Insidious foreign hackers are not the only people carrying out dangerous cybercrime. Today’s cyber threats can come from attorneys or staff with full access to a law firm’s systems. Survey data from Code42 released earlier this year revealed that since 2021, there has been a 28% average monthly increase in insider-driven data exposure, loss, leak and theft events. And when personal desperation comes into play, any law firm employee can quickly become a cyber security liability.
The New Hampshire Supreme Court disbarred attorney Justin Nadeau in April following accusations Nadeau destroyed his computer prior to an ethics hearing. According to ABA Journal, Nadeau was also found to have changed metadata to make it seem like he provided conflict letters to a client when borrowing $275,000 from her. Nadeau’s paralegal’s computer and his file server were the sources for disciplinary counsel’s identification of discrepancies.
To most, maintaining a law firm’s data and the integrity of that data is common sense. But when even the most trusted attorney makes a rash or malicious decision, it is crucial that data is properly stored, easy to find and safely secured.
Leveling up your data security defenses
Protecting a firm from cybercrime should be one of leadership’s key concerns. Without an intentional approach to data security, law firms could be risking millions of dollars, potential lawsuits and irreversible reputational damage.
- Establish protocols: Proactive data security measures can help deter hackers and protect sensitive data and its integrity. Depending on its location, a law firm may be required by law or by its insurance requirements to abide by data-related laws such as the California Consumer Privacy Act or the Stop Hacks and Improve Electronic Data Security Act in New York. Law firm leaders should work with insurance professionals who specialize in the legal space and understand cyber risk to establish an effective, compliant data security program.
- Training and cooperation: Once protocols have been established, firm leadership should ensure every employee and vendor is made aware of the requirements and trained to understand them. Employees and third-party vendors can easily fall victim to phishing hacks, for example, but with proper training, they can easily identify suspicious communications or data discrepancies. In Nadeau’s case, proper storage and compliance from fellow employees uncovered his wrongdoing. At minimum, training should take place at the time of hire, annually thereafter and whenever there is a cyber event.
- Insurance: Even with the best data security defenses, a cyber-attack or rogue employee can quickly wreak havoc on a law firm’s data. As such, all law firms should be equipped with cyber insurance that can help pay for investigating a cyber incident, cover lost business revenue, internal and external communications assistance and more.
Whether a law firm’s data is threatened by hackers thousands of miles away or a rogue attorney just down the hallway, data security should be leadership’s top priority. Law firm leaders can take the first step by speaking with knowledgeable insurance professionals who work with law firms to make certain they have adequate cyber insurance and effective data security protocols in place to ensure compliance with their insurance coverage requirements.