The FBI has issued multiple warnings that law firms are being targeted by hackers.
Penalties can include the loss of clients, negative publicity and sanctions. Costs can exceed $1 million for notification, credit monitoring, fines, computer forensics, legal representation and corrective action programs. Multiple federal and state agencies can penalize you for a single data breach. Clients can sue for malpractice if you lose their data.
LESSON 1: Your Data is Valuable to Bad People
Law firms store lots of valuable data in many forms. It doesn’t matter if you specialize in family, corporate, real estate or criminal law. You have something someone else wants – financial information, health records, strategic information and secrets that your client’s competition would love to see. Your data may be protected not just by attorney-client confidentiality, but also by federal and state laws.
LESSON 2: You Must Protect Data for Ethical & Legal Reasons
Cybersecurity is not optional. You have an ethical responsibility to maintain confidentiality, and a legal responsibility to secure legally protected information.
THE STATE BAR OF ARIZONA REQUIRES:
• “…Competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence…”
• “…Competent and reasonable measures to assure that the client’s electronic information is not lost or destroyed.”
• “…An attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”
State Bar of Arizona, Opinion No. 05-04 (July 2005)
LESSON 3: You Need to Implement Technical, Physical and Administrative Security Safeguards
Effective cybersecurity requires a belts-and-suspenders approach.
Your staff must know what to do, how to do it, and what will happen (discipline, termination or criminal prosecution) if they break the rules.
Buying security tools without training everyone on your staff to use them properly is a waste of money. Telling everyone what they should do without conducting internal audits to validate compliance is meaningless. Invest in security, make sure everyone knows how to use it, and make sure they really do.
LESSON 4: Bad Things Come From Data Breaches
Once data is breached, a lot of bad things will happen. The same data can be protected by federal and state laws, requiring reporting to federal agencies, the state attorney general and the bar. Your clients will have to be notified, and the breach will be public information in the media and with regulatory agencies. Additionally, there have been several successful data breach lawsuits demonstrating how a firm fell below the reasonable standard of care in protecting data.
LESSON 5: Security is a Specialty, Like the Law, Medicine & Accounting
You need specialized skills and tools to manage your security. Security tools must be properly configured and continually monitored to ensure they are working properly and have had their definitions and patches updated. Logs must be kept so that, after a device has been lost or stolen, you can prove that its data was encrypted.
A good way to make sure you have the proper security in place is to have an independent security audit. This can help you understand where your data is, how it moves within – and in and out of – your firm, and what vulnerabilities you have.
Cybersecurity isn’t optional. You owe it to your clients.