Get a Free Demo
2019 was the worst year on record for data breaches, according to at least one research firm. But 2020 already looks poised to eclipse it: data security for law firms and privacy threats have only increased with so many people social distancing and logging into work remotely.
For instance, the World Health Organization recently advised that “hackers and cyber scammers are taking advantage of the coronavirus disease (COVID-19) pandemic by sending fraudulent email and WhatsApp messages that attempt to trick [recipients] into clicking on malicious links or opening attachments.” When users fall for the trap, cybercriminals steal their username and password. Now Zoom bombers are hijacking teleconferences to harass participants and share illicit materials.
Yet there are more than external risks facing us during this pandemic: employees don’t always make the best choices—whether consciously or inadvertently—to protect their data. Often, that’s because they don’t know how to secure their information or because the methods for securing data are cumbersome. But those errors can have devastating consequences. For example, thousands of recorded video calls were (briefly) visible to everyone on the open web. And one healthcare organization jeopardized 344,000 healthcare records because it forgot to wipe the hard drives when the lease on its photocopiers expired—resulting in a civil penalty of $1.2 million.
For lawyers, the consequences of failing to secure data are dire on multiple fronts. Not only might they lose their own data, but they may also lose their clients’ sensitive and confidential information, jeopardizing their attorney-client privilege and violating their ethical duties. These concerns have typically made lawyers loath to let their data out of their sight—or off their in-house servers. But law firms themselves have a poor track record of protecting their data. Perhaps the most notorious law firm breach involved an email hack in 2016 of Panamanian firm Mossack Fonseca, which lost 11.5 million sensitive client records and 2.6 terabytes of data, but other reports suggest that as many as one in four law firms have lost data through breaches.
Now, even for the most cloud-averse law firms, CDC guidance and state mandates have forced their hand. To do any work, lawyers must remotely log in to their firm servers through their laptops and mobile devices. Outside their firm’s cybersecurity infrastructure, firewall, and network security hardware, their data may be more vulnerable than ever. That’s why it’s critical for law firms to understand data security risks and partner with organizations committed to following best practices to protect their data.
Multiple rules of the American Bar Association’s Model Rules of Professional Conduct require lawyers to take steps to protect client data. The duty of competence outlined in Model Rule 1.1 requires that lawyers “understand technologies that are being used to deliver legal services to their clients . . . [and] use and maintain those technologies in a manner that will reasonably safeguard property and information that has been entrusted to the lawyer.” Further, Model Rules 5.1 and 5.3 impose the “obligation to safeguard and monitor the security of electronically stored client property and information.”
The ABA Standing Committee on Ethics and Professional Responsibility has taken these obligations further in its formal opinions. It states that lawyers must not only protect client information but also notify clients if their data has been compromised in a data breach.
For example, Formal Opinion 477R requires lawyers to understand how they store client data and how it can be accessed, so that they can “manag[e] the risk of inadvertent or unauthorized disclosure of client-related information.” Lawyers must ensure that they have implemented appropriate safeguards to limit access to client information and supervise third parties that handle client data, confirming that all third parties take measures that satisfy the lawyer’s professional obligations. To fulfill their ethical duties, lawyers should review their vendors’ cybersecurity credentials and audit their security policies and practices. Formal Opinion 483 requires lawyers to monitor for potential breaches and take steps to stop and/or mitigate any breach and to notify clients and former clients of any data compromise.
It is clear that lawyers must safeguard their clients’ data, regardless of whether it is stored on their own systems or elsewhere. But what exactly are they protecting against?
Law firms store a veritable treasure trove of data that any cyberpirate would covet:
Because law firms store all of this data for multiple clients, they represent the perfect target for a one-stop data breach—a target that’s made even more alluring because many firms lack the state-of-the-art security that other industries have implemented.
