 to Rule 1.1 makes keeping abreast of the benefits and risks of relevant technology part of the duty of competence.
Additionally, there are currently three opinions from the ABA (as well as others from state bars) that you should be familiar with, including:
2. Federal and State Laws
Confidential and sensitive information collected by law firms must be protected under various federal cybersecurity laws, such as HIPAA-HITECH for medical and health-related information and the Gramm-Leach-Bliley Act for financial data. While law firms are generally not themselves "covered entities" under these laws, they can be required to adhere to the same standards as a business associate or service provider to clients who are.
Be aware that all 50 states have enacted data breach notification and/or data security laws that require the protection of personal and confidential information. The specifics (what counts as personal information, what safeguards are required and how quickly a breach must be reported) vary from state to state, so a firm with clients or employees in several states may be subject to several of them at once.
3. Client Contractual Requirements
Increasingly, law firms are being required to meet specific industry cybersecurity standards included in client contracts. These requirements are typically based on recognized frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001 and 27002, and SOC 2. Firms that have international clients or handle international consumer data may also be asked to prove compliance with regulations such as the European Union's General Data Protection Regulation (GDPR).
Proof of compliance with these varying regulations and standards can be challenging for firms that do not have a formalized cyber risk management and compliance plan.
TAKE ACTION TO SAFEGUARD YOUR FIRM
Here’s a high-level checklist you can use to assess how your firm is doing to manage cybersecurity and compliance responsibilities:
✓ Management Commitment: An executive or administrator should be appointed as cyber risk and compliance manager.
✓ Cybersecurity Policies and Procedures: Draft a complete set of written policies that define how the firm protects data, trains employees, communicates with clients and responds to incidents.
✓ Risk Assessment: A cyber risk and compliance assessment and report must be conducted, at a minimum, annually.
✓ Technical Safeguards: Enact IT security policies and procedures ranging from antivirus, system patches and email security, to encryption, data backup and multifactor authentication.
✓ Vulnerability Testing: Conduct regular vulnerability scans of the firm's firewalls, servers and website to find known weaknesses and missing patches, and track each finding until it is fixed.
✓ Remote Work Security: Create a plan for cybersecurity and technical support for remote work.
✓ Third-Party Risk Management: Ensure outside service providers and business associates are secure and following minimum required data security standards.
✓ Business Continuity: Draft a plan for data security and availability during an adverse event such as a power outage, natural disaster or ransomware attack.
✓ Cybersecurity Audit Readiness: Formalize a process to prepare and respond to audit requests.
✓ Incident Response: Determine procedures for detecting, containing and recovering from a cybersecurity incident, including who must be notified and when, and how the firm's cyber insurance carrier is engaged.
✓ Reviews and Updates: Review and update all policies and procedures, at a minimum, annually.
Cybersecurity and compliance is not something you "set and forget"; it's an ongoing process that must be maintained, tested and updated. Fortunately, expert guidance and assistance is available. A full outside risk and compliance assessment may take only a couple of hours of your time, and it will quickly identify the critical security and compliance gaps that need to be addressed.
You don’t have to go it alone. Guidance, assistance and oversight from outside experts is available to help take the bulk of this work off your desk in this critical area of the business of law.
For more info on IT disaster preparedness and business continuity planning, check out ALA’s white paper, “Business Resiliency: 7 Steps to Successful Incident Management, Business Continuity and Disaster Recovery Planning.”
About the Author
James Harrison is the Founder and Chief Executive Officer (CEO) of the cyber risk management company INVISUS. As chief strategist and product visionary for INVISUS, he led the development of the company's cybersecurity, identity theft and InfoSafe® data breach compliance and breach response program, which protects law firms, businesses and organizations throughout the United States and internationally. Harrison frequently writes for, speaks to and trains a wide variety of industries and trade groups. As the head of an ALA VIP business partner, Harrison has presented and trained at several national ALA conferences and chapter meetings.