As an attorney and someone who practices a more “traditional” profession, you may think that your business is not as exposed to cyberattacks and data breaches as a software or eCommerce business, but that couldn’t be further from the truth.
According to a survey conducted by The American Bar Association (ABA), 29% of the responding attorneys and law firms experienced some kind of a security breach in 2020, while 21% were unsure whether a breach had occurred or not. These numbers raise serious concerns, especially amid a global pandemic during which business is being conducted online and from home more than ever.
In reality, no business is safe from cybercrime. According to IBM's Cost of a Data Breach Report, it took companies an average of 280 days to identify and contain a data breach in 2020. The average cost of a data breach was $3.86 million, a staggering figure that further stresses the significance of keeping your data safe.
You might be asking how the cost of recovering from a data breach can be so high. The answer is that whenever sensitive data, especially third-party data such as client files, is compromised, your company is likely to face lawsuits.
Combine the sometimes exorbitant legal costs of such claims with the cost of identifying the breach, notifying affected parties, neutralizing the attack, and installing the controls and systems that will protect you from similar threats in the future, and you'll start to see how a single cyberattack can cost your company millions.
What Kinds of Cyber Threats Do Attorneys Face?
Cyberattacks are becoming increasingly sophisticated and hackers are constantly developing new ways to infiltrate computers and databases. Cybercriminals target law firms because they want to gain access to confidential attorney-client information, trade secrets, or personally identifiable information. Many also presume that attorneys are often less tech-savvy, which makes them an ideal target for such an attack.
Let’s have a look at some of the most prevalent types of cyberattacks and the consequences they can have on the affected party.
Social Engineering and Phishing: Social engineering attacks trick victims into giving criminals access to confidential information and company networks. The attacker contacts the victim directly, usually by email, while pretending to be a trustworthy source. A typical phishing email contains a link the victim is urged to click, leading to a look-alike login page where they are asked to enter their credentials to "fix some kind of a problem with their account"; the attacker captures those credentials and uses them to log in as the victim.
Phishing is the most common way into a law firm, and the well-crafted variants are subtle. Phishers pose as company executives, opposing counsel, clients, or somebody in charge of IT or cybersecurity and ask employees to download a file, click a link, or urgently change where a payment should be sent. The problem is that these messages are often very well disguised, so many professionals take the bait without checking the sender's actual email address or confirming the request through a known phone number, and end up compromising their own and the firm's data.
Hacking: Hacking attacks are much less subtle than social engineering. Hackers attack your systems directly, typically by exploiting unpatched software, weak or reused passwords, or remote-access services (such as VPN or remote desktop) left exposed to the internet, to steal the information they need or to disrupt your network. Skilled attackers who get past your security measures can compromise any connected device, often causing financially devastating data breaches. The goal is usually financial gain for the perpetrator, but it can also be a form of protest or simply prestige among hackers.
Malware: Malware, or malicious software, comes in various forms and can be designed to attack your systems in many ways. For example, ransomware encrypts your files and systems and demands payment for the key to unlock them; many ransomware groups now also steal the data first and threaten to publish it if you don't pay. Cybercriminals know how vital client data is to attorneys, and they expect them to be willing to pay a significant amount of money to get it back quickly. Paying does not guarantee recovery, so reliable backups that are kept disconnected from your network and that you have actually tested restoring from are the only dependable defense.
Spyware infiltrates your system and quietly monitors you in order to capture passwords and other sensitive data. What makes malware difficult to detect and stop is that cybercriminals constantly modify it and change the ways in which they deliver it, so signature-based antivirus alone will not catch everything.
What Are Some of the Most Prevalent Data Security Risks for Attorneys?
Law firms are particularly appealing to cybercriminals because of all the confidential client information they store. Once they access this data, there are many ways in which they can use it both to hurt you and to extract financial gain for themselves.
