There’s Always a Bigger Phish: How the Legal Industry Can Get a Handle on Cybersecurity Threats
Responsible firms can take important steps today to protect private, sensitive data, and they can start with basic office procedures.
August 20, 2019 at 12:30 PM
Legal documents live transitory lives. They contain reams of sensitive information that pass through the hands of lawyers and paralegals, and then they go through the process of being reviewed and signed by clients, clerks, opposing counsel, and judges. When they finally get to the location where records are stored, they are often inadvertently exposed to others—even firm outsiders—who shouldn’t have access to them at all.
As a result, the exposure of confidential material is something that happens all too often and puts the firm in danger of falling short of one of its cardinal commitments: guarding and securing client information.
This isn’t a problem that can go unsolved, and many firms are seeking a solution. But simply digitizing a filing system doesn’t remove the risk of an information breach—in fact, it can increase that risk if there are any discrepancies between standards and processes for accessing documents.
For instance, one firm might comply with the Federal E-Sign Act but another might not. One sender might implement end-to-end encryption for a document, ensuring document security along its entire route, while the recipient might have no informational safeguards at all. In unsecured digital systems, client trade secrets, privileged information, and litigation strategies can potentially be exposed and become the perfect target for cybercriminals. Despite this increasing vulnerability, though, many firms lack a cybersecurity plan entirely.
Embracing the Digital Age
Law firms aren’t the only ones to blame. Incongruences between state, local, and federal filing requirements can be significant hurdles for firms hoping to adopt security processes. While federal documents must be filed electronically, many state and local agencies or court districts still utilize a patchwork of print and e-filing. Kansas began requiring all attorneys to e-file in state courts in 2018, but Massachusetts allows e-filing without mandating it.
If all agencies adopted federal filing standards, it would solve a number of problems. Consistent, mandatory guidelines would make it possible to streamline processes at the firm level and for those in law to have more immediate access to public records. Most importantly, a unified system would make routine security updates and patches easier to implement.
Lawyers can be slow to adopt technology. Many are wary of embracing things like machine learning or predictive analytics despite their many potential benefits, such as deeper insights and increased security. And reasons for this sluggishness vary. Thirty-six percent cite a lack of tech knowledge or skills, and 34% point to a tech-resistant organizational culture.
Whatever the reason, the result is the same. Lawyers and law firms miss critical opportunities not only to secure client information, but also to ensure that it’s kept safe in the event of a disaster or breach.
Into the Breach
The American Bar Association reported last year that 23% of firms had reported a breach at some point, up from 14% in 2016. Six percent of those breaches resulted in the exposure of sensitive client data.
Small firms are particularly vulnerable. Eleven percent of solo practitioners had experienced a breach of sensitive client information, a number that’s up from zero in 2017. Criminals are identifying and taking advantage of those they can most easily exploit.
Firms must weigh their responsibilities in light of this escalating risk. Attorneys are required to take reasonable measures to protect client information—legally, contractually, and under the ABA’s ethical rules:
“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Technology might present new challenges, but lawyers’ responsibility is always to go beyond meeting minimal standards and make client security a top priority. Failure to do so could lead to a major black eye for a firm—or even its downfall. The fall from a tarnished reputation to financial failure is not far.
Ultimately, firms should treat this threat as a question not of “if” but of “when.” Keeping records of sensitive information is inherently part of practicing law, but it also creates a target for cybercriminals. As states catch up to federal standards, more information will be moved online, only making that information more accessible.
Keeping Information Safe
Responsible firms can take important steps today to protect private, sensitive data, and they can start with basic office procedures: informing every member of the staff of all policies regarding sensitive information and its exchange, whether in physical or digital form. On that foundation, an effective cybersecurity strategy can be built.
Not having an in-house IT specialist is no excuse for compromising client security. In an ever-changing cyber landscape, every firm—regardless of its size—must implement effective safeguards, staff training, ongoing reviews, and regular updates to its security systems. Clients are counting on it.
Jeffery Lauria is the VP of technology at iCorps Technologies, a leading IT consulting and managed services company. His experience spans over 20 years in all facets of IT with a focus on cybersecurity, data privacy, and compliance. His certifications include CISSP, CGEIT, CISA, CRISC, CCISO, CCSK, and CCSP.
© 2024 ALM Global, LLC, All Rights Reserved.