Cybersecurity, Part 2: Preventing a Breach
November 09, 2017 at 04:35 PM
17 minute read
The first of this three-part series focused on the growing and substantial risk of hackers that all law firms face in the digital age. This article explores assumptions and errors that many law firms make in considering cyber issues. While some cyberattacks may be inevitable, there are common mistakes that many practitioners (and their firms) unwittingly make. By being informed of the risks, attorneys and firms can take steps to avoid common mistakes.
Implement Breach Prevention Protocols
Of course, the development and implementation of a cyberattack response plan is critical. But cyberattack prevention is arguably more important because it implicates both information technology and risk management issues. Law firms that successfully prevent cyber breaches generally follow four key steps.
First, firms can implement a comprehensive cybersecurity program. This typically consists of anti-virus protections, firewalls, secure connections, and requiring passwords for mobile or desktop devices. While these are common elements of a cybersecurity program, an often overlooked principle is determining what actually constitutes a “breach” that requires a response or notification of authorities and impacted individuals. For some law firms, any unauthorized access of a firm system may constitute a “breach”; others define “breach” as an event in which someone has taken something (like data or files or money) from the firm.
Second, some firms adopt an incident response plan before a breach occurs. Having a plan in place not only helps to avoid off-the-cuff decisions, it may also help a law firm defend against any claims of negligence should a breach occur.
Some elements that firms consider for their incident response plan include the following: (1) appointing a person to be in charge of the response to a breach; (2) the reporting chain of command for addressing a breach; (3) lists of server locations and where certain information is stored (to help support the internal investigation); (4) a protocol for conducting interviews and collecting and preserving critical evidence; (5) a policy for determining when to involve authorities; (6) a plan for notifying employees or affected parties (which ideally will reflect legal disclosure requirements); and (7) a media strategy.
Third, firms may test their cybersecurity programs and incident response plans. Routine review of records and activity logs helps to determine a baseline for what activity on the system is “normal.” This baseline is valuable because most hacks, malware, or phishing emails are not blatant or obvious. Evidence of a hack is almost always subtle or even hidden.
Determining what activity is “abnormal” necessarily requires knowing what activity is “normal.” Some law firms hire a professional hacker to test their systems, revealing vulnerabilities in networks and cybersecurity programs. These tests also help a law firm identify what sort of suspicious behavior to look for in the future.
Fourth, some firms train their employees to recognize what common risks look like, what the firm's security policies are, and how to report a suspected breach. Firms may also consider whether certain information, programs, or files should be limited to specific employees to reduce the risk of inadvertent disclosure, loss, or an internal incident.
Promote the Firm's Cybersecurity Efforts
The firm's efforts to protect sensitive client data can be a valuable business development tool. It is another way that firms can stand out in the marketplace and distinguish themselves in order to keep current clients and attract new ones. If a firm does not have the appropriate security protocols in place, or is unable to implement them, that may be the difference that results in a client choosing another firm to represent them.
By recognizing and understanding their clients' security needs, law firms can be more competitive. If a client requests or imposes specific security guidelines, the attorney in charge of the matter might want to consult the IT department to ensure that the law firm can certify compliance. Taking a representation for which the firm cannot provide proper cybersecurity or where it cannot meet the client's expectations of security may expose the firm to civil liability.
Retain Counsel
Counsel with experience in cybersecurity and malpractice defense issues can assist a law firm in developing an appropriate cybersecurity program, investigating an incident, and responding to the same. Involving counsel also helps cloak the situation in the attorney-client privilege.
Being able to rely on an outside attorney's advice regarding appropriate cyber protections and breach response protocols can be beneficial if the implementing law firm ever experiences a claim that the firm failed to adequately safeguard client data or failed to adequately respond to a breach. Otherwise, if there is no privilege, discussions about what protections were worth implementing (or which ones that could have saved client data were rejected) or the pros and cons of disclosing a potential incident before the investigation is complete could become exhibits in litigation brought by a disgruntled client.
Consider Cyber Insurance
Nearly all law firms have a professional liability insurance policy in place, which may provide coverage for the losses stemming from the breach of client information, IP infringement, or other third-party losses. But the costs of notifying clients, business interruption, investigation of a breach, or penalties assessed as a result of the breach may not be covered by a traditional malpractice policy.
Firms may therefore consider whether they need something more, such as specific cyber or data breach coverage, to protect them from the costs and exposure of a cyberattack.
No Firm Is Exempt
One of the biggest mistakes a law firm can make is thinking that it is invincible. All firms, even small firms, possess confidential data on their networks, such as employee Social Security numbers, privileged communications, and confidential client information.
And it does not take a sophisticated hacker to penetrate a network. If a firm does not have proper security protocols in place, a small mistake such as leaving a cellphone in a cab can provide a hacker an open door to the law firm's files.
Shari L. Klevens is a partner at Dentons and serves on the firm's U.S. board of directors. She represents and advises lawyers and insurers on complex claims and is co-chairwoman of Dentons' global insurance sector team. Alanna Clair is a senior managing associate at Dentons and focuses on professional liability defense. Klevens and Clair are co-authors of “The Lawyer's Handbook: Ethics Compliance and Claim Avoidance.”