Compliance is a priority for law firms. And legal software can be a key tool in helping you meet your firm’s compliance requirements.

In this article, we’ll cover major compliance issues that law firms need to monitor and solutions that can reduce your risks.

What online compliance risks does my law firm face?

A primary compliance concern for law firms is staying on top of compliance related to both data and processes: for example, storing firm and client data safely in the cloud, managing online client portals, processing online payments, handling trust accounting issues, and following ethical requirements relating to online advertising and marketing.

In this section, we’ll go over a few major buckets of compliance risks in the digital world that your firm should recognize and address.

Ensuring cloud security

When it comes to storing data, security is the top compliance priority. Law firms must make “reasonable efforts” under ABA Model Rule of Professional Conduct 1.6 to prevent the disclosure of client-related information. That means law firms must understand what client data they store, where they are storing it, and what the potential entry points for data loss and disclosure are. Additional compliance requirements vary depending on the size and type of law that your firm practices, but it’s best practice to review applicable requirements and make sure that your firm’s cloud infrastructure has the robust protections necessary to safeguard your clients’ data.

Choosing a reputable provider of cloud-based legal platforms is the first step in ensuring compliance. The provider should have a proven track record and, ideally, have suffered zero data breaches in the past. Make sure that it offers robust security features like encryption and access control, such as password policies, two-factor authentication, and role-based permissions.

Sharing data in online client portals

Much like the cloud, client portals require firms to pay special attention to how they secure client information. Your law firm should implement strong access controls, such as two-factor authentication and secure file transfer protocols, to prevent unauthorized access to client data. Law firms that use client portals also must comply with the ABA Model Rules of Professional Conduct, which include requirements for maintaining client confidentiality (Rule 1.6), establishing competence (including with technology) (Rule 1.1), and keeping clients informed of matters (Rule 1.4).

Processing client payments online

There are a host of considerations when deciding how to accept online payments from your clients. Clients overwhelmingly prefer to have the ability to pay online and to pay with credit cards. Turning to legal software to do the behind-the-scenes work of processing online payments for your law firm is your best bet.

The right legal technology platform can ensure that all online payments accepted follow the ABA Model Rules, Interest on Lawyers’ Trust Accounts (IOLTA) guidelines, and Payment Card Industry Data Security Standards (PCI DSS). The right legal payment and accounting software will ensure that your legal team does not commingle client trust account funds with the funds they use for operations.

Following rules for online law firm advertising

Law firm websites must meet certain ethical requirements set forth by their state bars. For example, websites shouldn’t advertise a lawyer as an “expert” or as “specialized” in a particular practice area unless they hold a specific qualification permitted by their state. They should also not hold themselves out to be the “best” lawyer to handle a type of matter. Attorneys may also need to include a disclaimer noting that the information on their website should not be considered legal advice. Lawyers should check their state bar’s requirements to ensure compliance. In some states, the bar may require or permit the submission of the law firm’s website content for ethical review.

Additionally, prospective clients want to see that your law firm is capable of handling matters like theirs. One of the best ways to highlight your expertise is through the words of satisfied clients. But there are limits to what you can share online — and you also need to prepare for how to handle a negative review. ABA Model Rule 7.1 requires that all communications about a lawyer and their services must be true and not misleading. Marketing statements, such as testimonials, could be misleading if they set an expectation that a lawyer can obtain the same results as another client without reference to the specific factual and legal circumstances of each client’s case.

Finally, law firms should make sure that their websites meet the requirements of the Americans with Disabilities Act. That means your site’s design and visual and audio content need to be accessible to everyone, including people with disabilities.

A digital marketing company that focuses on helping law firms can help identify and avoid online marketing pitfalls and help you comply with your state bar’s requirements.

What other steps should my firm think about for compliance?

True compliance starts with your people. Your law firm should have a data protection plan (especially when it comes to client data) that outlines steps and safety procedures. It should include policies on who can access client data, how and when they can access it, and how data is retained and backed up. Also, make sure that your attorneys and staff are trained on how to handle sensitive data and best practices for compliance.

Legal software is critical to your law firm’s compliance

Legal software plays a critical role in helping law firms remain compliant with laws and regulations. As touched on throughout this article, the laws related to compliance are plentiful, and navigating those waters yourself is unnecessarily risky.

With advanced legal software, your firm can ensure data security through the cloud, keep client information confidential, and process online payments both quickly and while fulfilling your legal and ethical requirements. By leveraging legal software, your firm will streamline compliance processes, reduce the risk of data breaches and other violations, and ultimately protect your law firm’s reputation.

Almost nine in ten Americans use some form of digital payment. It’s no wonder, then, that law firm clients expect to be able to make payments online. Not only does this make handling bills easier and faster for your clients, but it’s also good for your law firm’s cash flow. Online payments close the gap between the time a client is billed to when that client makes good on payment.

In this article, we’ll cover how your law firm can accept online payments while remaining compliant with applicable law and ethical guidelines. We’ll also note some of the best features to look for in your payment solution software.

Do clients expect online payment options? 

Yes! Clients expect law firms to deliver a memorable client experience, which includes making payments quick and easy by offering a variety of payment options. Clients want the flexibility of making payments via credit cards, e-checks, and digital transfer services like ACH. In fact, a recent study found that 40% of clients would never hire a lawyer who didn’t take credit or debit cards.

This variety of payment options is also good for your firm and its bottom line. By offering several convenient payment methods, law firms incentivize their clients to pay invoices faster and completely. When you expand your firm’s acceptable methods of payment, you’ll likely find that you spend less time waiting for checks in the mail, less time hounding clients for late payments, and more time on billable work.

Is accepting online payments complicated?

Accepting online payments isn’t complicated, but it does require planning and a little help from technology. It’s not inherently risky for your law firm to accept online payment. Nearly every jurisdiction in the United States has given the green light for law firms to accept credit card payments for legal fees and expenses. But, as with all legal fees, your firm must comply with applicable legal requirements and ethical responsibilities.

In broad strokes, your firm must comply with the rules requiring the separation of client and third-party funds from your law firm’s operating funds. What is the best way to do this? Use payment software developed for attorneys with this exact ethical issue in mind. Without it, your firm might not be compliant.

While your law firm accepting online payment isn’t dicey, using a non-legal payment solution is. These software options often fail to properly handle law firm transactions according to the trust accounting principle noted above as well as Interest on Lawyers’ Trust Accounts (IOLTA) guidelines. The result can be noncompliance, which is bad for everyone — including your law firm’s reputation. The right technology ensures that your law firm has separate operating and trust accounts and ensures that processing fees are deducted from your operating account only.

If you set yourself up correctly, your firm will never have to worry about an inadvertent ethics violation and can focus on delivering exceptional client work.

What makes online payments compliant or noncompliant? What can I do in my firm to ensure compliance?

With the various rules and regulations regarding legal payment, fee collection comes with a host of unique considerations, especially when accepting credit card payments. The right legal payment processing platform will do the behind-the-scenes work for your law firm, ensuring that all online payments accepted comply with the ABA Model Rules of Professional Conduct and IOLTA guidelines.

When picking a payment solution, we recommend looking for the following four features to ensure compliance and improve ease of use.

