Bloomberg Law

INSIGHT: Four Steps Law Firms Should Take to Reduce Cybersecurity Risks

Dec. 16, 2019, 9:00 AM

Law firms are in an especially interesting place vis-à-vis cybersecurity—many are expanding cybersecurity practices to help clients, but at the same time they themselves are attractive targets for cyber criminals.

Many law firms are building and expanding practice areas around cybersecurity as clients look for legal counsel on breach preparedness and response, regulatory requirements, and risk management. But cyber criminals are targeting law firms because they are aggregators of sensitive client information.

Confidential corporate deals, privileged communications, non-public personal information and intellectual property are just some examples of the sensitive information law firms collect every day that are of prime interest to hackers or malicious insiders looking to monetize, blackmail or identify insider trading opportunities.

In addition, like any other organization, law firms are targets for attacks that focus on exposure of employees’ private and personal information. In fact, according to the ABA 2019 Legal Technology Survey Report, 26 percent of respondents said their firm experienced a data breach.

For any firm, a breach can be devastating. For those selling their own expertise in mitigating cyber risk and dealing with breach response, it can be catastrophic. A key point that cannot be overlooked is the concern that a breach may violate the professional and ethical obligations lawyers have to protect privileged client information from unwanted access and disclosure.

While there is no such thing as “hack-proof,” law firms can take steps to reduce the risk of a serious cybersecurity incident.

Know the Score—Conduct Regular Security Audits

Too often, law firms have a poor understanding of the assets they manage and the level of cyber risk they face. As the American Bar Association states, “Information security starts with an inventory and risk assessment to determine what needs to be protected and the threats that it faces.”

Every firm must conduct a security audit, and ask and answer hard questions such as:

  • Does the firm have a data governance plan in place?
  • Can the security team quickly locate and secure privileged data, and sensitive client and firm intellectual property?
  • Can the security team identify, manage and track who has access to sensitive information, and for what purpose?
  • Is your firm’s information secure for employees with mobile and/or BYOD devices?
  • Can you ensure that employees do not use unsecured solutions—like personal email—to do their work?
  • What technology solutions are deployed to protect sensitive information?

Appoint a Dedicated Security Expert

A C-level sponsor is a key requirement for success for almost any project, including cybersecurity.

A dedicated chief information security officer (CISO) with deep security experience will ensure cybersecurity strategy is aligned with the firm’s overall strategy, generate support for the resources needed and provide ongoing direction to cybersecurity efforts.

That said, not every firm needs a large full-time security staff or a dedicated security operations center (SOC). Cybersecurity plans should strike the correct balance between in-house and third-party sources to support planning and execution.

Another impetus for hiring a CISO—your customers may demand it, as 48% of law firms have been subject to a data security audit at the behest of a client during the previous year. And the complexity of audits of outside counsel’s technical competency and systems is increasing with each passing year.

Manage the Risk of Insider Threats

Verizon’s 2019 Data Breach Investigations Report found 34% of all data breaches were caused by insiders. Breaches can result from malicious activity or mistakes such as a misconfigured server or an employee clicking on a phishing email link.

Moreover, insider threats can go undetected for long periods of time, making them expensive to remediate.

Security training and device security can help mitigate these risks. Managing insider threats must also include the implementation of technology solutions to identify and mitigate the risk of malicious activity.

Stopping an authorized user who has both access to systems and information and malicious intent is no easy task, but there are best practices that will reduce the risk of insider attacks, including:

  1. Identity and access management applications that limit user access to only the firm information the user needs to perform a job function are critical.
  2. Endpoint detection applications deployed on all endpoints, particularly those of senior executives, since they most often have access to high-value information.
  3. Leveraging encryption not only at the device level but also for information at rest. By encrypting information at the document level, you can give content owners complete control over who may access it.

It’s a Matter of When, Not If

Having a well-defined incident management and response strategy is critical to ensure your business is prepared when, not if, a breach occurs. Internal teams can partner with external resources to craft response playbooks and implement the necessary technology, middleware and workflow automation to ensure you are prepared when the inevitable incident strikes.

In addition to regular information risk assessments, third-party teams can conduct comprehensive scans of networks and systems to expose any hidden threats. These scans can be done quickly via cloud-based tools without the need for arduous deployments or interruptions to operations.

Threats do not always equal a breach. If a security scan detects a threat, security teams trained in digital forensic incident response can triage and remediate the issue through a complete forensics investigation before data can be stolen, client trust is breached, or the firm’s reputation is impacted.

Retain Client Confidence and Trust

As technology evolves and the threat of data breach continues to rise, law firms are recognizing the importance of operationalizing cybersecurity protocols to protect sensitive client and employee data.

Taking the steps outlined above is now a fundamental business practice of the modern law firm, not only to strengthen and defend the perimeter but to maintain its hard-earned place as a reputable services provider. By implementing these security protocols, law firms can avoid potential disciplinary actions and maintain client confidence and trust.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Andy Teichholz is the global legal industry strategist at OpenText. He is responsible for leading vertical industry marketing activities relating to the entire EIM portfolio across the organization and has over 20 years of experience in the legal industry as a litigator, in-house counsel, consultant, and technology provider.

Hope Swancy-Haslam (CSPO, CEDS) is the senior director of product marketing for OpenText’s security & forensics business unit and is responsible for the oversight/management of product marketing for the OT EnCase and Tableau product lines. She is a member of the Sedona Conference, Working Groups 1 & 6, Duke’s TAR and EDRM Groups, and has been a general advocate of the Texas General Counsel Forum since 2000.