In this digital age, technology has become essential to the delivery of legal services. Law firms use tech tools for a variety of reasons, including matter management, calendaring, client communications, and billing. While this reliance on technology has helped law firms improve client relations and the provision of services, it has also made the legal industry a common target for cybercriminals looking to steal valuable client data.
This increased risk has become all too apparent over the past few years, as several well-known law firms have been forced to deal with the disruptions of a cyberattack. The methods used by these criminals are becoming increasingly complex, which means that the frequency of law firm hacks will likely increase.
For this reason, law firm leaders and administrators must implement cybersecurity measures to fight this persistent threat. It is an ongoing battle that requires a consistent response.
Ransomware is often the weapon of choice for cybercriminals targeting law firms. With this type of hack, a third party takes control of a firm’s files by encrypting them and denying any access to firm members, unless a requested amount of ransom is paid.
A ransomware attack can leave an entire firm without the ability to work, which immediately decreases revenue. Additionally, the firm may face consequential damages, including:
Another common type of cyberattack against law firms involves an email phishing scam, where hackers pose as firm clients or third parties to trick employees into disclosing sensitive data or transferring funds to fraudulent organizations. Attorneys are particularly susceptible to email fraud attempts due to the personal relationships they may have with their clients. A spot-on impersonation may lower a target’s defenses, leading to significant losses.
In one infamous New York case, a law firm was successfully sued for malpractice by a client after hackers impersonated one of the firm’s attorneys to secure a fraudulent $2 million wire transfer. The attackers were able to gain access to the attorney’s AOL email account and analyze previous interactions with the client to successfully carry out the impersonation.
As you likely gleaned from the above, the financial and professional consequences of both ransomware attacks and phishing scams can be detrimental to a law firm, so it is critical to take the necessary steps at your own firm to prevent such an occurrence.
Preparation is the only adequate protection against a cyberattack. This starts with understanding the threat and the role that technology plays in reducing it. Attorneys have a duty to comprehend not only the practice of law, but also the technology necessary to protect attorney-client privilege and sensitive client data. Most states specifically include this in their rules of ethics because the reluctance of attorneys to introduce technology tools into their law firms increases the chance of a breach.
By refusing to implement tech security measures, attorneys may be found in breach of their professional duty. In addition to ethical consequences, firms also face regulatory enforcement actions from the Federal Trade Commission when client data is not sufficiently protected.
However, there are steps that you can take to strengthen your firm’s protection against security hacks:
Cybercriminals capitalize on limited knowledge and bad habits. Law firms that ignore best practices and utilize weak security systems are essentially opening the door for attackers to access valuable data.
One of the most effective steps a law firm can take is consistently educating and training employees. Human error accounts for a significant number of cyberattacks on businesses. Training sessions should occur on a regular basis to educate employees about their role in preventing breaches. Regular reminders should also be a part of the training plan to ensure that these important duties remain top of mind.
When armed with the right tools, educated employees provide law firms with a strong first line of defense. By acting in a responsible manner, they help close gaps of vulnerability and provide your firm with greater protection.
A detailed audit identifies weaknesses before a breach can occur. The first step of an audit should include an inventory assessment to help your firm understand where you stand with respect to technology products utilized.
Technology consists of both hardware and software, as well as data. The hardware inventory covers all computers, servers, laptops, and printers within the firm, along with their maintenance. Smart devices should also be included with hardware because they are often the vehicle through which attorney-client privilege is breached.
Taking inventory of software products involves a review of all licenses, keys, and passwords. Firms also need to make sure that all software is updated on a regular basis with the most recent versions. Outdated software is more likely to lack sufficient protection against continuously evolving cyberattack techniques.
Data inventory requires the consistent monitoring of what data is stored and how it is maintained. Law firms should consider designating a data administrator who regularly audits the firm’s data for ethical and regulatory compliance.
The second layer of the audit involves answering numerous questions about the firm’s security, such as:
Answering these questions will give law firm leaders and administrators a clear view of where the firm stands with its technology and where it still needs to go.
The services of a security expert can be useful during an audit to ensure that firm networks adequately store firm data. If employing an expert is not an option, a security consultant can also be contracted to assist with the audit.
The bottom line: law firms need to craft a security plan and implement it. Basic tools, such as spam filters, anti-spyware, antivirus programs, and network security protocols should be implemented. But your responsibility does not end there.
Many law firms often neglect their first point of contact with the outside world, which is the firm website. When cyber attackers see an outdated website, they may target the law firm under the assumption that their inadequate security measures extend to the entire firm.
Document management is another important component of an effective cybersecurity plan. Law firms maintain countless documents and files that must be handled and stored correctly. A secure document management system prioritizes the protection of files while they are in storage, as well as during transmission. A comprehensive practice management system and email encryption are two tools that law firms can use for successful document management.
A reliable backup system must also be a part of a law firm’s security plan. Cyberattacks can interrupt business in an irreversible way. A backup system helps you get back to work quicker, even in the wake of a disruptive ransomware attack.
Some law firms hire a security consultant that specializes in cybersecurity. Others contract an outside security expert to guide auditing, consulting, and implementation. Firms should include this necessary expense in their annual budgets. Firm leaders and administrators may also consider the cost of purchasing a cyber liability insurance policy for the firm.
Vendors should also be included in law firm security plans. Firms use third-party vendors for a variety of services and products, but they often take for granted that these providers are employing adequate security practices. Firms should review the security certificates of every vendor to ensure that their security protocols are up to par. Law firm vendors need an understanding of the unique importance of protecting law firm data. Their commitment to the protection of client data should match, or exceed, that of the law firm.
When law firm leaders fail to plan, implement, and enforce strict cybersecurity protocols, they are potentially exposing the firm to costly and damaging attacks. Though it will take some time and money to get adequate plans in place, when done correctly, it is one of the best investments a firm can make to deter fraudsters and keep client data secure.
When law firms are impacted by a cyber attack, they must take immediate steps to address the data breach and minimize its impact. While these tasks generally occur in the days following an event, the most effective response requires the existence of an incident response plan before an attack occurs. By contemplating the potential impact of these disruptive events ahead of time and crafting a plan, law firms can be better prepared to respond.
Read on for a checklist of steps that law firm attorneys and administrators alike can take to appropriately respond to a data breach:
According to the ABA’s most recent Legal Technology Survey Report, only about a third of respondents have an incident response plan in place. Yet, the ABA notes that incident response plans are critical to law firm operations, providing firms with a roadmap of steps to take when a data breach occurs. These plans require a significant amount of preparation, but the effort is worth its benefit should a breach occur.
There are numerous models for law firms to follow when crafting their own incident responses, but every plan should include these general provisions:
Formal Opinion 483 of the ABA Standing Committee on Ethics and Professional Responsibility states that “when a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.”
Stopping the breach may entail a number of different steps, including:
Once the breach has been stopped, firms need to take “all reasonable efforts” to restore operations and resume client services.
Next, firms should take steps to determine how the data breach occurred, which may require the assistance of a tech expert. Attorneys and administrators should ask probing questions, such as:
The information and evidence gathered can be used to ensure that the current breach has been effectively stopped, while also helping to identify what steps can be taken to prevent future attacks. An analysis of the lost or accessed data also promotes honest and transparent disclosure of the breach to clients and other impacted parties.
After the problem has been identified, firms must move quickly to address it. Affected systems need to be secured and vulnerabilities removed. The appropriate tasks depend on the nature of the breach. For example:
When identifying impacted parties, firms should analyze the type of data that was compromised. Did the data loss include the last name of a person along with at least the first initial of the first name? Did it include social security numbers or tax ID numbers? Were financial accounts, credit card data, driver’s license numbers, or medical information compromised? If any of these details were stolen, then the impacted person or business should be notified.
Under most state ethics rules, attorneys generally have a duty to notify impacted clients of cyber incidents, particularly when the breach compromises confidential information or impairs the law firm’s ability to provide legal services. Though notification to former clients is not specifically addressed in many jurisdictions, law firms may still have a duty to notify them if their data was impacted.
But the duty to inform also arises under general data breach laws. For instance, a breach of clients’ personal health records may fall under the Health Breach Notification Rule, which could require notification to the Federal Trade Commission (FTC) as well as the media. This type of breach may also trigger notification requirements under the Health Insurance Portability and Accountability Act (HIPAA).
Firms need to comply with all federal, state, and local laws in notifying impacted individuals and businesses. States differ in the amount of time given to provide notification, but most typically set a 60-day limitation.
Details typically included within notifications include:
It is also useful for law firm attorneys or administrators to consult with any law enforcement working on the case to ensure that the information provided does not hinder the investigation.
The FTC offers the following advice for businesses when notifying impacted parties:
A cybersecurity data breach is not over once the initial disruption is addressed. These incidents have lasting effects and law firms can continuously support impacted parties by taking the following steps:
According to the American Bar Association, 25% of all U.S. law firms have experienced at least one data breach. In other words: the risk to client confidentiality is at an all-time high.
Increased reliance on remote working arrangements, along with ever-evolving cyber threats, has resulted in an extra level of urgency for law firms to protect sensitive client data. Virtual work arrangements create various opportunities for breaches, while cyber attackers constantly seek to hack law firm security measures.
Additionally, law practices have been increasingly subjected to client data breaches caused by user errors and socially engineered attacks involving ransomware. They have been targeted by hackers that view the legal industry as an easy target based on the tendency of law firms to use outdated technologies and easily breached systems. When these breaches occur, sensitive client data can end up in the wrong hands. Clients are forced to deal with the ramifications of their information being used for nefarious reasons, while law firms must contend with potential lawsuits, ethical consequences, damaged reputations, and the loss of profitable business relationships.
The hesitancy of the legal community to embrace innovative technology has added to this vulnerability because most law firms lack both the necessary technology and strategies to deal with looming threats. Even those that have made some efforts often use platforms that are outdated and highly susceptible to data breaches. Threats constantly evolve with greater sophistication. Without a strategy for promoting client confidentiality, law firms leave their client data unprotected.
Lack of technology is no longer a valid excuse for client data breaches. Changes to the ABA Model Rules speak directly to the importance of technology.
ABA Model Rule 1.1: Competence, Comment states, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.”
In addition, ABA Model Rule 1.6: Confidentiality states, “(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Client data breaches not only lead to financial consequences for law firms, but can also result in detrimental ethical challenges.
As law firms work to protect client confidentiality, they can implement strategies to guard against data breaches that originate both internally and externally. The following are some simple, but effective, steps:
The biggest vulnerability faced by any law firm, regardless of size, is employee error. Security experts estimate that more than one-third of business data breaches result from some form of employee negligence, error, or intentional act. These actions typically include phishing scams, loss of hardware, abuse of access privileges, or simple security mistakes. Law firms must identify and address these poor behaviors to effectively lessen opportunities for client data breaches.
An aware and proficient team makes the best weapon against client data breaches. Every member of firm personnel, from partner to receptionist, must understand and respect the vital importance of client confidentiality and protecting client data. Firms should provide mandatory training that promotes the highest levels of awareness and diligence. Without employee involvement, internal vulnerabilities and threats may not be identified, which can ultimately result in employees becoming the channels through which breaches occur.
Data encryption provides an effective technology tool for protecting sensitive data. Once encrypted, data becomes indecipherable should it wind up in the wrong hands due to loss or theft. The viewer must utilize the correct encryption key to unscramble the encrypted gibberish back into legible text.
Law firm encryption typically occurs in a couple of ways. Encryption in transit protects data as it is sent electronically within the firm or externally. This is commonly referred to as end-to-end encryption. Encryption at rest refers to the encryption of data that is stored on hard drives, laptops, or mobile devices.
But even with its high level of protection, many law firms fail to use encryption methods. According to some legal ethics experts, ABA Model Rule 1.6 classifies encryption failures as potential breaches of ethical duty should the data warrant special precautions. This risk seemingly requires law firms to evaluate whether each client matter necessitates encryption and take appropriate measures. Failing to do so could result in ethical violations.
Tech providers consistently create new strategies for preventing system breaches, but these tactics only work when the systems and software are updated on a regularly scheduled basis. This includes VPN, antivirus, anti-spyware, and spam filters.
Unfortunately, far too many law firms implement new technologies and then fail to keep them fully updated. Without consistent updates, these tools may become vulnerable to ever-changing cyber threats. Outdated systems place client data at risk and may even open law firms up to liability should a breach occur. Law firms need systems in place to ensure that necessary system updates occur.
Third-party law firm vendors can also place client confidentiality at risk if they fail to follow strict security standards. These parties can create a weak link in the chain of client data that they are entrusted with during the course of business.
When choosing to work with a vendor, law firms need to closely evaluate the vendor’s security protocols. They may also include specific security requirements within the controlling contract and ensure that the vendor’s insurance policy adequately covers any breaches that may occur.
Legal tech companies routinely use cloud-based storage for their technologies. When managed correctly, these platforms offer great benefits to legal practices. But without proper security protocols in place, cloud storage becomes extremely vulnerable to cyber-attacks. Therefore, law firms need to ensure that cloud-based service providers maintain their networks with technical competence and top-notch security features.
Law firms cannot ignore the role of document safety in the promotion of client confidentiality. With document management systems in place, firms benefit from multi-level security that limits access to reading, deleting, or editing sensitive documents both internally and externally.
These resources can also help firms quickly identify breaches by creating a detailed trail of everything related to a document's life cycle. Firms have access to specific information regarding who made changes and when. They can also review information about document transmission and downloads. These types of security checks protect client confidentiality and provide clients with the assurance that their information is being handled effectively.
The transfer of documents creates the biggest risk of breach. The transmittal of a document to the wrong recipient is a mistake that cannot be undone. If that document contains sensitive or confidential information, the law firm has created a substantial risk should the data be used against the firm or one of its clients. Email is largely considered the fastest and easiest method of sending documents to colleagues and clients, but it is also one of the biggest security risks a law firm can take. This highlights the importance of viable alternatives for sending secure client communications. With tools like client portals and secure document transmission systems, law firms are not forced to rely on risky email transmissions. The credentials of all recipients can be confirmed to ensure client confidentiality and prevent documents from ending up in the wrong hands.
In 2021, whether you realize it or not, you’re a “mobile” lawyer. The digitalization of the world we live in has made the proliferation of cellphones and on-the-go devices an undeniable part of our everyday routine.
Did you know that as of 4 years ago, nearly 100% of lawyers were using mobile computing tools for at least some aspect of their practice? So now, it isn’t “nearly,” it is a resounding “everybody.” Everyone has a cell phone and everyone uses it both for personal and professional reasons. We are all working in a mobile world these days and the expectation is that we will have access to our information from wherever we are.
The first time many of us remember seeing a mobile device was in the 1987 action flick, Lethal Weapon. It was this massive square hunk of material connected to an even clunkier receiver that Roger Murtaugh lugged around across LA. Since then, we have seen the evolution from our Nokia candy-bar phones to flip phones and Blackberrys. Now, decades later, 80% of attorneys are using these beautiful slabs of indestructible (so they say) glass called iPhones. We think of these devices as mobile phones that happen to do a few other things on top of making calls and sending texts. But think about all the things your phone has replaced… we’re talking about email, calendaring, camera, books, TV, games, tickets, GPS… the list goes on and on.
What you should be taking away from this is the fact that these devices are no longer small, single-serving phones. They are an entire personal computer. Our phones have become the primary PC that most of us use on a constant basis. Of course, we have desktops and laptops, but these sleeker and portable devices are one of the first places we go to when we wake up and the last thing we put down at night. There is no other piece of technology that we own that is so pervasive in our lives.
You may be asking yourself, so what? Isn’t technology supposed to grow and evolve and improve? And obviously, the answer to that is yes, but what hasn’t evolved with the changes in our technology is how we protect the information we interact with. Right now, our mobile devices are still thought of as “phones.” And how we protect and monitor them reflects that. However, we go to much greater lengths to protect our servers and our computers. But think about what we just talked about. Our phones are our computers too, and they must be protected as diligently.
A few years ago the ABA President created a Commission tasked with looking at whether or not any changes should be made to the Model Rules of Professional Conduct to address the idea that technology today affects nearly every aspect of our legal work. This includes how we store information, how we communicate with clients, how we conduct discovery, and so on.
The ABA went on further to say that: “In the past, lawyers communicated with clients by telephone, in person, by facsimile, but today, lawyers communicate with clients electronically. Confidential information is stored on mobile devices, including the cloud.” Ultimately, this Commission determined that there needed to be some changes to the Model Rules of Professional Conduct. These changes emphasized that it is part of a lawyer’s general and ethical duty to remain competent in a digital age.
To be more specific, this change was most reflected in Rule 1.1, the general duty of competence. There was no major change to the rule itself, but an addition was made to Comment 8. The section opener remained the same: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” This means the technology you use to run your practice. Every firm uses technology in its practice. Whether it’s simply Microsoft Word or a billing software, everyone uses something. We hear some firms say that they only care about the states that are relevant to their operations. Currently, 38 states have adopted this revised Duty of Competence.
So what does this mean when it applies to your daily practice, from a practical level? We typically think of technology competence as protecting our client’s information, but if we dig deeper, we will find that it incorporates these 5 things:
Let’s dig a little deeper into points 1 and 3…
What does that mean exactly when we say the benefits and risks associated with relevant technologies?
The benefits of mobile devices are incredible. That is an undisputed statement. We can now get our work done anywhere at any time, and now with the necessity to work remotely, this capability has become even more critical. Speed is also another advantage, we can communicate so much faster with both our internal teams and our clients without missing a beat. And if you’re on a cloud-based practice management system, you can truly access any file, any document, anything about all your matters from wherever you are all from your phone.
The first and most obvious risk with mobile devices is the chance of either misplacing, losing, damaging, or getting it stolen. The question isn’t if this will happen, it is when it will happen.
It was reported that women are 42% more likely to have their phone stolen, while men are 57% more likely to drop their phone in the toilet. And a recent study released by Kensington revealed that the costs associated with loss or theft are far greater than the cost of the device itself, thanks to lost productivity, the loss of intellectual property, data breaches, and legal fees.
Regardless of whether your phone is stolen or lost, there are a lot of associated risks that come with that. But no application on our phones runs as much risk as our email does. Today, we use email to communicate with our clients and colleagues, and as the primary means to transport files and documents. If someone is able to access your phone, they may not be a hacker, but they know what the mail app looks like. If they are able to open this app, they will have complete and unfettered access to the most confidential and sensitive information that has been entrusted to you. And it isn’t just the messages or communications, it’s the attachments! Even with eDiscovery, a vast number of loose files (Word documents, PDFs, photos) are attached and sent via email.
Ultimately, this is the inherent risk involved.
So what can we do? Let’s find out...
No one expects you to be a mobile security expert. Things happen and the best you can do is be prepared and stay informed of the things you can do. So, with this in mind, when you’re using a mobile device, be aware of these things:
All of these best practices serve to help you protect the information stored on your personal computer (your cellphone). It is important to note that “reasonable efforts” and “reasonable precautions” mean reasonableness, not perfection. You have an obligation to do what you can, stay informed, and mitigate risks. You do not have to be a technology or smartphone expert to practice the above-mentioned best tips.
The threat landscape for data security is incredibly vast. Today, law firms have the responsibility and duty of technological competence to ensure that their client's information is safeguarded and monitored.
The sad reality is that law firms are often the center of data attacks because of the type of sensitive information that is being dealt with on a daily basis. Oftentimes, attorneys assume that their email or personal information is safe. This is a mistake.
Maybe unbeknownst to you, your personal information includes clues into larger portals of information that can then be categorized and cataloged for hackers to use to gain access to other sensitive information.
Crime today has been commercialized, and organized crime groups use tools to professionally infiltrate your information. The hacking industry now runs much deeper than someone sitting in their basement chugging a Mountain Dew; it has evolved into an illegal business that has cost firms and businesses billions of dollars.
Because of this, clients are no longer just paying for legal services, they are also paying to ensure that their data is protected. Today, class-action lawsuits can be brought against a firm for failure to safeguard and protect their client's information.
An attorney may be required to take special security precautions to protect against unauthorized disclosure of information or when the nature of the information requires a higher degree of security. So, for example, does everyone at your firm have access to the same information? Is it classified and compartmentalized across the firm? Is the data protected according to its sensitivity?
All of these things should lead you to question, are the measures you’re taking and putting in place strong enough to protect your client’s sensitive information?
At the end of the day, it's about organizing your information in ways that keep it safe and accessible to those who need it. Do you keep all your client files on one hard drive? Do different clients warrant a different type of security to access their files? Are those files cleaned up regularly?
The Association of Corporate Counsel (ACC) published model information and security controls that have been adopted almost nationwide as the de facto standard for attorneys to follow. Whether you have an IT team or not, it is your duty and responsibility to understand these measures and be able to act on them.
Let’s go through some of these together:
1. Understand your information
In order to protect your firm’s and your client’s information, you must understand what information you have. You must then classify and organize it, and then thoroughly document what you are going to do to protect it.
2. Review the rights and responsibilities
You’re either doing a good job and following best practices, or you’re not. You need to know what procedures you have or will have in place to secure what needs to be protected.
3. Physical security
Does your office and your third-party vendor’s space utilize badges and door codes? If not, this is the easiest thing to quickly implement. You can also go one step further and store data in different access-based locations and create logical controls so people are only accessing the information they are authorized to.
4. Information disposal
What you do when you’re done with the sensitive information should be reviewed and documented with your clients as well. Are you giving their information back? Are you destroying it? Are you doing both? That needs to be outlined and made clear.
Make sure your people and your vendors are doing what they’re supposed to be doing. Conduct vulnerability assessments, make sure your devices are encrypted, and know if something is open or publicly accessible. Encryption is a very basic security measure that your firm needs to be aware of and implement (if you’re not already). Your information should be encrypted both at rest and in transit. For example, if you have an encrypted computer that gets stolen, you don’t have to report that because the thief cannot do anything with the information on the device. Yes, you'll be out an expensive piece of equipment, but your data will be secure. That is encryption at rest. Encryption in transit protects information while it is being sent or received between devices, such as through email or text.
The most dangerous people at your firm are the ones who lead your IT team, but they are also the most helpful. This type of trust is a commodity. There must be controls in place to ensure that the work they have done is accurate and secure. If you do not have an IT team, you need to do your due diligence with your cloud provider or your third-party vendor and ensure that they are up to date with the latest security measures and you have records that they are constantly monitoring your information.
You don’t know what you don’t know. Buy cyber insurance. Only 34% of firms have cyber liability insurance. Take the opportunity to limit your exposure because the cost of a breach will end up being significantly more than the cost to prevent it.
Now that you have all this information in place, what do you do? You prove it. Take the time to get an industry certification or a privacy shield, and be proactive in showing your clients that their highly sensitive information is in good hands.
Third-party vendors constitute a lot of risk. Did you know that 60% of breaches are linked to third parties? Even today, many firms do not adequately assess these relationships because they feel that their own staff is well trained and assume their vendors' staff are too.
Let’s look at some numbers here:
32% of firms do not evaluate third-party vendor security.
60% of attacks come through third-party vendors.
And only 34% of firms have cybersecurity insurance.
So when someone asks, why do we care? This is why. These figures are staggering. Even if you have a buttoned-up security system, can you trust the third parties?
If you’re working with third-party vendors, you need to follow some basic steps to ensure that the work they are doing is not only correct but protected as well. Ask yourself:
As we discussed earlier, because third parties are very susceptible to cyberattacks, clients are asking for assurance from their law firms, and as a result many of these firms are seeing an increase in information security and data governance audits coming from their clients. It is becoming more common practice to audit your third parties, from both the client and the firm side, because the risks of cyberattacks are so high. At a bare minimum, if you're using a third-party vendor, make sure they are doing at least as good a job as you are in implementing security controls. Do not assume anything, because it is not a matter of if you will experience a breach, it is when.
You don’t have to be an IT professional to ensure that your firm's and your clients' information is safe! If you're using a third-party vendor to store your data, consider asking them these three questions…
1. How are you protecting my information?
This is an open-ended question, which the vendor should answer immediately by showing you their security policy documentation, standards documentation, and incident response plan. If they respond with something along the lines of that information being proprietary, you should be concerned. The best practice in security is always transparency.
Additionally, when you ask your vendor any questions regarding your data, pay attention to how they answer it, and take note of the amount of detail they give in their response. They should be able to tell you what they are going to do with the data, how long they’re going to keep it, and how the data is classified.
2. What are you doing with my information?
What infrastructure is your third-party vendor using? Where are they physically located? What class of server hardware and firewalls do they run? Using a third-party vendor is a lot of work because you need to do your homework and make sure that your information is secure. For example, look at their data flow diagrams: these show you every bucket where your encrypted data sits at rest and every path it takes between those buckets while encrypted in transit. It is important to ask how they encrypt your information and which people physically access that data at each point.
3. Business Continuity Plan
This is your backup plan! Some firms use Amazon Web Services (AWS) as a hosting vendor. Just last week, their system went down. Not for a few seconds or minutes, but for hours. The reason for this outage was undisclosed (scary!). Because of this, you need to know whether your third-party vendor has an off-site disaster recovery location to allow for a quick transition. Ask to see what their uptime has looked like over the course of several years and whether they have had many impactful outages. Your job depends on being able to access your stored documentation and files. If you don't have access to what you need, you can't do your job.
Using third-party vendors may pose many avoidable risks. It is best practice to consolidate your tech stack and make sure you know exactly where all your data is stored, at all times.
When it comes to IT and your security, you need a strategy. You cannot hope things go your way, or hope a backup can be produced. Your clients expect nothing but excellence from you; you should expect the same from your vendors.
And if you remember anything from this blog, remember this: if you didn’t document it, it doesn’t exist, and if you didn’t test it, it doesn’t work.
If you're still curious to learn more, check out our blog: Data Security for Law Firms: Everything You Need to Know
Do you want to hear some scary facts? In 2014, 500 million Yahoo users were compromised. In 2016, 57 million Uber customer accounts and profiles were breached, and in 2017, 143 million social security numbers were stolen from Equifax. Breaches of this scale may not happen every day, but smaller ones do. And as the prevalence of cyber threats grows, smaller companies are now being targeted at a much higher rate.
Between January 2015 and December 2016, there was an approximate 2,370% increase in identified exposed losses. Email scams were reported in all 50 states, and from 2013-2016 the Internet Crime Complaint Center reported exposed losses of more than $2 billion. As privacy concerns continue to grow, governments are now instituting laws that require companies to report every incident of hacking and data breach.
Let’s take a look at the threats your firm faces, the obligations you have with your clients when you communicate through text, and how to protect yourself while you communicate in today’s day and age.
According to a Legal Technology Survey Report that the American Bar Association released in 2016, more than one-quarter of firms with more than 500 lawyers admitted they experienced some type of breach. Approximately 40% of those firms reported significant resulting business downtime and loss of billable hours. 25% recounted hefty fees to correct the problems and one in six reported loss of important files and information.
Today, 25% of all law firms have been subjected to, or experienced, some form of a data breach involving hackers. Computer-oriented crimes span a wide variety of actions, intentions, and goals, and no company is too large or too small to be affected by a cyberattack.
So why are firms being targeted? Lawyers handle very sensitive information for their clients: intellectual property, financial information, and legal strategies, all of which are incredibly valuable to malicious third parties.
As this continues to become a problem, rules that govern the legal industry are changing. Let’s dig deeper.
What are some of the challenges that law firms face?
Unfortunately, even with the advances in firewalls and encryption that we see today, people are the largest weakness in a firm’s security. Whether it’s due to failure to follow protocols or insufficient training, social engineering attacks are on the rise.
The rise of texting is undisputed. It is our primary means of communication. 81% of Americans are sending and receiving texts, with 27 trillion texts being sent every year. According to Nielsen, on average, Americans text twice as much as they call and for Americans under the age of 50, sending and receiving text messages is the most prevalent form of communication. The need and ability to send and receive communication instantly is a primary reason for the rise of this communication method. I'm sure you're familiar with this; people want what they want and they want it now, no questions asked. Today, if it takes longer than thirty minutes to respond to a text (and even that’s generous!), some eyebrows will inevitably be raised. As this trend has evolved, advanced, and continued its way throughout the 21st century, the legal field has slowly started to capitalize on the advantages of the fast and easy communication style too.
There are three compelling reasons why lawyers turn to texting their clients as a dominant means of communication.
And if all of that isn’t enough to compel you, how about the fact that 78% of people wish they could have a text conversation with a business. You don’t have to be good at math to know that’s a lot of people.
Of course, with all this being said, there are downsides to communicating in this modern and rapid way: ethical obligations, confidentiality concerns, over-accessibility, record preservation, and simplicity. As the legal field continues to evolve and texting becomes more and more commonplace, there is a framework of rules that all lawyers should abide by as they continue to use this form of communication. Doing so will not only enhance your customer experience but will also protect everyone from malicious third-party threats.
As a lawyer, you have a duty of competence that you must provide to your clients. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.
Back in the 90s, when email came onto the scene, the ABA said that lawyers had a reasonable expectation of privacy in communications made by all forms of email, but it also stated that encrypting emails sent over the internet was unnecessary, despite some risk of interception and disclosure. So twenty-some years ago, you didn’t have to worry about protecting your communications. But in 2020, with the rise of breaches and personal information being exposed, the ABA adjusted its statement to include that a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. Today, it is a lawyer’s duty to keep abreast of the knowledge and changes in the law and its practice, including the benefits and risks associated with relevant technology. Now, all lawyers are required to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and inadvertent disclosure of information.
The first thing every law firm and lawyer must be able to do is to understand the nature of the threat. Being able to identify what kind of threat is being imposed will help you determine how you should communicate with your staff about combating it.
Not only should you be able to understand the potential threats, but you should also have an understanding of how your confidential information is being stored and transmitted. How does your firm store information? Are you cloud-based or on a physical hard drive?
Next, you must know how to use reasonable security measures to protect what you’re communicating with your clients. This means you also need to determine how your electronic communications and client matters are being protected. It goes further than your IT department making a unilateral decision; it’s your responsibility to make the decision to protect your clients.
Lastly, firms must train their lawyers and staff in technology and information security and conduct due diligence on vendors providing communication technology. This includes how vendors process and handle your data, whether or not that complies with your ethical obligations, vendor conflict checks, and understanding how they do business. Additionally, it is important to note whether or not these vendors are storing your information overseas, what jurisdiction governs that data, and, in the event of a breach, what the steps are to mitigate or resolve the hack.
The factors to be considered in determining the reasonableness of lawyers' efforts include:
As you move forward and continue to grow your firm and expand your client list, it is best practice to speak with your clients and discuss their expectations for communication. What suits them best? Are they comfortable with communicating back and forth via text and are they aware of the security risks and threats in today’s day and age?
Simple answer: yes. You may send texts to and receive texts from clients. There are no statutes prohibiting this; however, there are regulations around data security and confidentiality, as mentioned above.
If you’re trying to solicit new clients via text, there are some standards you must follow. For example, the first line of your text must say that what you’re sending is an advertisement. You must track who received the texts and what content they are specifically receiving. You must ensure that the prospective client is not responsible for the data costs by working with cell phone service providers, and you must have a method for prospective clients to opt out.
If all that sounds like a hassle to you, consider this: the average open rate for text message campaigns is 98%, compared to a 20% open rate for email campaigns. SMS response rates are 295% higher than phone call response rates and 75% of people wouldn't mind receiving an SMS text message from a brand if they opt-in for the service. All this data leads to the undeniable fact that texting yields the highest rate of response.
The information you handle every day is critical, and because of this, firms all across the US are at risk. Any firm relying on existing non-secure messaging systems to communicate with clients is putting itself and its clients’ confidential information at risk.
In today’s world, protecting yourself, your firm, and your clients is critical. Here are some basic measures and steps you can take to protect yourself.
To learn more, check out our blog, Data Security for Law Firms: Everything You Need to Know
2019 was the worst year on record for data breaches, according to at least one research firm. But 2020 already looks poised to eclipse it: data security for law firms and privacy threats have only increased with so many people social distancing and logging into work remotely.
For instance, the World Health Organization recently advised that “hackers and cyber scammers are taking advantage of the coronavirus disease (COVID-19) pandemic by sending fraudulent email and WhatsApp messages that attempt to trick [recipients] into clicking on malicious links or opening attachments.” When users fall for the trap, cybercriminals steal their username and password. Now Zoom bombers are hijacking teleconferences to harass participants and share illicit materials.
Yet there are more than external risks facing us during this pandemic: employees don’t always make the best choices—whether consciously or inadvertently—to protect their data. Often, that’s because they don’t know how to secure their information or because the methods for securing data are cumbersome. But those errors can have devastating consequences. For example, thousands of recorded video calls were (briefly) visible to everyone on the open web. And one healthcare organization jeopardized 344,000 healthcare records because it forgot to wipe the hard drives when the lease on its photocopiers expired—resulting in a civil penalty of $1.2 million.
For lawyers, the consequences of failing to secure data are dire on multiple fronts. Not only might they lose their own data, but they may also lose their clients’ sensitive and confidential information, jeopardizing their attorney-client privilege and violating their ethical duties. These concerns have typically made lawyers loath to let their data out of their sight—or off their in-house servers. But law firms themselves have a poor track record of protecting their data. Perhaps the most notorious law firm breach involved an email hack in 2016 of Panamanian firm Mossack Fonseca, which lost 11.5 million sensitive client records and 2.6 terabytes of data, but other reports suggest that as many as one in four law firms have lost data through breaches.
Now, even for the most cloud-averse law firms, CDC guidance and state mandates have forced their hand. To do any work, lawyers must remotely log in to their firm servers through their laptops and mobile devices. Outside their firm’s cybersecurity infrastructure, firewall, and network security hardware, their data may be more vulnerable than ever. That’s why it’s critical for law firms to understand data security risks and partner with organizations committed to following best practices to protect their data.
Multiple rules of the American Bar Association’s Model Rules of Professional Conduct require lawyers to take steps to protect client data. The duty of competence outlined in Model Rule 1.1 requires that lawyers “understand technologies that are being used to deliver legal services to their clients . . . [and] use and maintain those technologies in a manner that will reasonably safeguard property and information that has been entrusted to the lawyer.” Further, Model Rules 5.1 and 5.3 impose the “obligation to safeguard and monitor the security of electronically stored client property and information.”
The ABA Standing Committee on Ethics and Professional Responsibility has taken these obligations further in its formal opinions. It states that lawyers must not only protect client information but also notify clients if their data has been compromised in a data breach.
For example, Formal Opinion 477R requires lawyers to understand how they store client data and how it can be accessed, so that they can “manag[e] the risk of inadvertent or unauthorized disclosure of client-related information.” Lawyers must ensure that they have implemented appropriate safeguards to limit access to client information and supervise third parties that handle client data, confirming that all third parties take measures that satisfy the lawyer’s professional obligations. To fulfill their ethical duties, lawyers should review their vendors’ cybersecurity credentials and audit their security policies and practices. Formal Opinion 483 requires lawyers to monitor for potential breaches and take steps to stop and/or mitigate any breach and to notify clients and former clients of any data compromise.
It is clear that lawyers must safeguard their clients’ data, regardless of whether it is stored on their own systems or elsewhere. But what exactly are they protecting against?
Law firms store a veritable treasure trove of data that any cyberpirate would covet:
Because law firms store all of this data for multiple clients, they represent the perfect target for a one-stop data breach—a target that’s made even more alluring because many firms lack the state-of-the-art security that other industries have implemented.
Then there are the risks associated with internal threats: employees or contractors may have access to firm and client data, but should their interests diverge from those of the firm, they may take advantage of an opportunity to seize valuable data for inside trading or other nefarious purposes. Or they may not have ever been trained to identify and avoid potential threats. Or they may simply be careless with their data. It’s hard to detect or forestall risks like these, because these insiders have been—appropriately—granted permission to access sensitive data.
What’s a law firm to do? The firm’s core business is practicing law on behalf of clients—not data security. And, although attorneys are mindful of the need to protect information covered by the attorney-client privilege and work-product doctrine, they aren’t experts in IT security or cybersecurity. So, while they may do their best to follow security rules and comply with their ethical obligations in good faith, there’s always the risk that something will slip through the cracks.
These are some of the reasons that lawyers should consider sending their information to a cloud-based practice management solution. Here is what you need to know to choose the option that offers the best cloud security for law firms.
Providers of cloud-based services, including law practice management software, typically offer stronger security than most law firms, because their work centers around data and securing that data. This focus means they continually invest in the latest security tools to guard against evolving cyberthreats.
But not all cloud-based service providers are created equal. Law firms should look for the following data privacy and data security attributes when selecting a cloud-based solution for law practice management.
Your cloud provider’s data centers should have comprehensive physical security protocols to prevent unauthorized access. Here are some questions to ask:
Centerbase’s data centers follow industry-standard best practices, including checkpoints, gates, fences, 24/7/365 on-site personnel, badge/photo ID access, biometric access screening, secure cages, and full-building video capture. Only individuals on a screened and preapproved list have physical access to our facilities; they must present a pass card to enter the parking lot and undergo a biometric screening to enter the building. An authorized third party is required to physically unlock the cages where your information is stored.
What industry-recognized security certifications do the organization and its data centers have? Some of the most common certifications are ISO/IEC 27001, SSAE 18, and SOC 2. Organizations that meet these standards have established that they have adequate controls to securely host data. Make sure a third party has independently audited any organization that you’re considering for compliance.
Because your law firm is probably storing a range of data in its law practice management solution, you should also ensure that your provider is compliant with the other laws that you’re governed by.
For example, if your law firm works with doctors, hospitals, or other healthcare providers, it is subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HIPAA Security rule and HITECH Act require healthcare organizations and their business associates (those who handle services on behalf of healthcare organizations) to implement administrative, technical, and physical safeguards to shield electronically stored protected health information.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions and those that collect personally identifiable financial information that is not publicly available—such as names, addresses, income, account numbers, payment history, purchase history, balances, and the fact that an individual is a customer or consumer—to protect that information from disclosure. Covered entities are required to develop an information security program with administrative, technical, and physical safeguards, including measures for detecting and preventing attacks and system failures and selecting third-party providers that offer appropriate data protection.
Depending on the data you collect, your law firm may also be subject to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requires entities that collect credit card data to take steps to protect the systems and devices that store that data, including data centers, with physical security measures and other protections.
Centerbase data centers’ compliance with SSAE 18, SOC 1, SOC 2, HIPAA, and PCI DSS v3.2 has been audited by an independent third party.
What will happen to your data in the event of a cyberattack or other emergency? Any cloud computing provider that your law firm uses should have extensive disaster recovery and business continuity plans that will allow you to resume your business operations after a disaster occurs. Don’t take their word for it; ask to see a copy.
Check to make sure that your provider has at least one secondary data center with real-time backup and processing power equal to that of its main site. The backup facility should be geographically and environmentally diverse from the primary data center to avoid simultaneous disruptive events. Ask about uptime statistics, and make sure each data center is protected by battery backup as well as fire detection and suppression systems. Your best bet is a Tier III or higher data center with redundant and dual-powered servers, which allow for maintenance and cooling without any service disruptions.
At Centerbase, we constantly replicate our main site’s data to our off-site disaster recovery location to allow for a quick transition in the unlikely event of a catastrophe at our main location. We’ve operated servers in our main facility for over 14 years without the need for a single failover. We employ a four-tier data redundancy policy, with three encrypted sets at our primary sites and a fourth set at our disaster recovery sites. We have a system-wide 99.999% uptime with zero data loss. We maintain a Tier III offsite disaster recovery location, fully capable of taking over in the unlikely event of a catastrophe at our main data center locations. All Centerbase databases are continuously backed up and can be restored to any point in time within a 10-minute window.
How do users access the data in their law practice management system? What processes does the platform have in place to limit access on a need-to-know basis? Does the system have content-level permissions and information rights management protocols? You should be able to set permissions at multiple levels: user, group, and organization. You should also be able to set access independently at the file and folder levels. Finally, make sure your provider offers a complete audit history so you can track logins and monitor access.
Centerbase’s advanced application-level security settings allow you to set permissions to any data in the system on an individual or group basis, so you can limit access to financial data, billing rates, sensitive documents, and cases. Our system also includes a user-definable change tracking, audit log, and deletion log system. From an easy-to-use dashboard, you can quickly review all user activity, including changes made, and view both the old and new values and any deletions. You can also monitor logins and log users out remotely. Our server also logs and monitors every connection and communication that is made with your system. We store the IP address, the information that is accessed, and the date and time of all interactions, so you know who is using your system at any time.
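As an added illustration (not Centerbase's code) of the permission and audit controls described above, here is a minimal deny-by-default document store: grants at user, group and organization level, folder ACLs that flow down to files unless inheritance is deliberately broken (as you would for billing rates), and an audit log of who accessed what, when and from which IP. All principals, paths, groups and IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Flag, auto
from typing import Dict, List, Tuple


class Perm(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    DELETE = auto()


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset
    org: str


@dataclass
class Acl:
    # grants keyed by ("user", name), ("group", name) or ("org", name)
    grants: Dict[Tuple[str, str], Perm]
    inherit_parent: bool = True  # False: ancestor folder grants do not apply here


class DocumentStore:
    def __init__(self) -> None:
        self.acls: Dict[str, Acl] = {}
        self.audit: List[dict] = []

    def set_acl(self, path: str, grants: Dict[Tuple[str, str], Perm],
                inherit_parent: bool = True) -> None:
        self.acls[path] = Acl(dict(grants), inherit_parent)

    @staticmethod
    def _chain(path: str) -> List[str]:
        """[path, its parent, ..., '/'], most specific first."""
        parts = [p for p in path.split("/") if p]
        chain = ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]
        return chain + ["/"]

    def effective(self, who: Principal, path: str) -> Perm:
        """Union of the grants that apply to `who` on `path` and on inheriting
        ancestors; with no matching grant the result is Perm.NONE (deny by default)."""
        keys = {("user", who.user), ("org", who.org)} | {("group", g) for g in who.groups}
        perm = Perm.NONE
        for node in self._chain(path):
            acl = self.acls.get(node)
            if acl is None:
                continue
            for key in keys:
                perm |= acl.grants.get(key, Perm.NONE)
            if not acl.inherit_parent:
                break  # inheritance broken here: stop walking toward the root
        return perm

    def access(self, who: Principal, path: str, want: Perm, ip: str,
               when: datetime) -> bool:
        """Decide one request and record it (who, what, when, from where)."""
        allowed = want in self.effective(who, path)
        self.audit.append({"time": when.isoformat(), "user": who.user, "ip": ip,
                           "path": path, "action": want.name, "allowed": allowed})
        return allowed

    def denied_for(self, user: str) -> List[dict]:
        """Audit query: every refused attempt by one user."""
        return [r for r in self.audit if r["user"] == user and not r["allowed"]]


def demo() -> DocumentStore:
    """Constructed scenario: a litigation paralegal and a partner on one matter."""
    store = DocumentStore()
    paralegal = Principal("pat", frozenset({"litigation"}), "firm")
    partner = Principal("jo", frozenset({"litigation", "partners"}), "firm")
    # Whole firm may read the matter; the litigation group may also edit it.
    store.set_acl("/matters/acme", {("org", "firm"): Perm.READ,
                                    ("group", "litigation"): Perm.READ | Perm.WRITE})
    # Billing rates: break inheritance so only partners can reach them.
    store.set_acl("/matters/acme/billing",
                  {("group", "partners"): Perm.READ | Perm.WRITE}, inherit_parent=False)
    t = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
    store.access(paralegal, "/matters/acme/complaint.docx", Perm.WRITE, "10.0.0.5", t)
    store.access(paralegal, "/matters/acme/billing/rates.xlsx", Perm.READ, "10.0.0.5", t)
    store.access(partner, "/matters/acme/billing/rates.xlsx", Perm.READ, "10.0.0.9", t)
    return store


if __name__ == "__main__":
    for record in demo().audit:
        print(record)
```

The second request is refused and lands in the audit trail, which is the record a reviewer would pull when checking who tried to reach billing data.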
How does your provider monitor its perimeter security? Has it implemented antivirus scanning technology? Has it configured a firewall to defend against threats such as malware and denial-of-service attacks? Does it have an intrusion detection system that alerts you to network threats in real time and automatically blocks attacks? Does it protect data at rest and in transit with encryption?
Centerbase manages our own firewalls and security policies and has over 14 years of incident-free experience. We design our systems to actively refuse connections from high-risk countries known for hacking activity. We continuously monitor our systems for vulnerabilities and malicious activity to guard against cyberattacks and DoS incidents. We also employ 128-bit SSL encryption for data transfer, storage, and onsite and offsite backup; in other words, we meet the same stringent encryption standards as financial institutions, healthcare providers, and other security-conscious businesses. This ensures that no one will ever have access to your firm’s information even if they gain physical access to our systems.
Make sure your service-level agreement with your provider spells out who owns your data: all uploaded data should remain yours. What will happen to your data when the relationship ends? Does your provider have a standard policy to remove data from its servers, archives, and backup devices?
Our clients own all data in our system. When a law firm ends a Centerbase subscription, we make all content available to the firm’s administrator or authorized user. All content associated with the firm’s subscription is irrevocably deleted from the Centerbase platform within 90 days of termination.
What is your provider’s policy on technical support?
Centerbase keeps a close eye on the performance and response time of your system. Offsite monitoring software constantly reviews our infrastructure for failures or issues. We also monitor each client’s website for response time to ensure a high level of performance. Our staff is notified via text and email when issues arise and are on call and available 24/7/365 to make sure your systems are up, running, and available to you.
Law firms considering a cloud-based practice management and billing solution for the first time may feel some trepidation about losing control of their data. However, by ensuring that their service provider has invested in the measures outlined in this article, they may find that their data is even more secure than in the four walls of their firm.
Curious how we set the bar for legal software security? Check it out here!