1. Manage multiple trusts/retainers under a single matter

Not only do clients expect to be able to pay online, but they also expect that your firm will manage their multiple trusts and retainers. Rather than falling short of their expectations, with the proper tools, you can easily manage multiple trusts and retainers under one or many matters and even track them at the client level.

By having the power to track both your firm and client finances in one central place, you can keep an eye on money moving in and out of your firm with complete faith in your firm’s compliance.

2. Separate earned revenue and unearned revenue

Under most state laws, law firms must keep earned revenue and unearned revenue separate. The right payment tool recognizes when payment revenue is unearned (that is, applied to a trust replenishment) and when it is earned (applied to a billing entry) and deposits it accordingly.

You need a legal technology platform that can take an invoice payment and split it between two accounts, keeping your firm in compliance, saving your accounting team time, avoiding mistakes, and raising your collection realization rate. Avoid tools that require you to have either a trust account or an operating account and then require a bookkeeper to determine whether and how to apply and move the funds. That’s asking for human error and compliance woes.

3. Easily manage your IOLTA accounts

You need an efficient way to track multiple IOLTA accounts. With a robust legal platform, you can automatically assign accounts for each client trust so that you can track the flow of money, giving you visibility into where your firm and trust money meet at all times.

4. Apply available funds to pay off client bills automatically

Instead of waiting for that check to arrive in the mail, you can sweep through accounts to find matters with accounts receivable balances and available funds. With this information, your firm can quickly create bill payments and then write checks from your IOLTA account to an operating account. This way, you’re always efficiently applying your client’s money (and making them happy).

We’ll state it simply: making your legal website compliant with the requirements of The Americans with Disabilities Act (the ADA) is critical. It’s important for actual accessibility, it’s important for human dignity, and it’s important for legal reasons. You care about your law firm’s clients and potential clients. Ensuring that your law firm’s website is ADA compliant is another way to show that you care.

In this blog, we’ll cover the basics of the ADA and ADA compliance. We’ll also dive into how to make your law firm website accessible and why, above all, accessibility matters and should be strived for. Let’s get moving!

What is the ADA? What is ADA compliance?

The ADA is a federal law enacted in 1990. Its chief aim is to end discrimination based on differing abilities and it requires organizations to provide certain “reasonable accommodations” to folks with disabilities. For the physical world, this means wheelchair-accessible ramps and entryways, elevators, and other equal-access accommodations. For the world of the internet, it means something else, and that meaning is still evolving and changing.

The text of the ADA (even as amended) does not explicitly address website or online compliance. Because of this, it has fallen to the courts to determine how the ADA applies to websites. The courts have looked to Title III of the ADA, which requires that every owner, lessor, or operator of a “place of public accommodation” provide equal access to users who meet the ADA’s standards for disability. Many courts have ruled that commercial websites (like your law firm’s) are “places of public accommodation” and therefore are subject to the requirements of the ADA. Other courts have ruled using different reasoning, but have arrived at the same conclusion: websites must be accessible. The Department of Justice (the DOJ) supports the reading that websites are “places of public accommodation” and thus websites must be ADA compliant.

What this means is that your law firm’s website must achieve certain levels of accessibility as defined under the ADA. We’ll get into the nitty-gritty of accessibility and accommodation under the ADA below, but we also want to note that absent legal enforcement, ensuring that your law firm’s website is accessible is important. It shows clients and prospective clients that you treat everyone with dignity, that your law firm is committed to equity, and that all are welcome. Making your law firm’s website ADA compliant is good for everyone.

What makes a website ADA compliant?

In guidance on web accessibility and the ADA published in 2022, the DOJ states that it requires public accommodations to ensure websites are accessible per the ADA requirement of “general nondiscrimination and effective communication provisions.” The DOJ does not specify any explicit website accessibility standard; however, the DOJ does and has made it clear that Web Content Accessibility Guidelines (WCAG) are helpful guidance for companies to reference when making their own websites ADA compliant. The current golden standard is WCAG 2.0.

What is the WCAG?

Good question! At its most basic, WCAG is a series of guidelines that provide information about website accessibility. The guidelines give website owners clear instructions on how to make their website accessible to folks of all abilities. The WCAG standards have over ten guidelines and those guidelines are organized into four major principles which lay the foundation necessary for anyone to access and use web content.

Let’s get into the details! When thinking about your law firm’s website and the WCAG guidelines, think about the following:

In sum, your law firm has some flexibility in how it complies with the nondiscrimination and accessibility requirements of the ADA. What’s important is ensuring that your law firm’s website offers actual accessibility.

What are some tips for making my legal website ADA compliant?

Achieving ADA compliance for your law firm’s website means taking a step back and looking at what real accessibility looks like. Start by taking stock of your current website and reviewing the WCAG’s guidance. The WCAG guidelines seem complex at first, but when broken down into digestible bits, they are easily implemented. We recommend beginning by considering the following:

Written content. When creating written content for your law firm’s website, think about how that content can be made accessible for folks with disabilities. To help those users who use screen readers or other visual aids, focus on structure and be sure to use proper heading tags—meaning, use the H1 function in lieu of just making the font larger and follow the H1, H2, H3, etc. hierarchy. It’s also just best practice to use bulleted lists, shorter paragraphs, and summary sections for easy scanning. By enhancing readability, you enhance accessibility.

Visual and audio content. Making your legal website accessible means making your design better for everyone. If your content creation and marketing strategies involve video webinars, be sure to include subtitles, provide transcripts, and also provide audio descriptions (e.g., a speech version of a descriptive transcript). Visually impaired users oftentimes use screen readers to engage with online content.

For screen readers to work, the images on your website must have alt text, which is a short text that describes the image. By doing this, you’ll give all users the ability to fully engage with your law firm’s website (and the excellent content you’ve created). Similarly, avoid using charts or graphs that rely solely on color as the differentiator and instead opt for patterns, fills, or borders to communicate. Pay attention to color contrast and font choice on your website, too.

Website design. Website design accessibility means different things, but it all comes down to thoughtfulness and real accessibility. It’s important to evaluate your law firm’s website design and navigation functionality. Keyboard navigation is important for those folks with visual and motor disabilities. People who use screen readers or cannot use a mouse should still be able to access your website, so make sure that users can tab through all navigational elements using keyboard navigation. For example, consider using specific keyboard keys such as Shift+Tab and the Enter key for specific purposes on your website to provide ease of navigation. Be sure that your website’s navigation menu is consistent across all pages!

Form and table labels are also important. Make sure that each form field has a clear label. Additionally, consider adding an accessibility interface to your website, which will allow visitors to adjust your site’s design and user elements to fit their individual needs. You can find an example of what that looks like here by clicking the tab that appears on the right side of the website. By providing an easy option for larger text, contrast, and thoughtful use of colors, you allow everyone to engage with your law firm’s website (and get what makes your firm so unique).

Lastly, for website design, make sure that your call to action (CTA) buttons are accessible. The CTAs featured on your law firm’s website should have an accessible name, which is usually the text on the button itself. We recommend using an aria-label for each CTA to give screen readers the right information.

To ensure real accessibility (and to take some pressure off of your internal team), we highly recommend working with an expert who can help your law firm create a website that is ADA compliant and accessible for all.

How can you avoid legal measures being taken against your law firm’s website?

