The idea of cybersecurity may be foreign—or even frightening—to many attorneys. However, as evidenced in Part One of this series ("Cybersecurity: You Can't Afford to Ignore It Anymore," April 25) law firms appear to be the next great target for hackers. In light of that, as a risk management prevention tool, attorneys and firms need to be aware of how to protect themselves.
Often, when a cyber breach reaches the news, it is because something bad has already happened. Some cyber attacks may be inevitable, but there are common mistakes that many practitioners make. Here are some mistakes made by other firms and attorneys, and how those mistakes can be avoided.
'Prevention' Is a Goal
Many law firms develop plans for what to do once a cyber attack happens. However, it is just as important for firms to focus on prevention of attacks. Notably, preventing a cyber attack is not solely an IT issue, but rather, is a risk management issue.
Firms that have successfully prevented cyber breaches have generally followed four key steps. First, some law firms have implemented a cyber security program, incorporating some common elements, such as anti-virus protections, firewalls, secure connections and requiring passwords for mobile or desktop devices.
An often overlooked principle of a cyber security program is determining what actually constitutes a "breach" that will require a response or, possibly, notification of authorities and impacted individuals. For some law firms, any unsanctioned access to a firm system is a "breach"; others may not call it a "breach" until someone has taken something (such as data, files or money) that does not belong to them.
Second, some firms have adopted a robust incident response plan. Once a breach event occurs, it is easy for panic to set in. That is why many law firms design a response plan before a breach occurs. It may also help a law firm defend against any claims of negligence should a breach occur.
There are a few common elements that most firms consider for their incident response plan: appointing a person to be in charge of the response upon a breach, the reporting chain of command for addressing a breach, physical locations of servers and where certain information is stored (to help support the internal investigation), a plan for conducting interviews and collecting and preserving evidence, a policy of determining when to involve authorities, a plan for notifying employees or affected parties (which ideally will reflect legal disclosure requirements) and media strategy.
Third, firms often test their systems. Law firms experienced in this arena routinely review their records and activity logs to determine a baseline for what activity on the system is "normal." Most hacks, malware or phishing emails do not alert the law firm: "You have been compromised." More often, evidence of a hack is subtle. Other times, the law firm notices the impact (e.g., money missing from an account) but does not notice the breach itself.
A law firm can only really determine what activity is "abnormal" after it knows what activity is "normal." Some law firms treat this issue like their corporate clients might—by hiring a "white hat" hacker to test the system. This shows a law firm where the vulnerabilities are in its networks. It also helps a law firm identify what sort of suspicious behavior to look for in the future.
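One way to put the baselining described above into practice, as an added example that is not part of the original article: a script that learns each user's usual login hours and source addresses from a period of logs treated as "normal," then flags later successful logins that depart from that baseline. The log format, user names and addresses are all constructed for the illustration and assume a simple one-line-per-login format.

```python
import re
from collections import defaultdict
# Constructed sample log lines (not taken from any real firm system).
BASELINE_LOG = """\
2023-03-01T09:12:04 LOGIN user=jsmith src=10.0.1.15 result=ok
2023-03-01T09:40:51 LOGIN user=aross src=10.0.1.22 result=ok
2023-03-02T08:58:13 LOGIN user=jsmith src=10.0.1.15 result=ok
2023-03-02T10:05:27 LOGIN user=aross src=10.0.1.22 result=ok
"""

NEW_LOG = """\
2023-03-06T09:10:02 LOGIN user=jsmith src=10.0.1.15 result=ok
2023-03-06T02:41:19 LOGIN user=jsmith src=203.0.113.7 result=ok
2023-03-06T10:15:33 LOGIN user=aross src=10.0.1.22 result=ok
2023-03-06T10:16:01 LOGIN user=aross src=10.0.1.22 result=fail
"""

LINE_RE = re.compile(r"^(\S+) LOGIN user=(\S+) src=(\S+) result=(\S+)$")

def parse(log):
    """Yield (timestamp, user, source address, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def build_baseline(log):
    """Per user, record the source addresses and hours of day seen in successful logins."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ts, user, src, result in parse(log):
        if result == "ok":
            baseline[user]["srcs"].add(src)
            baseline[user]["hours"].add(int(ts[11:13]))
    return baseline

def find_anomalies(baseline, log):
    """Return (user, timestamp, reason) for successful logins that depart from the baseline."""
    findings = []
    for ts, user, src, result in parse(log):
        if result != "ok":
            continue  # failed attempts are worth counting too, but this baseline covers successes
        prof = baseline.get(user, {"srcs": set(), "hours": set()})  # unseen user: everything is new
        reasons = []
        if src not in prof["srcs"]:
            reasons.append(f"new source {src}")
        if int(ts[11:13]) not in prof["hours"]:
            reasons.append(f"unusual hour {ts[11:13]}")
        if reasons:
            findings.append((user, ts, "; ".join(reasons)))
    return findings
```

On the constructed logs above, the only finding is the 2:41 a.m. login by jsmith from an address never seen in the baseline period; a real deployment would build the baseline over weeks rather than days and review flagged events rather than act on them automatically.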
Fourth, many firms train their employees to recognize what some risks look like, what the firm's security policies are, and how to report a suspected breach. Firms may also consider whether certain information, programs, or files should be limited to specific employees to reduce the risk of inadvertent disclosure, loss, or an internal incident.
All Law Firms Are At Risk
One of the biggest mistakes a law firm can make is thinking that it cannot happen to them. Even small firms possess confidential data on their networks, such as employee Social Security numbers and privileged communications. Also, it does not take a sophisticated hacker to penetrate a network. If a firm does not have proper security protocols in place for mobile devices, a phone left in a cab can provide a person an open door to the law firm's files.
This is a business development opportunity.
By having protocols in place to protect client data, law firms may be able to stand out in the marketplace as a good option for clients. This is another way that firms can distinguish themselves and land new clients. If a firm does not have the appropriate security protocols in place or is unable to implement them, that might be the difference that results in a client choosing another firm to represent them.
Also, law firms can be more competitive by understanding their clients' security needs. Whenever a client imposes or requests security guidelines, the attorney in charge of the matter might want to run them by the IT department or the in-house cyber "czar" to ensure the law firm can certify its compliance. A law firm should avoid taking a representation for which it cannot provide proper cyber security or where it cannot meet the client's expectations of security. Doing otherwise may expose the firm to civil liability.
Consider Cyber Insurance
All law firms should have a professional liability insurance policy. However, firms may also consider whether they need something more—such as specific cyber or data breach coverage—to protect them from the costs and exposure of a cyber attack.
A professional liability policy will likely provide coverage for the breach of client information, IP infringement or third-party losses. But the costs of notifying clients, business interruption, investigation of a breach, or penalties assessed as a result of the breach may not be covered by a traditional policy.
Hire a Lawyer
Law firms do not have to go through this alone. Counsel with experience in cyber security and malpractice defense issues can assist a law firm in developing a cyber response plan, investigating an incident and responding to the same. Involving counsel also helps cloak the situation in the privilege. (Some states also recognize other privileges—such as the self-critical analysis privilege—to provide additional protection.)
Being able to rely on an outside attorney's advice about appropriate cyber protections and breach response protocols will be beneficial if the implementing law firm ever faces a claim that it failed to adequately safeguard client data and/or failed to respond appropriately to a cyber incident. Otherwise, discussions about which protections were worth implementing (or which ones that could have saved client data were rejected), or about the pros and cons of disclosing a potential incident before the investigation is complete, could become exhibits in litigation brought by a disgruntled client.