Then there are the risks associated with internal threats: employees or contractors may have access to firm and client data, but should their interests diverge from those of the firm, they may take advantage of an opportunity to seize valuable data for inside trading or other nefarious purposes. Or they may not have ever been trained to identify and avoid potential threats. Or they may simply be careless with their data. It’s hard to detect or forestall risks like these, because these insiders have been—appropriately—granted permission to access sensitive data.
What’s a law firm to do? The firm’s core business is practicing law on behalf of clients—not data security. And, although attorneys are mindful of the need to protect information covered by the attorney-client privilege and work-product doctrine, they aren’t experts in IT security or cybersecurity. So, while they may do their best to follow security rules and comply with their ethical obligations in good faith, there’s always the risk that something will slip through the cracks.
These are some of the reasons that lawyers should consider sending their information to a cloud-based practice management solution. Here is what you need to know to choose the option that offers the best cloud security for law firms.
Providers of cloud-based services, including law practice management software, typically offer stronger security than most law firms, because their work centers around data and securing that data. This focus means they continually invest in the latest security tools to guard against evolving cyberthreats.
But not all cloud-based service providers are created equal. Law firms should look for the following data privacy and data security attributes when selecting a cloud-based solution for law practice management.
Your cloud provider’s data centers should have comprehensive physical security protocols to prevent unauthorized access. Here are some questions to ask:
Centerbase’s data centers follow industry-standard best practices, including checkpoints, gates, fences, 24/7/365 on-site personnel, badge/photo ID access, biometric access screening, secure cages, and full-building video capture. Only individuals on a screened and preapproved list have physical access to our facilities; they must present a pass card to enter the parking lot and undergo a biometric screening to enter the building. An authorized third party is required to physically unlock the cages where your information is stored.
What industry-recognized security certifications do the organization and its data centers have? Some of the most common certifications are ISO/IEC 27001, SSAE 18, and SOC 2. Organizations that meet these standards have established that they have adequate controls to securely host data. Make sure a third party has independently audited any organization that you’re considering for compliance.
Because your law firm is probably storing a range of data in its law practice management solution, you should also ensure that your provider is compliant with the other laws that you’re governed by.
For example, if your law firm works with doctors, hospitals, or other healthcare providers, it is subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HIPAA Security rule and HITECH Act require healthcare organizations and their business associates (those who handle services on behalf of healthcare organizations) to implement administrative, technical, and physical safeguards to shield electronically stored protected health information.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions and those that collect personally identifiable financial information that is not publicly available—such as names, addresses, income, account numbers, payment history, purchase history, balances, and the fact that an individual is a customer or consumer—to protect that information from disclosure. Covered entities are required to develop an information security program with administrative, technical, and physical safeguards, including measures for detecting and preventing attacks and system failures and selecting third-party providers that offer appropriate data protection.
Depending on the data you collect, your law firm may also be subject to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requires entities that collect credit card data to take steps to protect the systems and devices that store that data, including data centers, with physical security measures and other protections.
Centerbase data centers’ compliance with SSAE 18, SOC 1, SOC 2, HIPAA, and PCI DSS v3.2 has been audited by an independent third party.
What will happen to your data in the event of a cyberattack or other emergency? Any cloud computing provider that your law firm uses should have extensive disaster recovery and business continuity plans that will allow you to resume your business operations after a disaster occurs. Don’t take their word for it; ask to see a copy.
Check to make sure that your provider has at least one secondary data center with real-time backup and processing power equal to that of its main site. The backup facility should be geographically and environmentally diverse from the primary data center to avoid simultaneous disruptive events. Ask about uptime statistics, and make sure each data center is protected by battery backup as well as fire detection and suppression systems. Your best bet is a Tier III or higher data center with redundant and dual-powered servers, which allow for maintenance and cooling without any service disruptions.