This one is simple—make sure that your law firm’s website is ADA compliant. If it isn’t, you might find yourself party to a lawsuit. Since 2013, the employment law-focused law firm Seyfarth Shaw has tracked the number of lawsuits filed under the ADA each year. Their data is striking and indicates that more than 11,400 people filed an ADA Title III lawsuit in 2021—a 320 percent increase since 2013. In the year 2020, more than 2,500 lawsuits were filed in federal court claiming online websites were not designed to be accessible to folks with disabilities, in violation of Title III of the ADA. More than 11,400 people filed an ADA website-related lawsuit in 2021, a 320% increase from previous years. This year, hundreds of thousands of business owners will receive demand letters for inaccessible websites. 93% of those demand letters will be settled for $20,000 - $150,000.

What all of this data means is that people are paying attention, and rightfully so. Equal access to the internet is a major concern and is likely to remain that way. So, make sure that your law firm abides by WCAG accessibility standards. We’ll reiterate that you should start by addressing the following (which the DOJ lists as examples of common accessibility barriers):

Getting your law firm’s website in tip-top shape and ADA compliant is the only way to avoid accessibility lawsuits, negative publicity, and most importantly, provide an accessible user experience to everyone. Start by working with the right experts who can help your law firm build an accessible (and interesting) website.

Why is having an accessible lawyer website important?

It’s important because everyone is important. First and foremost is the issue of equal access and human integrity. By designing, maintaining, and updating your law firm’s website to be accessible, you put your money where your mouth is as a lawyer dedicated to justice. You also show prospective and current clients that you pay attention and care.

Second is that, as discussed throughout this article, it’s required by law and enforced by the DOJ. Without an ADA compliant website, your law firm may be subject to a lawsuit and hefty fines (and the accompanying bad publicity).

Last is that it’s just good for business. By having an ADA compliant website, you’ll have more traffic. It’s estimated that nearly a quarter of the U.S. population has a disability. By providing a website and user experience that supports all abilities, your law firm will be seen by more people and have greater odds of landing leads. This is especially true if your law firm specializes in a practice area that supports those with disabilities. Good business sense dictates that you have an accessible website; and human decency does the same.

Design an ADA-compliant website today

Your law firm’s website should and must be ADA compliant. Getting there is a journey, but we promise you that it’s worth it—both to avoid lawsuits and help as many people as possible.

Before you begin designing or re-vamping your law firm’s website, consider the basics outlined in this article. And, if you have any questions or decide that you’re in over your head, website design experts are ready to assist you.

 

 

 

In this digital age, technology has become essential to the delivery of legal services. Law firms use tech tools for a variety of reasons, including matter management, calendaring, client communications, and billing. While this reliance on technology has helped law firms improve client relations and the provision of services, it has also made the legal industry a common target for cybercriminals looking to steal valuable client data.

This increased risk has become all too apparent over the past few years, as several well-known law firms have been forced to deal with the disruptions of a cyberattack. The methods used by these criminals are becoming increasingly complex, which means that the frequency of law firm hacks will likely increase.

For this reason, law firm leaders and administrators must implement cybersecurity measures to fight this persistent threat. It is an ongoing battle that requires a consistent response.

Ransomware

Ransomware is often the weapon of choice for cybercriminals targeting law firms. With this type of hack, a third party takes control of a firm’s files by encrypting them and denying any access to firm members, unless a requested amount of ransom is paid.

A ransomware attack can leave an entire firm without the ability to work, which immediately decreases revenue. Additionally, the firm may face consequential damages, including:

Phishing

Another common type of cyberattack against law firms involves an email phishing scam, where hackers pose as firm clients or third parties to trick employees into disclosing sensitive data or transferring funds to fraudulent organizations. Attorneys are particularly susceptible to email fraud attempts due to the personal relationships that may have with their clients. A spot-on impersonation may lower a target’s defenses, leading to significant losses.

In one infamous New York case, a law firm was successfully sued for malpractice by a client after hackers impersonated one of the firm’s attorneys to secure a fraudulent $2 million wire transfer. The attackers were able to gain access to the attorney’s AOL email account and analyze previous interactions with the client to successfully carry out the impersonation.

As you likely gleaned from the above, the financial and professional consequences of both ransomware attacks and phishing scams can be detrimental to a law firm, so it is critical to take the necessary steps at your own firm to prevent such an occurrence.

Preventing a Law Firm Cyberattack

Preparation is the only adequate protection against a cyberattack. This starts with understanding the threat and the role that technology plays in reducing it. Attorneys have a duty to not only comprehend the practice law, but also the technology necessary to protect attorney-client privilege and sensitive client data. Most states specifically include this in their rules of ethics because the reluctance of attorneys to introduce technology tools into their law firms increases the chance for a breach.

By refusing to implement tech security measures, attorneys may be found in breach of their professional duty. In addition to ethical consequences, firms also face regulatory enforcement actions from the Federal Trade Commission when client data is not sufficiently protected.

However, there are steps that you can take to strengthen your firm’s protection against security hacks:

Educate Firm Members

Cybercriminals capitalize on limited knowledge and bad habits. Law firms that ignore best practices and utilize weak security systems are essentially opening the door for attackers to access valuable data.

One of the most effective steps a law firm can take is consistently educating and training employees. Human error accounts for a significant number of cyberattacks on businesses. Training sessions should occur on a regular basis to educate employees about their role in preventing breaches. Regular reminders should also be a part of the training plan to ensure that these important duties remain top of mind.

When armed with the right tools, educated employees provide law firms with a strong first line of defense. By acting in a responsible manner, they help close gaps of vulnerability and provide your firm with greater protection.

Perform an Audit

A detailed audit identifies weaknesses before a breach can occur. The first step of an audit should include an inventory assessment to help your firm understand where you stand with respect to technology products utilized.

Technology consists of both hardware and software, as well as data. Hardware includes the maintenance of all computers, servers, laptops, and printers within the firm. Smart devices should also be included with hardware because they are often the vehicle through which attorney-client privilege is breached.

Taking inventory of software products involves a review of all licenses, keys, and passwords. Firms also need to make sure that all software is updated on a regular basis with the most recent versions. Outdated software is more likely to lack sufficient protection against continuously evolving cyberattack techniques.

Data inventory requires the consistent monitoring of what data is stored and how it is maintained. Law firms should consider designating a data administrator who regularly audits the firm’s data for ethical and regulatory compliance.

The second layer of the audit involves answering numerous questions about the firm’s security, such as:

Answering these questions will give law firm leaders and administrators a clear view of where the firm stands with its technology and where it still needs to go.

The services of a security expert can be useful during an audit to ensure that firm networks adequately store firm data. If employing an expert is not an option, a security consultant can also be contracted to assist with the audit.

Establish a Security Plan and Budget

The bottom line: law firms need to craft a security plan and implement it. Basic tools, such as spam filters, anti-spyware, antivirus programs, and network security protocols should be implemented. But your responsibility does not end there.

Many law firms often neglect their first point of contact with the outside world, which is the firm website. When cyber attackers see an outdated website, they may target the law firm under the assumption that their inadequate security measures extend to the entire firm.

Document management is another important component of an effective cybersecurity plan. Law firms maintain countless documents and files that must be handled and stored correctly. A secure document management system prioritizes the protection of files while they are in storage, as well as during transmission. A comprehensive practice management system and email encryption are two tools that law firms can use for successful document management.

