The first of this three-part series focused on the growing and substantial risk of hackers that all law firms face in the digital age. This article explores assumptions and errors that many law firms make in considering cyber issues. While some cyberattacks may be inevitable, there are common mistakes that many practitioners (and their firms) unwittingly make. By being informed of the risks, attorneys and firms can take steps to avoid common mistakes.

Implement Breach Prevention Protocols

Of course, the development and implementation of a cyberattack response plan is critical. But cyberattack prevention is arguably more important because it implicates both information technology and risk management issues. Law firms that successfully prevent cyber breaches generally follow four key steps.

First, firms can implement a comprehensive cybersecurity program. This typically consists of anti-virus protections, firewalls, secure connections, and requiring passwords for mobile or desktop devices. While these are common elements of a cybersecurity program, an often overlooked principle is determining what actually constitutes a “breach” that requires a response or notification of authorities and impacted individuals. For some law firms, any unauthorized access to a firm system may constitute a “breach”; others define “breach” as an event in which someone has taken something (like data or files or money) from the firm.

Second, some firms adopt an incident response plan before a breach occurs. Having a plan in place not only helps to avoid off-the-cuff decisions, it may also help a law firm defend against any claims of negligence should a breach occur.

Some elements that firms consider for their incident response plan include the following: (1) appointing a person to be in charge of responding to a breach; (2) the reporting chain of command for addressing a breach; (3) lists of server locations and where certain information is stored (to help support the internal investigation); (4) a protocol for conducting interviews and collecting and preserving critical evidence; (5) a policy for determining when to involve authorities; (6) a plan for notifying employees or affected parties (which ideally will reflect legal disclosure requirements); and (7) a media strategy.

Third, firms may test their cybersecurity programs and incident response plans. Routine review of records and activity logs helps to determine a baseline for what activity on the system is “normal.” This baseline is valuable because most hacks, malware, or phishing emails are not blatant or obvious. Evidence of a hack is almost always subtle or even hidden.

Determining what activity is “abnormal” necessarily requires knowing what activity is “normal.” Some law firms hire a professional hacker to test their systems, revealing vulnerabilities in networks and cybersecurity programs. These tests also help a law firm identify what sort of suspicious behavior to look for in the future.

Fourth, some firms train their employees to recognize what common risks look like, what the firm's security policies are, and how to report a suspected breach. Firms may also consider whether certain information, programs, or files should be limited to specific employees to reduce the risk of inadvertent disclosure, loss, or an internal incident.

Promote the Firm's Cybersecurity Efforts

The firm's efforts to protect sensitive client data can be a valuable business development tool. It is another way that firms can stand out in the marketplace and distinguish themselves in order to keep current clients and attract new ones. If a firm does not have the appropriate security protocols in place, or is unable to implement them, that may be the difference that results in a client choosing another firm to represent them.

By recognizing and understanding their clients' security needs, law firms can be more competitive. If a client requests or imposes specific security guidelines, the attorney in charge of the matter might want to consult the IT department to ensure that the law firm can certify compliance. Taking a representation for which the firm cannot provide proper cybersecurity or where it cannot meet the client's expectations of security may expose the firm to civil liability.

Retain Counsel

Counsel with experience in cybersecurity and malpractice defense issues can assist a law firm in developing an appropriate cybersecurity program, investigating an incident, and responding to the same. Involving counsel also helps cloak the situation in the attorney-client privilege.

Being able to rely on an outside attorney's advice regarding appropriate cyber protections and breach response protocols can be beneficial if the implementing law firm ever experiences a claim that the firm failed to adequately safeguard client data or failed to adequately respond to a breach. Otherwise, if there is no privilege, discussions about what protections were worth implementing (or which ones that could have saved client data were rejected) or the pros and cons of disclosing a potential incident before the investigation is complete could become exhibits in litigation brought by a disgruntled client.

Consider Cyber Insurance

Nearly all law firms have a professional liability insurance policy in place, which may provide coverage for the losses stemming from the breach of client information, IP infringement, or other third-party losses. But the costs of notifying clients, business interruption, investigation of a breach, or penalties assessed as a result of the breach may not be covered by a traditional malpractice policy.

Firms may therefore consider whether they need something more, such as specific cyber or data breach coverage, to protect them from the costs and exposure of a cyberattack.

No Firm Is Exempt

One of the biggest mistakes a law firm can make is thinking that it is invincible. All firms, even small firms, possess confidential data on their networks, such as employee Social Security numbers, privileged communications, and confidential client information.

And it does not take a sophisticated hacker to penetrate a network. If a firm does not have proper security protocols in place, a small mistake such as leaving a cellphone in a cab can provide a hacker an open door to the law firm's files.

Shari L. Klevens is a partner at Dentons and serves on the firm's U.S. board of directors. She represents and advises lawyers and insurers on complex claims and is co-chairwoman of Dentons' global insurance sector team. Alanna Clair is a senior managing associate at Dentons and focuses on professional liability defense. Klevens and Clair are co-authors of “The Lawyer's Handbook: Ethics Compliance and Claim Avoidance.”