The next major hurdle in client acquisition and retention for law firms will be data security.
According to the American Bar Association’s 2017 Legal Technology Survey, 22 percent of law firms surveyed experienced a data breach. That’s an increase of 14 percent from the prior year.
Clients of all kinds, from large corporations dealing with global financial matters to elderly couples seeking estate planning services, are increasingly demanding that their law firms demonstrate a proactive approach to cyber security and, more specifically, to protecting clients’ data.
Even small law firms hold considerable confidential client information that, if breached, can cause irrevocable harm to the firm’s clients and permanently stain the firm’s reputation. Firms handling corporate matters, merger and acquisition transactions or personal injury cases, as well as patent and intellectual property firms, can be particularly at risk.
The ABA’s Legal Technology Survey found firms with 50 or fewer attorneys were most frequently attacked by hackers, followed by firms with fewer than 100 attorneys and finally by firms of 10 attorneys or fewer. Fortunately, most of these hacking incidents in 2017 resulted in little or no evidence that client data was exposed.
One of the most common approaches for these hackers is to employ spear phishing schemes, designed to have unsuspecting members of the firm or their clients click on seemingly legitimate links within an email to unleash malicious code into the system. According to a survey by the Ponemon Institute, phishing schemes make up 43 percent of attacks on small businesses. That same survey found malware (35 percent), code injection (26 percent) and compromised or stolen equipment (25 percent) are the other means hackers use to breach the security of a small business, or in this case, a law firm.
Ransomware is another major and growing cyber security threat for firms. If hackers are able to gain access to the firm’s network, they can encrypt files and demand a ransom for removing the encryption and returning access to the files. Firms that are subject to ransomware attacks can find themselves completely cut off from client files, billing records and virtually any type of digital resource the firm provides – even email.
Preventative Measures
First and foremost, law firms of every type need a strong and proactive information technology or cyber security policy, as well as the appropriate expertise to drive that policy. This might mean employing an in-house IT department or, at minimum, hiring an outside consultant to conduct a vulnerability analysis with recommendations for redress. This policy should be reviewed and, when necessary, updated every six months.
At a more basic level, law firms need to stay on top of their software. Failing to update software on even a single firm computer can give hackers the means to infiltrate and potentially cripple the entire law firm. Data encryption tools, together with antivirus and virus-scanning software, can help to more rapidly identify potential breaches or malicious software or code installed on firm systems. Training employees on the proper way to update software, cloud-based or otherwise, is critical to ensuring the security of firm and client data alike.
Our firm also recommends encrypted, off-site data backups, as well as physical security measures (i.e., premises alarms, policies regarding non-firm technology, etc.).
Where third-party vendors are concerned, law firms should inquire about and review those companies’ cyber security policies as well as their related liability insurance coverage.
Finally, cyber security training is fast becoming paramount for any organization tasked with the safety of critical information. Ensuring that all members of the firm review and are familiar with all applicable compliance guidelines and regulations is vital. Developing response plans and protocols for potential data breaches – so that everyone from the managing partner to the receptionist knows what steps to take when a breach becomes apparent – will help minimize damage and set the stage for the best possible outcome from any data breach situation. In addition, ensuring that the firm’s professional liability insurance adequately considers the firm’s risk, and provides both the coverage and the tools to mitigate that risk, can mean the difference between a negative event and a business-ending catastrophe.
Systemic Response
However, even law firms that take all of the necessary precautions and plan accordingly can never be 100 percent safe. The threats posed by hackers continue to evolve to meet and exceed barriers put before them by the cyber security industry.
That said, firms that have taken the proper precautions and employed the appropriate professional liability insurance coverage are best positioned to respond effectively.
Properly insured law firms, should they experience a data security breach, will find a team of experts available to them within 24 hours of notification.
These firms, when reporting a cyber security breach, will first be contacted by a breach coach. This trained cyber security expert will conduct a rapid review of the situation and, based on the firm’s existing cyber security plan and policies, deploy additional resources. This typically includes deploying a data breach team to fully review both the breach itself and the firm’s other technology and software systems.
The breach team will assess how the breach occurred, patch the system to prevent further breaches, and conduct a thorough, up-to-date analysis of other areas of the firm’s technology infrastructure to identify any other existing or potential vulnerabilities.
Having appropriate insurance coverage also means the firm will be able to finance and provide credit monitoring and identity theft restoration services, should they be required, to all those affected by the breach. This coverage also provides funds to hire a public relations and/or advertising agency to mitigate any negative publicity that might result.
Practical Reality
No institution, whether a law firm or a Silicon Valley tech company, is impervious to the risks posed by cyber crime. However, the measures described here not only guard proactively against a cyber breach, but also ensure a swift, timely and appropriate response, with resources, should a breach occur.
Most law firms fail to grasp the risk they expose themselves and their clients to by not taking a proactive approach. And too often these same firms don’t realize that their existing professional liability insurance does not cover cyber security issues, or covers only one small aspect of a cyber security breach.
According to IBM’s 2018 Cost of a Data Breach study, the average data breach costs an organization approximately $3.86 million. More serious “mega breaches” can reach well into the hundreds of millions of dollars. That same study estimated that each record impacted by a data breach represents a cost of about $148 to the organization that is hacked. The loss or compromise of thousands or more records could be catastrophic to an average-sized law firm.
Having the right policies, the right training and the right insurance to deploy critical resources on day one of a breach event is rapidly becoming standard operating procedure for businesses of nearly every size. Law firms are no different. A proactive approach to cyber security is the best, and only reasonable, defense against the rising tide of cyber crime.