A reliable backup system must also be a part of a law firm’s security plan. Cyberattacks can interrupt business in an irreversible way. A backup system helps you get back to work quicker, even in the wake of a disruptive ransomware attack.

Some law firms hire a security consultant that specializes in cybersecurity. Others contract an outside security expert to guide auditing, consulting, and implementation. Firms should include this necessary expense in their annual budgets. Firm leaders and administrators may also consider the cost of purchasing a cyber liability insurance policy for the firm.

Vendors should also be included in law firm security plans. Firms use third-party vendors for a variety of services and products, but they often take for granted that these providers are employing adequate security practices. Firms should review the security certificates of every vendor to ensure that their security protocols are up to par. Law firm vendors need an understanding of the unique importance of protecting law firm data. Their commitment to the protection of client data should match, or exceed, that of the law firm.

Law Firms Must Take Steps to Minimize Cyber Threats

When law firm leaders fail to plan, implement, and enforce strict cybersecurity protocols, they are potentially exposing the firm to costly and damaging attacks. Though it will take some time and money to get adequate plans in place, when done correctly, it is one of the best investments a firm can make to deter fraudsters and keep client data secure.

When law firms are impacted by a cyber attack, they must take immediate steps to address the data breach and minimize its impact. While these tasks generally occur in the days following an event, the most effective response requires the existence of an incident response plan before an attack occurs. By contemplating the potential impact of these disruptive events ahead of time and crafting a plan, law firms can be better prepared to respond.

Read on for a checklist of steps that law firm attorneys and administrators alike can take to appropriately respond to a data breach:

Incident Response Plan

According to the ABA’s most recent Legal Technology Survey Report, only about a third of respondents have an incident response plan in place. Yet, the ABA notes that incident response plans are critical to law firm operations, providing firms with a roadmap of steps to take when a data breach occurs. These plans require a significant amount of preparation, but the effort is worth its benefit should a breach occur.

There are numerous models for law firms to follow when crafting their own incident responses, but every plan should include these general provisions:

Stop the Breach and Mitigate

Formal Opinion 483 of the ABA Standing Committee on Ethics and Professional Responsibility states that “when a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.”

Stopping the breach may entail a number of different steps, including:

Once the breach has been stopped, firms need to take “all reasonable efforts” to restore operations and resume client services.

Analyze the Occurrence

Then, firms should next take steps to determine how the data breach occurred, which may require the assistance of a tech expert. Attorneys and administrators should ask probing questions, such as:

The information and evidence gathered can be used to ensure that the current breach has been effectively stopped, while also helping to identify what steps can be taken to prevent future attacks. An analysis of the lost or accessed data also promotes honest and transparent disclosure of the breach to clients and other impacted parties.

Address Vulnerabilities

After the problem has been identified, firms must move quickly to address it. Affected systems need to be secured and vulnerabilities removed. The appropriate tasks depend on the nature of the breach. For example:

Contact Impacted Parties

When identifying impacted parties, firms should analyze the type of data that was compromised. Did the data loss include the last name of a person along with at least the first initial of the first name? Did it include social security numbers or tax ID numbers? Were financial accounts, credit card data, drivers license numbers, or medical information compromised? If any of these details were stolen, then the impacted person or business should be notified.

Under most state ethics rules, attorneys generally have a duty to notify impacted clients of cyber incidents, particularly when the breach compromises confidential information or impairs the law firm’s ability to provide legal services. Though notification to former clients is not specifically addressed in many jurisdictions, law firms may still have a duty to notify them if their data was impacted.

But the duty to inform also extends from general state laws concerning data breaches. For instance, a breach of clients’ personal health records may fall under the Health Breach Notification Rule, which could require notification to the Fair-Trade Commission (FTC) as well as the media. This type of breach may also trigger notification requirements under the Health Insurance Portability and Accountability Act (HIPAA).

Firms need to comply with all federal, state, and local laws in notifying impacted individuals and businesses. States differ in the amount of time given to provide notification, but most typically set a 60-day limitation.

Details typically included within notifications include:

It is also useful for law firm attorneys or administrators to consult with any law enforcement working on the case to ensure that the information provided does not hinder the investigation.

The FTC offers the following advice for businesses when notifying impacted parties:

Following Up

A cybersecurity data breach is not over once the initial disruption is addressed. These incidents have lasting effects and law firms can continuously support impacted parties by taking the following steps:

According to the American Bar Association, 25% of all U.S. law firms have experienced at least one data breach. In other words: the risk to client confidentiality is at an all-time high.

Increased reliance on remote working arrangements, along with ever-evolving cyber threats, has resulted in an extra level of urgency for law firms to protect sensitive client data. Virtual work arrangements create various opportunities for breaches, while cyber attackers constantly seek to hack law firm security measures.

Additionally, law practices have been increasingly subjected to client data breaches caused by user errors and socially engineered attacks involving ransomware. They have been targeted by hackers that view the legal industry as an easy target based on the tendency of law firms to use outdated technologies and easily breached systems. When these breaches occur, sensitive client data can end up in the wrong hands. Clients are forced to deal with the ramifications of their information being used for nefarious reasons, while law firms must contend with potential lawsuits, ethical consequences, damaged reputations, and the loss of profitable business relationships.

The hesitancy of the legal community to embrace innovative technology has added to this vulnerability because most law firms lack both the necessary technology and strategies to deal with looming threats. Even those that have made some efforts often use platforms that are outdated and highly susceptible to data breaches. Threats constantly evolve with greater sophistication. Without a strategy for promoting client confidentiality, law firms leave their client data unprotected.

The Ethics of Confidentiality

Lack of technology is no longer a valid excuse for client data breaches. Changes to the ABA Model Rules speak directly to the importance of technology.

ABA Model Rule 1.1: Competence, Comment [8] states, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.”

In addition, ABA Model Rule 1.6: Confidentiality states, “(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Client data breaches not only lead to financial consequences for law firms, but can also result in detrimental ethical challenges.

Tips for Protecting Client Confidentiality

As law firms work to protect client confidentiality, they can implement strategies to guard against data breaches that originate both internally and externally. The following are some simple, but effective, steps:

Minimize Human Error

The biggest vulnerability faced by any law firm, regardless of size, is employee error. Security experts estimate that more than one-third of business data breaches result from some form of employee negligence, error, or intentional act. These actions typically include phishing scams, loss of hardware, abuse of access privileges, or simple security mistakes. Law firms must identify and address these poor behaviors to effectively lessen opportunities for client data breaches.

An aware and proficient team makes the best weapon against client data breaches. Every member of firm personnel, from partner to receptionist, must understand and respect the vital importance of client confidentiality and protecting client data. Firms should provide mandatory training that promotes the highest levels of awareness and diligence. Without employee involvement, internal vulnerabilities and threats may not be identified, which can ultimately result in employees becoming the channels through which breaches occur.

Encryption

Data encryption provides an effective technology tool for protecting sensitive data. Once encrypted, data becomes indecipherable should it wind up in the wrong hands due to loss or theft. The viewer must utilize the correct encryption key to unscramble the encrypted gibberish back into legible text.