At Centerbase, we constantly replicate our main site’s data to our off-site disaster recovery location to allow for a quick transition in the unlikely event of a catastrophe at our main location. We’ve operated servers in our main facility for over 14 years without the need for a single failover. We employ a four-tier data redundancy policy, with three encrypted sets at our primary sites and a fourth set at our disaster recovery sites. We have a system-wide 99.999% uptime with zero data loss. We maintain a Tier III offsite disaster recovery location, fully capable of taking over in the unlikely event of a catastrophe at our main data center locations. All Centerbase databases are continuously backed up and can be restored to any point in time within a 10-minute window.
How do users access the data in their law practice management system? What processes does the platform have in place to limit access on a need-to-know basis? Does the system have content-level permissions and information rights management protocols? You should be able to set permissions at multiple levels: user, group, and organization. You should also be able to set access independently at the file and folder levels. Finally, make sure your provider offers a complete audit history so you can track logins and monitor access.
Centerbase’s advanced application-level security settings allow you to set permissions to any data in the system on an individual or group basis, so you can limit access to financial data, billing rates, sensitive documents, and cases. Our system also includes a user-definable change tracking, audit log, and deletion log system. From an easy-to-use dashboard, you can quickly review all user activity, including changes made, and view both the old and new values and any deletions. You can also monitor logins and log users out remotely. Our server also logs and monitors every connection and communication that is made with your system. We store the IP address, the information that is accessed, and the date and time of all interactions, so you know who is using your system at any time.
How does your provider monitor its perimeter security? Has it implemented antivirus scanning technology? Has it configured a firewall to prevent vulnerabilities such as malware and denial of service attacks? Does it have an intrusion detection system that alerts you to network threats in real time and automatically block attacks? Does it protect data at rest and during transfer with encryption?
Centerbase manages our own firewalls and security policies and has over 14 years of incident-free experience. We design our systems to actively refuse connections from high-risk countries known for hacking activity. We continuously monitor our systems for vulnerability and malicious activity to guard against cyberattacks and DOS incidents. We also employ 128-bit SSL encryption for data transfer, storage, and onsite and offsite backup: in other words, we meet the same stringent encryption standards as financial institutions, healthcare providers, and other security-conscious businesses. This ensures that no one will ever have access your firm’s information if they gain physical access to our systems.
Make sure your service-level agreement with your provider spells out who owns your data: all uploaded data should remain yours. What will happen to your data when the relationship ends? Does your provider have a standard policy to remove data from its servers, archives, and backup devices?
Our clients own all data in our system. When a law firm ends a Centerbase subscription, we make all content available to the firm’s administrator or authorized user. All content associated with the firm’s subscription is irrevocably deleted from the Centerbase platform within 90 days of termination.
What is your provider’s policy on technical support?
Centerbase keeps a close eye on the performance and response time of your system. Offsite monitoring software constantly reviews our infrastructure for failures or issues. We also monitor each client’s website for response time to ensure a high level of performance. Our staff is notified via text and email when issues arise and are on call and available 24/7/365 to make sure your systems are up, running, and available to you.
Law firms considering a cloud-based practice management and billing solution for the first time may feel some trepidation about losing control of their data. However, by ensuring that their service provider has invested in the measures outlined in this article, they may find that their data is even more secure than in the four walls of their firm.
Curious how we set the bar for legal software security? Check it out here!
If you’re trying become a partner, this blog is for you. We know you work long and hard hours, but sometimes you’re not always rewarded for it. We have compiled a list of the top 6 reasons your firm will be motivated to promote you to the next level and you need to check them out.
But first, let’s discuss why more attorneys never make it to this senior level.
Attorneys who want to be made partners at large law firms typically quit too soon. Many times, attorneys will quit very close to the finish line within months or even days of becoming a partner. Most people who stick with it have a chance of making it, but most people don’t.
For the most part, the main hurdle to becoming a partner at a major law firm is most often psychological. In general, law firms don’t want to make people partner. If they make people partner, especially in situations where it’s for an equity partnership, it’s going to cost the law firm more money. And when someone is close and gives up before making partner, it gives the existing partners a reason to feel special, it also gives them access to more money.