As mentioned earlier, they can take your data hostage and request a ransom before releasing it back to you. They can also use the private client information they acquired during the attack to make their own investment decisions based on financial statements, business documents, and similar data that you might have access to.
Worst of all, letting this type of private information leak could irreparably damage your reputation as an attorney, a devastating turn of events in a profession in which trust between attorney and client is almost everything.
And as lawyers know better than anyone, these incidents can also lead to malpractice claims and disciplinary complaints, since you have an ethical and legal obligation to make reasonable efforts to protect your clients' confidential information.
Attorney-client privileged information is appealing to hackers because it can bring them substantial profit, and they assume that attorneys earn a hefty paycheck, which makes firms ideal candidates for holding data hostage and demanding ransom payments.
Unfortunately, it’s also a fact that law firms generally have weaker data security measures installed than technology companies would have. Many attorneys are still reluctant to hire cybersecurity experts for their firms, either in-house or as consultants, usually because they are unaware to what extent these types of online threats can be damaging.
It's also not uncommon for smaller firms to forgo cybersecurity experts because of a lack of funds. Whatever the reason, choosing to work out your firm's cybersecurity on your own puts you at greater risk than hiring experts to help you create and implement a detailed plan for protection, mitigation, and response.
What Can You Do to Protect Your Data?
Absolute protection from cybercrime doesn’t exist. Still, there are steps and procedures you can implement to minimize the chances of being breached and ensure the best possible response to a potential incident if one does occur:
Design and implement a cybersecurity policy for your firm: Creating an official policy is the first and most essential step towards ensuring that your practice has security standards all employees should follow. The policy should be detailed and cover all the cybersecurity measures your company should be implementing. Make sure your staff has access to the document at all times and is familiar with the procedures they need to follow in order to keep your firm protected.
Continuously educate your staff: It is not enough to notify your employees of what is expected of them. Everybody should go through training on how to set up and protect their business accounts adequately. Be aware that new types of social engineering and phishing attacks appear daily and that people need constant education in order to be able to recognize and report such attacks to the company’s cybersecurity expert. Educating staff is more important now than ever because of the fact that a vast majority are still working from home as a result of the pandemic.
Use a password management tool and multi-factor authentication: Instruct your employees to use strong, unique passwords for every account. You can make this easier for them with a password manager that generates and stores their passwords. Require multi-factor authentication as an additional layer of protection on all company accounts, starting with email, since whoever controls a mailbox can reset the passwords of everything tied to it. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or redirected.
Purchase and regularly update security software: The anti-virus software market is well served, so you shouldn't have trouble finding a good solution for your firm at any price point. Buy a licensed product and ensure regular updates and security scans are performed. Just as important, keep operating systems, browsers, and office applications patched; enable automatic updates wherever possible, because attackers routinely exploit known flaws that already have a fix available.
Consider checking and updating permissions: Not everyone on your staff needs access to all the information your firm stores. Analyze the access needs of each position and grant everyone only as much access as they need to do their job (the principle of least privilege). That limits unnecessary data exposure and reduces the risk of things such as insider trading schemes. Review these permissions periodically, since they tend to accumulate over time. Access control is also crucial when a person resigns or is fired, after which all their accounts and permissions need to be revoked promptly.
Encrypt your data: Encryption scrambles your data so that it can only be read by someone holding the correct key. Enable full-disk encryption on all laptops, desktops, and phones (for example, BitLocker on Windows or FileVault on macOS) so that a lost or stolen device does not become a breach, and make sure data in transit is protected by TLS (for example, HTTPS for web traffic). SSL is the obsolete predecessor of TLS and should no longer be used.
Instruct your clients to use safe communication methods: Your clients might not be aware that their actions are unsafe for your firm and their personal data. Tell them who they can expect to communicate with from your firm, which channels to use (for instance, a secure client portal rather than unencrypted email attachments), and how to report any suspicious activity. Make it a firm rule, and tell clients, that any change to wire or payment instructions will always be confirmed by a phone call to a previously known number.