Law firm encryption typically occurs in a couple of ways. Encryption in transit protects data as it is sent electronically within the firm or externally. This is commonly referred to as end-to-end encryption. Encryption at rest refers to the encryption of data that is stored on hard drives, laptops, or mobile devices.

But even with its high level of protection, many law firms fail to use encryption methods. According to some legal ethics experts, ABA Model Rule 1.6 classifies encryption failures as potential breaches of ethical duty should the data warrant special precautions. This risk seemingly requires law firms to evaluate whether each client matter necessitates encryption and take appropriate measures. Failing to do so could result in ethical violations.

Regular System Updates

Tech providers consistently create new strategies for preventing system breaches, but these tactics only work when the systems and software are updated on a regularly scheduled basis. This includes VPN, antivirus, anti-spyware, and spam filters.

Unfortunately, far too many law firms implement new technologies and then fail to keep them fully updated. Without consistent updates, these tools may become vulnerable to ever-changing cyber threats. Outdated systems place client data at risk and may even open law firms up to liability should a breach occur. Law firms need systems in place to ensure that necessary system updates occur.

Scrutinizing Vendors

Third-party law firm vendors can also place client confidentiality at risk if they fail to follow strict security standards. These parties can create a weak link in the chain of client data that they are entrusted with during the course of business.

When choosing to work with a vendor, law firms need to closely evaluate the vendor’s security protocols. They may also include specific security requirements within the controlling contract and ensure that the vendor’s insurance policy adequately covers any breaches that may occur.

Legal tech companies routinely use cloud-based storage for their technologies. When managed correctly, these platforms offer great benefits to legal practices. But without proper security protocols in place, cloud storage becomes extremely vulnerable to cyber-attacks. Therefore, law firms need to ensure that cloud-based service providers maintain their networks with technical competence and top-notch security features.

Document Security is the Tech Tool Every Law Firm Needs for Client Confidentiality

Law firms cannot ignore the role of document safety in the promotion of client confidentiality. With document management systems in place, firms benefit from multi-level security that limits access to reading, deleting, or editing sensitive documents both internally and externally.

These resources can also help firms quickly identify breaches by creating a detailed trail of everything related to a document's life cycle. Firms have access to specific information regarding who made changes and when. They can also review information about document transmission and downloads. These types of security checks protect client confidentiality and provide clients with the assurance that their information is being handled effectively.

The transfer of documents creates the biggest risk of breach. The transmittal of a document to the wrong recipient is a mistake that cannot be undone. If that document contains sensitive or confidential information, the law firm has created a substantial risk should the data be used against the firm or one of its clients. Email is largely considered the fastest and easiest method of sending documents to colleagues and clients, but it is also one of the biggest security risks a law firm can take. This highlights the importance of viable alternatives for sending secure client communications. With tools like client portals and secure document transmission systems, law firms are not forced to rely on risky email transmissions. The credentials of all recipients can be confirmed to ensure client confidentiality and prevent documents from ending up in the wrong hands.

In 2021, whether you realize it or not, you’re a “mobile” lawyer. The digitalization of the world we live in has made the proliferation of cellphones and on-the-go devices an undeniable part of our everyday routine. 

Did you know that as of 4 years ago, nearly 100% of lawyers were using mobile computing tools for at least some aspect of their practice? So now, it isn’t “nearly,” it is a resounding “everybody.” Everyone has a cell phone and everyone uses it both for personal and professional reasons. We are all working in a mobile world these days and the expectation is that we will have access to our information from wherever we are. 

The first time many of us remember seeing a mobile device was in the 1987 action flick, Lethal Weapon. It was this massive square hunk of material connected to this even clunkier receiver that Roger Murtaugh lugged around across LA. Since then, we have seen this evolution from our Nokia candy-bar phones to flip phones and Blackberrys. But now many decades later, 80% of attorneys are using these beautiful slabs of indestructible (so they say) glass called iPhones. We think of these devices as mobile phones that happen to do a few other things on top of making calls and sending texts. But, think about all the things your phone has replaced… we’re talking about email, calendaring, camera, books, TV, games, tickets, GPS the list goes on and on. 

What you should be taking away from this is the fact that these devices are no longer small, single-serving phones. They are an entire personal computer. Our phones have become the primary PC that most of us use on a constant basis. Of course, we have desktops and laptops, but these sleeker and portable devices are one of the first places we go to when we wake up and the last thing we put down at night. There is no other piece of technology that we own that is so pervasive in our lives. 

You may be asking yourself, so what? Isn’t technology supposed to grow and evolve and improve? And obviously, the answer to that is yes, but what hasn’t evolved with the changes in our technology is how we protect the information we interact with. Right now, our mobile devices are still thought of as “phones.” And how we protect and monitor them reflects that. However, we go to much greater lengths to protect our servers and our computers. But think about what we just talked about. Our phones are our computers too, and they must be protected as diligently.

Duty of Competence

A few years ago the ABA President started a Commission where they were tasked with looking at whether or not they should make any changes to the Model Rules of Professional Conduct to address the idea that technology today affects nearly every aspect of our legal work. This includes how we store information, how we communicate with clients, how we conduct discovery, and so on.

The ABA went on further to say that: “In the past, lawyers communicated with clients by telephone, in person, by facsimile, but today, lawyers communicate with clients electronically. Confidential information is stored on mobile devices, including the cloud.” Ultimately, this Commission determined that there needed to be some changes to the Model Rules of Professional Conduct. These changes emphasized that it is part of a lawyer’s general and ethical duty to remain competent in a digital age. 

To be more specific, this change was most reflected in Rule 1.1- The General Duty of Competence. There was no major change to this actual rule, but an addition was made to comment 8. The section opener remained the same: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology..” This means the technology you use to run your practice. Every firm uses technology in its practice. Whether it’s simply Microsoft Word or a billing software, everyone uses something. We hear some firms say that they only care about the states that are relevant to their operations. Currently, 38 states have adopted this revised Duty of Competence. 

Application to Your Daily Practice

So what does this mean when it applies to your daily practice, from a practical level? We typically think of technology competence as protecting our client’s information, but if we dig deeper, we will find that it incorporates these 5 things:

  1. Safeguarding client information and remaining up to date on the various risks and benefits associated with relevant technologies
  2. eDiscovery, including the preservation, review, and production of ESI (This includes social media discovery, which opens a Pandora’s box of ethical issues)
  3. The technology that lawyers use to run their practices (This can include communication and file share technologies, software for document generation, electronic calendaring, and docketing tools. Many of these applications store information in the cloud so this realm includes competence with cloud-based operations)
  4. Understanding the technology used by your clients to design or manufacture products or to offer particular services
  5. The technology used to present information in the courtroom

Let’s dig a little deeper into points 1 and 3…

What does that mean exactly when we say the benefits and risks associated with relevant technologies?

The Benefits 

The benefits of mobile devices are incredible. That is an undisputed statement. We can now get our work done anywhere at any time, and now with the necessity to work remotely, this capability has become even more critical. Speed is also another advantage, we can communicate so much faster with both our internal teams and our clients without missing a beat. And if you’re on a cloud-based practice management system, you can truly access any file, any document, anything about all your matters from wherever you are all from your phone. 

The Risks

The first and most obvious risk with mobile devices is the chance of either misplacing, losing, damaging, or getting it stolen. The question isn’t if this will happen, it is when it will happen. 

