Data breaches are unfortunately becoming more common, and law firms, given the sensitivity – and therefore value – of the data they handle, are falling victim to cyberattacks at an alarming rate.

Just recently, we've seen a major data issue at legal software provider Advanced Computer Software, affecting over 190 of the industry's most prestigious law firms.

Not only can data breaches cause hundreds of millions in monetary losses, but they can also result in significant reputational damage, as well as unquantifiable harm to the individuals, who may be impacted for the rest of their lives as their personal information is dispersed publicly around the globe. 

Each time a new breach comes to light, we are reminded of how much damage can be done in a short amount of time, often as the result of failed data governance practices and a lack of standard operating procedures.

For law firms combatting this growing threat, it is critical to understand, acknowledge, and address the role common legal industry business practices play in leaving their most sensitive data vulnerable and exposed.

Data governance efforts can be hindered by internal politics

Internal structure and governance can have a significant impact on a firm's ability to implement sound data management practices. Law firms are no longer just responsible for creating client work product; they must now also protect their clients' data.

In most corporate law firms, individual practice groups act as their own corporations within the firm, with a separate leader and organizational structure, and distinct administrative teams supporting them.

Often, client relationships are also siloed within these business units, and there is no global work plan or policy in place for how client data is saved, shared, retained and archived. This disjointedness can be easily exploited by cyber criminals.

There is no in-house security expert

The role of a Chief Information Security Officer is new to the legal world, but because of the challenges typical law firm organizational structures present to cohesive data governance, it has never been more important to hire an internal data security expert who will deploy an holistic plan.

This is not something that can be outsourced. Protecting your firm against these increasingly sophisticated threats requires an expert who understands the threat landscape, is fully integrated into the business, and knows the firm's specific vulnerabilities.

Security experts can implement an enterprise level strategy for ensuring information assets are protected, including properly vetting and integrating of technology solutions, implementing standard operating procedures, mandating employee training and raising awareness around cybersecurity policies.

Cybersecurity protocols are insufficient

Many law firms do not have adequate cybersecurity policies and processes in place, particularly when it comes to vetting third-party vendors and integrating new technologies into the firm.

When you alter the technology to meet a business need, without considering the broader ramifications—for example, failing to integrate new security protocols into legacy software that remains integral to the business—it can introduce vulnerabilities that may put the company at risk for data breaches. 

Devices are not encrypted and data is improperly stored

Law firms have historically not had much discipline around securing and storing data. In today's data landscape, law firms should do away with prioritization schedules, and instead look at all of their data through the lens of heightened security.

This includes having policies in place around how lawyers access data while working remotely around the world. It also means ensuring that laptops, hard drives and USB drives are encrypted, and phones and laptops are equipped with tracking technology.  The widespread use of BYOD (bring your own device) policies can also put firms at significant risk.

Records management needs an overhaul

Records management teams must become more coordinated across the law firm in order to prevent the loss of sensitive information, viewing each client relationship regardless of service offering as one.

Exhaustive data retention and storage policies should be implemented to ensure data is secured. This includes avoiding common practices like saving documents locally or on shared drives. In some cases, it makes sense to implement heightened policies for dealing with particularly sensitive client data.

This is especially important when dealing with clients' intellectual property, as well as with data responsive to white collar and antitrust matters, where data is reviewing data before production to enforcement agencies.

Employee cybersecurity training is lacking

Data breaches are often the result of human error, and can be avoided with proper employee training and awareness raising around cybersecurity policies. Businesses must be completely in sync with their people deploying technology infrastructure.

It is critical that users understand the threats and are aware of the important role they play in protecting the firm and their clients' sensitive data. This includes robust and ongoing training around password policies; data management, retention and archiving; and managing firm-owned, and personal, devices containing sensitive information. 

Frances McLeod is the founding partner of audit and advisory firm, Forensic Risk Alliance.