Generally, law firms will only make you a partner if they have to. However, there are some exceptions to that, such as making contract partners or non-equity partners because law firms can make a lot of money off of non-equity partners.
We know that isn’t necessarily great to hear, but that’s why we have collected all the insights into why firms are actually incentivized to make you a partner, let’s jump in.
The first reason a law firm will make you partner is if you have a lot of business or if your future projections indicate that you will be bringing in a lot of business.
If you have a lot of business and say you’re bringing in $10 million dollars, the firm may only have to pay you $2 million to make you a partner. They may pay you a little bit more, or they may pay you a little less, but think of all the money you’re generating for the firm. So at the end of the day, that law firm can pay you a fraction of what you’re generating and become very profitable, and generally, they will want to make you partner.
There are very few reasons why a firm wouldn’t want to make someone with millions of dollars worth of business a partner. Or someone who looks like they’re going to have a lot of business in the future. If you’re bringing in small amounts of business, but the business you’re bringing is continually increasing, and you’re on an upward trend, they can see someone who is capable of doing that and you will be rewarded.
A second reason a law firm may make you partner is if you’re connected to a powerful partner or a group of powerful partners with a lot of business. If that’s the case, they will most likely make you a partner. It’s very important for associates and counsel to get as close as you can to powerful partners with a lot of business because those are the people who are really supportive of the firm and are driving revenue. So if those partners want you to be a partner and the law firm can do it, they’re going to do it. A lot of times what happens too is if you’re close to a powerful partner and that powerful partner leaves, as a condition of joining the new firm, they may actually demand that they make you partner as well.
The next reason is if you’re connected to a powerful client or group of clients that give a lot of business to the law firm. The law firm will likely make you partner in this case. A lot of times an associate may be tasked with working with a major client and if that client is very enthusiastic about that person and is giving the firm a lot of money, the firm may highly consider making that person a partner. Getting close to a client and doing really good work for that client are always the smartest things you can do, especially if it is a very large client because they without a doubt can influence your career.
Hard work is one of the most common reasons people are made partner at a lot of large law firms. If you’re the hardest working, billing the most hours, setting the pace, and making the firm a lot of money, it will be incredibly difficult for the law firm not to make you partner. In many cases, what will happen if they don’t is it will demotivate all the other associates and staff working hard around them. The thing about billing a lot of hours is not just the fact that you’re billing that time, rather it’s that people are giving you the work and the firm isn’t having to write off your hours. It’s the fact that your clients are enthusiastic about your work and they’re willing to continue giving it to you. If you’re always in the office and billing a lot of hours, you’re going to be a good role model for other attorneys. In this case, if they don’t make you partner it is going to make the law firm look bad.
The fifth reason a law firm may make you partner is if the firm experienced some type of disruption. This disruption could precipitate from unforeseen departures, firings, or retirements, and the firm needs to move into action to keep people around. If people are made partner under those kinds of conditions, they may have already been considering leaving the firm, so the firm made the move to make them a partner to prevent that. When a law firm suffers from departures or other morale issues, remember that it is temporary. If management or the leaders of the firm don’t correct it, they will be left without any attorneys to promote.
Many people will also be made partner because they have some form of expertise or a special skill or other types of connections that the law firm needs. These skills or connections can typically not be found anywhere else. If you have that type of expertise, a firm may want to make you partner. This could be something as such as having a Ph.D. in electrical engineering. For an IP litigator firm, that credential would be incredibly valuable.
Having experience outside of the legal industry can prove to be incredibly valuable. Many times law firms will hire individuals who have unique backgrounds or come from institutions like the government or if you’re well known through your family name or have superior connections within the legal industry. Differentiating yourself is one of the fastest ways to move to the top.
The important thing to understand is that a firm will not make someone a partner unless they have to. If you’re made a partner, it is because you’re giving more to the firm than the firm can offer you in return. Making partner is a sign of not only your worth but the value your firm places in your role there.