It was reported that women are 42% more likely to have their phone stolen while men are 57% more likely to drop their phone in the toilet. And a recent study released from Kensington revealed the costs associated with the loss or theft is far greater than the cost of the device itself, thanks to lost productivity, the loss of intellectual property, data breaches, and legal fees.

Regardless of whether your phone is stolen or lost, there are a lot of associated risks that come with that. But no application on our phones runs as much risk as our email does. Today, we use email to communicate with our clients and colleagues. Today we use email as the primary means to transport files and documents. If someone was able to access your phone, they may not be a hacker, but they know what the mail app looks like. If they are able to open this app, they will have complete and unfettered access to the most confidential and sensitive information that has been entrusted to you. And it isn’t just the messages or communications, it’s the attachments! Even with eDiscovery, a vast number of loose files (word documents, pdf, photos), are attached and sent via email. 

Ultimately, this is the inherent risk involved.

So what can we do? Let’s find out... 

Best Practices to Protect Your Mobile Information

No one expects you to be a mobile security expert. Things happen and the best you can do is be prepared and stay informed of the things you can do. So, with this in mind, when you’re using a mobile device, be aware of these things:

  1. Wifi- Open public wifi networks, as convenient and accessible as they are, pose risks. For one, your data can be accessed by third parties, hackers, or the stranger sitting next to you. It’s also important to note that this person or entity doesn’t have to be physically sitting near you, they could be anywhere in the vicinity to ascertain your data as it flows across the router and across the network. 
  2. GPS- The GPS feature in our phones today is unprecedented. However, there is another setting in your phone called “significant locations,” where you can access a list of all the major cities and places you have been to over the course of a few weeks. This feature is automatically enabled, so it is important you are aware of it so you can disable it if you so choose. If someone gained access to inside your phone, they would be able to quickly find out where you go and for how long.
  3. Phone Updates- It is important to be aware of these updates because oftentimes they contain bug fixes and patches to problems in the older iterations of the software. Keep this in mind with your apps as well, if you let things get too far behind on updates, you risk data breaches and security threats. 
  4. Passwords- The most dangerous thing that people do with their smartphones is that they do not put a password on them. Fortunately, most software now requires you to put a password on your device. If you have a password on your phone, make sure it is a good one. In 2019 alone, “123456” was the most commonly used password, accounting for 23.2 million accounts. Your password is the gatekeeper to everything confidential in your life so don’t take this security step lightly. Tools like 1Password will help you manage and automatically generate lengthy passwords that are then stored in a vault that is protected by a PBKDF2-guarded master password that you create. Don’t sacrifice security for convenience. 
  5. Erase Data- This feature on your phone sounds scary, but hear us out. When you enable this feature, the first thing it does is turn on “data protection.” This is a powerful security mechanism and when it is enabled, it ensures that any files created by an app are automatically encrypted on your phone’s file system. This means that if someone were to come into the possession of your phone and you have a passcode on it, they would not be able to access any data stored on your device, even if they plug it into a computer.
  6. Cloud Backups- Cloud backup enables your organization to send a copy of your cloud data to another location so that if your data is compromised, you can restore the information, ensure business continuity, and defend against devastating IT crises.

The Takeaway

All of these best practices serve to help you protect the information stored on your personal computer (your cellphone). It is important to note that “reasonable efforts” and “reasonable precautions” means reasonableness. Not perfection. You have an obligation to do what you can, stay informed, and mitigate risks. You do not have to be a technology or smartphone expert to practice the above-mentioned best tips. 

Cyber and Data Security

The threat landscape for data security is incredibly vast. Today, law firms have the responsibility and duty of technological competence to ensure that their client's information is safeguarded and monitored.

The sad reality is that law firms are often the center of data attacks because of the type of sensitive information that is being dealt with on a daily basis. Often times, attorneys assume that their email or personal information is safe. This is a mistake.

Maybe unbeknownst to you, your personal information includes clues into larger portals of information that can then be categorized and cataloged for hackers to use to gain access to other sensitive information. 

Crime today has been commercialized, and organized crime groups use tools to professionally infiltrate your information. The hacking industry now runs much deeper than someone sitting in their basement chugging a Mountain Dew, it has evolved into an illegal business that has cost firms and businesses billions of dollars. 

Because of this, clients are no longer just paying for legal services, they are also paying to ensure that their data is protected. Today, class-action lawsuits can be brought against a firm for failure to safeguard and protect their client's information. 

An attorney may be required to take special security precautions to protect against unauthorized disclosure of information or when the nature of the information requires a higher degree of security. So, for example, does everyone at your firm have access to the same information? Is it classified and compartmentalized across the firm? Is the data protected according to its sensitivity?

All of these things should lead you to question, are the measures you’re taking and putting in place strong enough to protect your client’s sensitive information? 

At the end of the day, it's about organizing your information in ways that keep it safe and accessible to those who need it. Do you keep all your client files on one hard drive? Do different clients warrant a different type of security to access their files, are they cleaned up regularly? 

Model Information and Security Controls

The Association of Corporate Counsel (ACC) published model information and security controls that have been adopted almost nationwide as the defacto standard for attorneys to follow. Whether you have an IT team or not, it is your duty and responsibility to understand these measures and be able to act on them.

Let’s go through some of these together:

1. Understand your information

In order to protect your firm’s and your client’s information, you must understand what information you have. You must then classify and organize it, and then thoroughly document what you are going to do to protect it.

2. Review the rights and responsibilities

You’re either doing a good job and following best practices, or you’re not. You need to know what procedures you have or will have in place to secure what needs to be protected.

3. Physical security

Does your office and your third party vendor’s space utilize badges and door codes? If not, this is the easiest thing to quickly implement. You can also go one step further and store data in different access-based locations and create logical controls so people are only accessing the information they are authorized to. 

4. Information disposal

What you do when you’re done with the sensitive information should be reviewed and documented with your clients as well. Are you giving their information back? Are you destroying it? Are you doing both? That needs to be outlined and made clear. 

5. Monitor 

Make sure your people and your vendors are doing what they’re supposed to be doing. Conduct vulnerability assessments, make sure your devices are encrypted, and know if something is open or publicly accessible. Encryption is a very basic security measure that your firm needs to be aware of and implementing (if you’re not already). Your information should be encrypted both at rest and in transit. For example, if you have an encrypted computer that gets stolen, you don’t have to report that because the thief cannot do anything with the information on the device. Yes, you'll be out an expensive piece of equipment, but your data will be secure. That is encryption at rest. Encryption in transit is the protected information that is being sent or received between devices like through email or text. 

The most dangerous people at your firm are the ones who lead your IT team, but they are also the most helpful. This type of trust is a commodity. There must be controls in place to ensure that the work they have done is accurate and secure. If you do not have an IT team, you need to do your due diligence with your cloud provider or your third-party vendor and ensure that they are up to date with the latest security measures and you have records that they are constantly monitoring your information.

6. Insurance

You don’t know what you don’t know. Buy cyber insurance. Only 34% of firms have cyber liability insurance. Take the opportunity to limit your exposure because the cost of a breach will end up being significantly more than the cost to prevent it.

Now that you have all this information in place what do you do? You prove it. Take the time to get an industry certification or a privacy shield and be proactive to show your clients that their highly sensitive information is in good hands.