Create an incident response plan: The incident response plan should instruct your employees on how to handle all the phases of a potential breach, including detection, containment, investigation, remediation, and recovery. It should also cover who to call (IT provider, counsel, insurer) and the breach-notification laws of the states whose residents' data you hold. Walk through the plan in a tabletop exercise at least once a year so that people are not reading it for the first time during a crisis. Your response plan should align with the ABA's Formal Opinion 483, which provides guidance for lawyers who have suffered a data breach.
Obtain adequate insurance policies: Insurance is your ultimate line of defense that serves to minimize the damage of a breach, especially financially.
How Can Insurance Help Mitigate Your Risks?
Buying the right insurance policies is an essential step in protecting your practice. Suppose other security measures you take to prevent data breaches fail. An insurance policy tailored to protecting your business from such issues would be able to help you successfully deal with the breach and recover from all its consequences.
Two types of business insurance are crucial for attorneys when it comes to coping with cybercrime: cyber liability insurance and legal professional liability insurance.
Cyber Liability Insurance
Cyber insurance allows you to transfer the costs related to overcoming a data breach to your insurer. Traditional insurance policies were not designed to cover risks associated with cyberattacks, which is why every business that stores data online must strongly consider purchasing cyber insurance. The policy usually splits into first-party and third-party coverage.
First-party cyber insurance will cover your costs related to the breach. The third-party coverage will respond to the damage suffered by the direct victims of the breach, usually your clients or partners.
Cyber insurance policies are dynamic and easy to adjust to your needs. As an attorney who works with privileged information, you should make sure that your policy covers the following:
Notification costs: The breached party has the responsibility to investigate the extent of the breach and notify everybody affected. Depending on the severity of the attack, this can be an expensive endeavor.
Computer forensics: You also need to conduct a thorough investigation of how the data breach occurred in order to prevent future exposure. Cyber insurance helps with the cost of hiring an expert who would look into the problem and help implement improved security protocols.
Civil damages: Many lawsuits stemming from a data breach are class action suits, which usually means multiple victims and potentially costly damages and settlements, on top of any regulatory fines or penalties.
Credit monitoring: Your cyber insurance policy should cover the cost of the credit monitoring you offer to affected individuals. Several state regulators require or expect it, and they want to ensure that potential victims are properly protected.
Ransom in case of extortion: If you fall victim to a ransomware attack, the attackers can demand a substantial ransom that the firm itself might not be able to cover. Check the policy's conditions carefully: most insurers require their consent before any payment, and paying a ransom to an attacker on a government sanctions list can itself be unlawful.
PR costs to minimize reputational damage: Reputation is essential for attorneys and you need to handle the potential fallout of a data breach with extreme caution. A preferred insurance policy would help cover the costs of hiring a PR expert to minimize reputational damage.
Legal Professional Liability Insurance
Professional liability insurance would respond to malpractice claims resulting from a data breach. Your clients could interpret your failure to keep their information safe as a breach of your professional duty and sue for damages. As data breaches seldom affect just one of your clients, you could end up facing multiple lawsuits. Even if you can prove that the allegations are baseless and that you have done everything in your power to prevent the breach, dealing with the claims can be very time-consuming and costly regardless of the outcome.
That is where your professional liability policy would kick in to help. It covers your defense costs, up to the policy limits, however drawn out the process turns out to be, and it also pays any awarded damages within those limits. It is important to remember that this policy only covers unintentional errors and omissions, not claims arising from malicious or fraudulent actions taken by you or your staff.
Regardless of your firm's size and specialization, you shouldn't underestimate the importance of data security. Protecting your clients' information is not just a moral and professional responsibility; a rapidly evolving body of data security and breach-notification laws now mandates it.
All investments made in IT infrastructure, cybersecurity expertise, education, and even insurance can pay huge dividends in the long run by protecting your firm from cybercriminals and lessening the financial blow if and when a cyberattack or data breach does occur.