Three Surprising Cybersecurity Mistakes Law Firms Make
Law firms once considered themselves to be immune from cyber attacks. However, this is no longer true. In fact, last year alone, cyber attacks against law firms increased. One report estimated that one in four law firms in America had suffered a significant data breach. In the UK, a recent PwC report states that 62 percent of the UK’s law firms were breached by cyber thieves.
In an industry where confidentiality is of utmost importance, many consumers believe that these numbers are unacceptable. Surely there must be a way to stop the increasing number of attacks against law firms. Though many firms are scrambling to get in front of any new attacks, others believe they are not in any real danger.
Attacks against two well-known law firms in New York have resulted in class action lawsuits. Those affected have sued the firms for not providing better protection to their highly confidential information. When you consider how important a law firm’s reputation is, it’s hard to visualize why so many law firms haven’t implemented stronger security measures to date.
Jay Edelson, the founder of Edelson LLC in Chicago, is handling one of these big class action suits. He states: “We’ve been saying for a long time that law firms are major targets.” He believes that “In certain instances, a breach in and of itself can mean the firm violated ethics or acted negligently.”
All experts agree that the threat of cyber breaches won’t just go away. This is something that every business in America must be prepared to deal with. Just last year, data breaches occurred in a long list of retail establishments, medical offices and hospitals, restaurant chains, cellphone carriers and many others. Though the public expects a certain level of protection from places like Verifone and Saks Fifth Avenue, consumers demand greater protection from their attorneys.
As we move forward, will the past repeat itself? Or will businesses across America finally take the necessary precautions to prevent any further data breaches? For those involved in the legal field, greater protection is essential for their business to survive.
Below, we discuss the three most surprising mistakes that law firms make that increase their chances of a data breach.
Mistake Number One: Small Law Firms Are Not A Target
Smaller law firms, almost without exception, believe that they won’t become a target of cyber thieves. After all, if a firm only has one or two lawyers, why would anyone want to spend the time and money breaking into their files? The answer is simple: Your attorney has a great deal more personal information about you than a retailer might. Not only do they possess all the standard information such as name, address, phone number and social security number, they also possess confidential data.
Your lawyer probably has personal and business financial information. A law firm often has confidential info about your spouse, children and business partners. They most likely have the contents of private emails that you wouldn’t want to be disclosed to anyone. Cyber thieves can use this information in any number of ways.
One major online threat that has recently increased is ransomware. In this scam, cyber thieves lock your data records and refuse to release control until you pay the ransom. Even a small law firm would have a difficult time explaining how all their records and files were just published online for the whole world to view. A cyber breach like this might mean the end of your law firm. Your reputation would be ruined. You might have a hard time even getting hired by other law firms.
No matter the size of your law firm, protecting your clients’ confidential information is of paramount importance.
Mistake Number Two: Standard Cybersecurity Is Not Enough
The second mistake many law firms make is believing that the standard methods of preventing a cybersecurity attack will be sufficient. In some cases, the firm doesn’t want to spend the money to increase its security. In other cases, attorneys believe that firewalls and antivirus programs are good enough to stop thieves. Standard perimeter security technology such as antivirus software and firewalls is only the first step in preventing attacks. Don’t stop there!
Often, cyber attacks come as a result of an uninformed employee clicking on a link in a bogus email. Just one employee who doesn’t understand what’s at stake can open the door for a full cyber breach. Disgruntled employees have been known to purposely steal documents from the firm before leaving. These are just a few of the growing number of ways cyber thieves can get at your confidential documents and ruin your reputation in the legal world.
All law firms, large and small, should employ some type of governance technology. This technology allows certain types of information to be viewed only by those in managerial positions. This one step alone could prevent the leakage of critical data. Lower-paid employees doing menial tasks have no business with open access to the law firm’s confidential records. All sensitive client information should be partitioned off so that only those with an authentic “need-to-know” have access.
Mistake Number Three: Law Firms Forget About Third-Party Vendors
Many companies, including law firms, forget about third-party vendors. All those companies you do business with are a potential gateway that cyber thieves can enter through. In one breach, the resumes of people with top security clearances were left unsecured on an Amazon server for months. This can happen if your law firm (or any business) uses a staffing agency. These agencies often have a substantial amount of personal information about past and present employees. How good is their security? In the future, we will all have to ask ourselves these tough questions.
From the company that performs janitorial services to the one you buy office supplies from, you must consider whether they have sufficient cybersecurity programs to protect their files from intrusion.
The Future of Law Firms and Cyber Theft
These cautionary tales remind us of how costly any data breach can be. Consumers expect banks, government agencies, and law firms to be better protected than, say, a restaurant chain or a retailer. The customer files a law firm handles might include information about a divorce or a paternity issue. They might have information about adulterous affairs. It’s important to think about the damage that could occur if data like this is made public.
It wasn’t that long ago that we learned about the Sony breach of 2014. This breach revealed a massive amount of information including the salaries of Sony executives, private emails from actors, photos of Sony employees and their families, and much more. This breach was not only extremely embarrassing for Sony, but it was also expensive, and it caused distrust between actors, Sony executives, and other employees. It’s still considered one of the worst corporate data breaches in history. Though it should have been a wake-up call for everyone, many companies, including law firms, are still not prepared to deal with cyber breaches.
How to Protect Confidential Data
Remember that firewalls and antivirus programs are only the first steps. Even a small law firm needs the help of security professionals these days. Though it can be expensive, it’s a necessary expense for those who understand what’s at stake. Experts recommend doing your research to make sure you’re dealing with a reputable security company using today’s best technology.
It’s also important to remove older files that no longer need to be online. This should be done on an annual basis. Reduce the data you share with third-party vendors. Share with them only what is absolutely necessary. Never assume that just because you’re spending lots of money on cybersecurity, your measures are effective. It’s a good idea to ask for regular reports from those responsible for providing your law firm’s security. If you don’t have a background in this area, hire someone who does understand the jargon.
Institute a program that effectively monitors the information that employees have on their phones and laptops. In one Texas lawsuit against a law firm, client records were discovered on a laptop in a pawn shop. In another incident, thieves broke into the law firm and stole laptops over the weekend. There is an endless number of ways that cyber thieves can wreak havoc. We must all begin to think about the many ways data can be lost or stolen. We must be more diligent in protecting sensitive documents. Law firms must work with managed IT service providers that serve law firms.