Third-Party Vendor Cloud, Compliance, and Risk Management 

These five questions you must be asking your vendors!

Third-party vendors constitute a lot of risk. Did you know that 60% of breaches are linked to third-parties? Even today, many firms do not adequately assess these relationships because they feel that their staff is well trained and will assume their vendors are too. 

Let’s look at some numbers here: 

32% of firms do not evaluate third-party vendor security. 

60% of attacks come through third-party vendors. 

And only 34% of firms have cybersecurity insurance. 

So when someone asks? Why do we care? This is why. These figures are staggering. Even though you may have a buttoned-up security system, can you trust the third parties? 

If you’re working with third-party vendors, you need to follow some basic steps to ensure that the work they are doing is not only correct but protected as well. Ask yourself:

As we discussed earlier because third parties are very susceptible to cyberattacks, clients are asking for assurance from their law firms and as a result, many of these firms are seeing an increase in information security and data governance audits coming from their clients. It is becoming more common practice to audit your third parties, both from the client and firm side because the risks of cyber attacks are so high. At the bare minimum, if you’re using a third-party vendor, make sure they are doing at least as good of a job as you are in implementing security controls. Do not assume anything because it is not if you will experience a potential breach, it is when.

What Do I Ask My Third-Party Vendor?

You don’t have to be an IT professional to ensure that your firm and your client's information are safe! If you're using a third-party vendor to store your data, consider asking them these three questions…

1. How are you protecting my information?

This is an open-ended question for which the vendor should immediately answer by showing you their security policy documentation, standards documentation, and instant response plan. If they respond with something along the lines of that information being proprietary, you should raise concern. The best practice in security is always transparency. 

Additionally, when you ask your vendor any questions regarding your data, pay attention to how they answer it, and take note of the amount of detail they give in their response. They should be able to tell you what they are going to do with the data, how long they’re going to keep it, and how the data is classified. 

2. What are you doing with my information?

What infrastructure is your third-party vendor using? Where are they physically located? What class systems are their server hardware and firewalls? Using a third-party vendor is a lot of work because you need to do your homework and make sure that your information is secure. For example, look at their data flow diagrams, this will tell you all the buckets where your encrypted data sit at rest and all the paths they take between those buckets when they’re encrypted in transit. It is important to ask how they encrypt your information and the humans that are physically accessing that data at each point. 

3. Business Continuity Plan  

This is your backup plan! Some firms use Amazon Web Services (AWS) as a hosting vendor. Just last week, their system went down. Not for a few seconds or minutes, but for hours. The reason for this outage was undisclosed (scary!). Because of this, you need to know does your third-party vendor have an off-site disaster recovery location to allow for a quick transition? Ask to see what their uptime has looked like over the course of several years and if they have had a lot of impactful outages. Your job depends on being able to access your stored documentation and files. If you don't have access to what you need, you can't do your job.

Key Takeaways

Using third-party vendors may pose many avoidable risks. It is best practice to consolidate your tech stack and make sure you know exactly where all your data is stored. At all times.

When it comes to IT and your security, you need a strategy. You cannot hope things go your way, or hope a backup can be produced. Your clients expect nothing but excellence from you, you should expect the same from your vendors. 

And if you remember anything from this blog, remember this- If you didn’t document it, it doesn’t exist and if you didn’t test it, it doesn’t work. 

If you're still curious to learn more, check out our blog: Data Security for Law Firms: Everything You Need to Know

2019 was the worst year on record for data breaches, according to at least one research firm. But 2020 already looks poised to eclipse it: data security for law firms and privacy threats have only increased with so many people social distancing and logging into work remotely.

For instance, the World Health Organization recently advised that “hackers and cyber scammers are taking advantage of the coronavirus disease (COVID-19) pandemic by sending fraudulent email and WhatsApp messages that attempt to trick [recipients] into clicking on malicious links or opening attachments.” When users fall for the trap, cybercriminals steal their username and password. Now Zoom bombers are hijacking teleconferences to harass participants and share illicit materials.

Yet there are more than external risks facing us during this pandemic: employees don’t always make the best choices—whether consciously or inadvertently—to protect their data. Often, that’s because they don’t know how to secure their information or because the methods for securing data are cumbersome. But those errors can have devastating consequences. For example, thousands of recorded video calls were (briefly) visible to everyone on the open web. And one healthcare organization jeopardized 344,000 healthcare records because it forgot to wipe the hard drives when the lease on its photocopiers expired—resulting in a civil penalty of $1.2 million.

For lawyers, the consequences of failing to secure data are dire on multiple fronts. Not only might they lose their own data, but they may also lose their clients’ sensitive and confidential information, jeopardizing their attorney-client privilege and violating their ethical duties. These concerns have typically made lawyers loath to let their data out of their sight—or off their in-house servers. But law firms themselves have a poor track record of protecting their data. Perhaps the most notorious law firm breach involved an email hack in 2016 of Panamanian firm Mossack Fonseca, which lost 11.5 million sensitive client records and 2.6 terabytes of data, but other reports suggest that as many as one in four law firms have lost data through breaches.

Now, even for the most cloud-averse law firms, CDC guidance and state mandates have forced their hand. To do any work, lawyers must remotely log in to their firm servers through their laptops and mobile devices. Outside their firm’s cybersecurity infrastructure, firewall, and network security hardware, their data may be more vulnerable than ever. That’s why it’s critical for law firms to understand data security risks and partner with organizations committed to following best practices to protect their data.

Lawyers’ Obligations to Maintain Data Security and Privacy

Multiple rules of the American Bar Association’s Model Rules of Professional Conduct require lawyers to take steps to protect client data. The duty of competence outlined in Model Rule 1.1 requires that lawyers “understand technologies that are being used to deliver legal services to their clients . . . [and] use and maintain those technologies in a manner that will reasonably safeguard property and information that has been entrusted to the lawyer.” Further, Model Rules 5.1 and 5.3 impose the “obligation to safeguard and monitor the security of electronically stored client property and information.”

The ABA Standing Committee on Ethics and Professional Responsibility has taken these obligations further in its formal opinions. It states that lawyers must not only protect client information but also notify clients if their data has been compromised in a data breach.

For example, Formal Opinion 477R requires lawyers to understand how they store client data and how it can be accessed, so that they can “manag[e] the risk of inadvertent or unauthorized disclosure of client-related information.” Lawyers must ensure that they have implemented appropriate safeguards to limit access to client information and supervise third parties that handle client data, confirming that all third parties take measures that satisfy the lawyer’s professional obligations. To fulfill their ethical duties, lawyers should review their vendors’ cybersecurity credentials and audit their security policies and practices. Formal Opinion 483 requires lawyers to monitor for potential breaches and take steps to stop and/or mitigate any breach and to notify clients and former clients of any data compromise.

It is clear that lawyers must safeguard their clients’ data, regardless of whether it is stored on their own systems or elsewhere. But what exactly are they protecting against?

Law Firm Data Security and Data Privacy Risks

Law firms store a veritable treasure trove of data that any cyberpirate would covet:

Because law firms store all of this data for multiple clients, they represent the perfect target for a one-stop data breach—a target that’s made even more alluring because many firms lack the state-of-the-art security that other industries have implemented.

