Think you can’t be duped by the Nigerian Prince or your best friend that needs $5,000.00 to return home from the Bahamas? You’re probably right. But think your law firm is immune from having funds in a trust account stolen by phishing experts using undetectable malware? Think again!
Cyber-attacks and data breaches are no longer the stuff of James Bond stories or limited to large corporations. Although malware and cybersecurity raise concerns across all industries, the structure and mindset of law firms often make them the perfect target for hackers and phishing schemes. Structurally, law firms are a treasure trove of clients’ health records, social security numbers, and bank information. Firms also hold a wealth of intellectual data, including trade secrets, intellectual property, and deals not yet known to the public. Yet, whether from ignorance or arrogance, many firms have historically failed to acknowledge their vulnerability to these cyber thieves or to act responsibly after a breach or the theft of a client’s valuable data. These attacks are not going away. Law firms will continue to be targets. The difference is how law firms react to protect their data, their clients, and their reputations.
WHAT CONSTITUTES A DATA BREACH?
Not every cyberattack creates a data breach. A cyberattack is purely the attempt by hackers to gain illegal access to a network. According to the American Bar Association, a data breach is a data event where (1) significant confidential client information is misappropriated, destroyed or otherwise compromised, or (2) an attorney’s ability to execute the legal services for which they are hired is impaired.
Every lawyer knows that our professional and ethical obligation to safeguard clients’ information extends to written, spoken, and electronically formatted information. But identifying the specific information to protect can be a daunting task. Certain types of data are obvious: sensitive information from clients, confidential financial information, trade secrets, intellectual property, medical information, and personal information. Other information will vary depending on the field of practice. For example, family law attorneys may have information about children and SAPCR documents, real estate lawyers possess confidential information in loan documents or information regarding prospective business deals, and tax attorneys regularly file reports with financial information; attorneys with corporate practices may hold sensitive information of third parties that carries fiduciary duties not only to the client but to those third parties as well.
ANALYZE YOUR IT SYSTEM
Hire an IT analyst or use one of the websites that provide free risk assessments. Question how data flows through the system, each point of entry and exit for information, and who needs access to the information. Know the vulnerabilities of your IT system and give yourself an opportunity to address the issues before a potential catastrophe.
Start with an understanding of the hardware (the computers, printers, and servers), making note of the model numbers, serial numbers, and which devices are connected to the internet. Inventory all software, programs, and security systems (including firewalls, anti-malware, anti-ransomware, and antivirus software), when each was last updated, the reliability of backups, and how long it will take to recover data in the case of a data breach. Does your firm have an internal intranet, how does the system operate, and is it protected?
Protecting your clients’ information does not require developing a level of expertise on these issues, but you should have a working knowledge of the systems.
WHO’S STEALING MY STUFF?
Historically, across all industries, data breaches generally came from employee negligence and lost or stolen devices. Today, the number one cause of data breaches is criminal attacks by hackers.
Hackers are no longer a few individuals sitting in a basement staying up all night. They are massive business enterprises with huge growth potential. Hackers utilize automated systems that continuously scan networks looking for weaknesses, no matter how small. If your firm is on the internet, it is a target. Hackers target a weakness and follow the trail to something of value, regardless of how small. Many hackers simply cast a large net and gather mass amounts of information, regardless of its value, and then analyze it later to determine whether the information has any value at all.
Hackers utilize a variety of attack methods. For example, ransomware can encrypt a firm’s client files so the firm can no longer access them, or shut down telephone or email systems. Every minute a firm is unable to access a client file or use the firm’s email is a direct financial loss. Phishing attacks, on the other hand, are the practice of sending fraudulent communications with the goal of stealing confidential data, often by tricking the recipient into installing spyware. Additional methods include “man in the middle” or eavesdropping attacks, where hackers place themselves between the two parties to a transaction, receiving all of the information one party is sending to the other. Unsecured networks, such as public Wi-Fi at airports, leave many people open to these attacks.
WHAT DO I DO NOW?
Regardless of how sophisticated hackers become, the easiest cyberattack on any organization is through unsuspecting employees. Malware, phishing, and man in the middle attacks are exponentially more effective when targeting untrained employees who open suspicious emails and visit unsafe websites. Educating and training staff and attorneys on cybersecurity is the least expensive and most effective resource for any law firm.
ESTABLISH CYBERSECURITY POLICIES FOR ALL EMPLOYEES (INCLUDE IN EMPLOYEE HANDBOOK)
- Regarding social media and similar activities permitted in the firm
- Regarding employees’ use of personal electronic devices to receive and send email. If allowed, employees should be required to maintain security protocols on their personal devices and a protocol should be established for reporting suspicious emails received by an employee.
- Develop protocols regarding passwords and the use of a secure password wallet program to access confidential client files
- Establish guidelines for employees utilizing public Wi-Fi systems
- IT procedures upon termination of employment, such as revoking network credentials
ESTABLISH CYBERSECURITY POLICIES IN THE EVENT OF A BREACH
- Proper protocol if an employee is confronted with a possible data breach
- Create incident response plans so employees understand their responsibilities before a breach occurs
- Ensure backup and restoration procedures are in place
- Your files should be copied and stored off-site to provide access in the event of a cyber-attack/data breach.
To many, these steps may seem like overkill. But as lawyers, we protect our clients’ rights and property every day by planning ahead.
DO YOU REALLY HAVE A CHOICE?
Anticipating a hacker’s motives or thought processes is nearly impossible. Although no system is ever perfect, when the required policies, procedures, and frameworks are followed, confidential information is more secure, and the chances that an employee will unwittingly release information are significantly reduced. Implementing protocols and procedures may seem daunting and time-consuming, but it is fundamental to minimizing risk.
Failure to make a reasonable effort to safeguard client information is not only a great way to lose clients, but an unfortunate means to find yourself facing an ethics rule violation. The American Bar Association and Texas State Bar ethics rules require attorneys to safeguard client information competently and within a reasonable measure.
In addition to the rules of professional conduct, there are state regulations you must comply with if personal information of your clients is compromised. In Texas, you must immediately report a breach of personal information to clients as soon as it occurs or when you become aware of the breach. In Texas personal information includes: name (first and last or first initial and last); social security number; date of birth; maternal data, such as mother’s maiden name; government-issued identifications; biometric data; unique computerized identification; routing codes, or addresses; financial account information; credit card or debit card (as well as all passwords and PINs); personal information relating to physical or mental health; and healthcare payment history. Delays in the notification are only permitted if law enforcement determines that the notice will hinder a criminal investigation. If you fail to properly notify a client of a data breach involving their personal information, you may be liable for state penalties from $2,000 to $50,000 per violation. Prompt notification is key because every day that goes by without taking reasonable action to notify affected clients may incur a penalty of $100 per day.
No one thinks they will fall for the scam: not the mega Washington, D.C. law firm that lost millions of dollars when its IT system was hit by a ransomware attack, and not the small ten-attorney law firm in Rhode Island that fell prey to over $700,000 in lost business due to hackers encrypting its client files. Train your employees, implement the policies, and ensure compliance. In this case, the best defense truly is the best offense.
Molly Neck