Legal documents live transitory lives. They contain reams of sensitive information that pass through the hands of lawyers and paralegals, and then they go through the process of being reviewed and signed by clients, clerks, opposing counsels, and judges. When they finally get to the location where records are stored, they are often inadvertently exposed to others—even firm outsiders—who shouldn’t have access to them at all.

As a result, the exposure of confidential material is something that happens all too often and puts the firm in danger of falling short of one of its cardinal commitments: guarding and securing client information.

This isn’t a problem that can go unsolved, and many firms are seeking a solution. But simply digitizing a filing system doesn’t remove the risk of an information breach—in fact, it can increase that risk if standards and processes for accessing documents are inconsistent.

For instance, one firm might comply with the Federal E-Sign Act but another might not. One sender might implement end-to-end encryption for a document, ensuring document security along its entire route, while the recipient might have no informational safeguards at all. In unsecured digital systems, client trade secrets, privileged information, and litigation strategies can potentially be exposed and become the perfect target for cybercriminals. Despite this increasing vulnerability, though, many firms lack a cybersecurity plan entirely.


Embracing the Digital Age

Law firms aren’t the only ones to blame. Incongruences between state, local, and federal filing requirements can be significant hurdles for firms hoping to adopt security processes. While federal documents must be filed electronically, many state and local agencies or court districts still utilize a patchwork of print and e-filing. Kansas began requiring all attorneys to e-file in state courts in 2018, but Massachusetts allows e-filing without mandating it.

If all agencies adopted federal filing standards, it would solve a number of problems. Consistent, mandatory guidelines would make it possible to streamline processes at the firm level and for those in law to have more immediate access to public records. Most importantly, a unified system would make routine security updates and patches easier to implement.

Lawyers can be slow to adopt technology. Many are wary of embracing things like machine learning or predictive analytics despite their many potential benefits, such as deeper insights and increased security. And reasons for this sluggishness vary. Thirty-six percent cite a lack of tech knowledge or skills, and 34% point to a tech-resistant organizational culture.

Whatever the reason, the result is the same. Lawyers and law firms miss critical opportunities not only to secure client information, but also to ensure that it’s kept safe in the event of a disaster or breach.


Into the Breach

The American Bar Association reported last year that 23% of firms had reported a breach at some point, up from 14% in 2016. Six percent of those breaches resulted in the exposure of sensitive client data.

Small firms are particularly vulnerable. Eleven percent of solo practitioners had experienced a breach of sensitive client information, a number that’s up from zero in 2017. Criminals are identifying and taking advantage of those they can most easily exploit.

Firms must weigh their responsibilities in light of this escalating risk. Attorneys are required to take reasonable measures to protect client information—legally, contractually, and under the ABA’s ethical rules:

“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Technology might present new challenges, but lawyers’ responsibility is always to go beyond meeting minimal standards and make client security a top priority. Failure to do so could lead to a major black eye for a firm—or even its downfall. The fall from a tarnished reputation to financial failure is not far.

Ultimately, firms should treat this threat as a question not of “if” but “when.” Keeping records of sensitive information is inherently part of practicing law, but it also creates a target for cybercriminals. As states catch up to federal standards, more information will be moved online, only making that information more accessible.


Keeping Information Safe

Responsible firms can take important steps today to protect private, sensitive data, beginning with basic office procedures: informing every member of the staff of all policies regarding sensitive information and its exchange, whether in physical or digital form. On that foundation, an effective cybersecurity strategy can be built.

Not having an in-house IT specialist is no excuse for compromising client security. In an ever-changing cyber landscape, every firm—regardless of its size—must implement effective safeguards, staff training, ongoing reviews, and regular updates to their security systems. Clients are counting on it.

Jeffery Lauria is the VP of technology at iCorps Technologies, a leading IT consulting and managed services company. His experience spans over 20 years in all facets of IT with a focus on cybersecurity, data privacy, and compliance. His certifications include CISSP, CGEIT, CISA, CRISC, CCISO, CCSK, and CCSP.