Then there are the risks associated with internal threats: employees or contractors may have access to firm and client data, but should their interests diverge from those of the firm, they may take advantage of an opportunity to seize valuable data for inside trading or other nefarious purposes. Or they may not have ever been trained to identify and avoid potential threats. Or they may simply be careless with their data. It’s hard to detect or forestall risks like these, because these insiders have been—appropriately—granted permission to access sensitive data.

What’s a law firm to do? The firm’s core business is practicing law on behalf of clients—not data security. And, although attorneys are mindful of the need to protect information covered by the attorney-client privilege and work-product doctrine, they aren’t experts in IT security or cybersecurity. So, while they may do their best to follow security rules and comply with their ethical obligations in good faith, there’s always the risk that something will slip through the cracks.

These are some of the reasons that lawyers should consider sending their information to a cloud-based practice management solution. Here is what you need to know to choose the option that offers the best cloud security for law firms.

What Law Firms Should Look for in a Practice Management Solution

Providers of cloud-based services, including law practice management software, typically offer stronger security than most law firms, because their work centers around data and securing that data. This focus means they continually invest in the latest security tools to guard against evolving cyberthreats.

But not all cloud-based service providers are created equal. Law firms should look for the following data privacy and data security attributes when selecting a cloud-based solution for law practice management.

Physical Security Measures

Your cloud provider’s data centers should have comprehensive physical security protocols to prevent unauthorized access. Here are some questions to ask:

Centerbase’s data centers follow industry-standard best practices, including checkpoints, gates, fences, 24/7/365 on-site personnel, badge/photo ID access, biometric access screening, secure cages, and full-building video capture. Only individuals on a screened and preapproved list have physical access to our facilities; they must present a pass card to enter the parking lot and undergo a biometric screening to enter the building. An authorized third party is required to physically unlock the cages where your information is stored.

Certifications

What industry-recognized security certifications do the organization and its data centers have? Some of the most common certifications are ISO/IEC 27001, SSAE 18, and SOC 2. Organizations that meet these standards have established that they have adequate controls to securely host data. Make sure a third party has independently audited any organization that you’re considering for compliance.

Because your law firm is probably storing a range of data in its law practice management solution, you should also ensure that your provider is compliant with the other laws that you’re governed by.

For example, if your law firm works with doctors, hospitals, or other healthcare providers, it is subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HIPAA Security rule and HITECH Act require healthcare organizations and their business associates (those who handle services on behalf of healthcare organizations) to implement administrative, technical, and physical safeguards to shield electronically stored protected health information.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions and those that collect personally identifiable financial information that is not publicly available—such as names, addresses, income, account numbers, payment history, purchase history, balances, and the fact that an individual is a customer or consumer—to protect that information from disclosure. Covered entities are required to develop an information security program with administrative, technical, and physical safeguards, including measures for detecting and preventing attacks and system failures and selecting third-party providers that offer appropriate data protection.

Depending on the data you collect, your law firm may also be subject to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requires entities that collect credit card data to take steps to protect the systems and devices that store that data, including data centers, with physical security measures and other protections.

Centerbase data centers’ compliance with SSAE 18, SOC 1, SOC 2, HIPAA, and PCI DSS v3.2 has been audited by an independent third party.

Disaster Recovery and Business Continuity Plans

What will happen to your data in the event of a cyberattack or other emergency? Any cloud computing provider that your law firm uses should have extensive disaster recovery and business continuity plans that will allow you to resume your business operations after a disaster occurs. Don’t take their word for it; ask to see a copy.

Check to make sure that your provider has at least one secondary data center with real-time backup and processing power equal to that of its main site. The backup facility should be geographically and environmentally diverse from the primary data center to avoid simultaneous disruptive events. Ask about uptime statistics, and make sure each data center is protected by battery backup as well as fire detection and suppression systems. Your best bet is a Tier III or higher data center with redundant and dual-powered servers, which allow for maintenance and cooling without any service disruptions.

At Centerbase, we constantly replicate our main site’s data to our off-site disaster recovery location to allow for a quick transition in the unlikely event of a catastrophe at our main location. We’ve operated servers in our main facility for over 14 years without the need for a single failover. We employ a four-tier data redundancy policy, with three encrypted sets at our primary sites and a fourth set at our disaster recovery sites. We have a system-wide 99.999% uptime with zero data loss. We maintain a Tier III offsite disaster recovery location, fully capable of taking over in the unlikely event of a catastrophe at our main data center locations. All Centerbase databases are continuously backed up and can be restored to any point in time within a 10-minute window.

User Authentication and Authorization

How do users access the data in their law practice management system? What processes does the platform have in place to limit access on a need-to-know basis? Does the system have content-level permissions and information rights management protocols? You should be able to set permissions at multiple levels: user, group, and organization. You should also be able to set access independently at the file and folder levels. Finally, make sure your provider offers a complete audit history so you can track logins and monitor access.

Centerbase’s advanced application-level security settings allow you to set permissions to any data in the system on an individual or group basis, so you can limit access to financial data, billing rates, sensitive documents, and cases. Our system also includes a user-definable change tracking, audit log, and deletion log system. From an easy-to-use dashboard, you can quickly review all user activity, including changes made, and view both the old and new values and any deletions. You can also monitor logins and log users out remotely. Our server also logs and monitors every connection and communication that is made with your system. We store the IP address, the information that is accessed, and the date and time of all interactions, so you know who is using your system at any time.

Infrastructure Security

How does your provider monitor its perimeter security? Has it implemented antivirus scanning technology? Has it configured a firewall to prevent vulnerabilities such as malware and denial of service attacks? Does it have an intrusion detection system that alerts you to network threats in real time and automatically block attacks? Does it protect data at rest and during transfer with encryption?

Centerbase manages our own firewalls and security policies and has over 14 years of incident-free experience. We design our systems to actively refuse connections from high-risk countries known for hacking activity. We continuously monitor our systems for vulnerability and malicious activity to guard against cyberattacks and DOS incidents. We also employ 128-bit SSL encryption for data transfer, storage, and onsite and offsite backup: in other words, we meet the same stringent encryption standards as financial institutions, healthcare providers, and other security-conscious businesses. This ensures that no one will ever have access your firm’s information if they gain physical access to our systems.

Data Ownership

Make sure your service-level agreement with your provider spells out who owns your data: all uploaded data should remain yours. What will happen to your data when the relationship ends? Does your provider have a standard policy to remove data from its servers, archives, and backup devices?

Our clients own all data in our system. When a law firm ends a Centerbase subscription, we make all content available to the firm’s administrator or authorized user. All content associated with the firm’s subscription is irrevocably deleted from the Centerbase platform within 90 days of termination.

Support

What is your provider’s policy on technical support?

Centerbase keeps a close eye on the performance and response time of your system. Offsite monitoring software constantly reviews our infrastructure for failures or issues. We also monitor each client’s website for response time to ensure a high level of performance. Our staff is notified via text and email when issues arise and are on call and available 24/7/365 to make sure your systems are up, running, and available to you.

Conclusion

Law firms considering a cloud-based practice management and billing solution for the first time may feel some trepidation about losing control of their data. However, by ensuring that their service provider has invested in the measures outlined in this article, they may find that their data is even more secure than in the four walls of their firm.

Curious how we set the bar for legal software security? Check it out here!