The Six Biggest Cybersecurity Threats to Law Firms
Law firms are constantly at risk of cybercrime; how they approach this risk can be of vital importance.
May 25, 2020 at 12:49 AM
5 minute read
Data breaches are unfortunately becoming more common, and law firms, given the sensitivity – and therefore value – of the data they handle, are falling victim to cyberattacks at an alarming rate.
Just recently, we've seen a major data issue at legal software provider Advanced Computer Software, affecting over 190 of the industry's most prestigious law firms.
Not only can data breaches cause hundreds of millions in monetary losses, but they can also result in significant reputational damage, as well as unquantifiable harm to the individuals, who may be impacted for the rest of their lives as their personal information is dispersed publicly around the globe.
Each time a new breach comes to light, we are reminded of how much damage can be done in a short amount of time, often as the result of failed data governance practices and a lack of standard operating procedures.
For law firms combatting this growing threat, it is critical to understand, acknowledge, and address the role common legal industry business practices play in leaving their most sensitive data vulnerable and exposed.
Data governance efforts can be hindered by internal politics
Internal structure and governance can have a significant impact on a firm's ability to implement sound data management practices. Law firms are no longer just responsible for creating client work product; they must now also protect their clients' data.
In most corporate law firms, individual practice groups act as their own corporations within the firm, with a separate leader and organizational structure, and distinct administrative teams supporting them.
Often, client relationships are also siloed within these business units, and there is no global work plan or policy in place for how client data is saved, shared, retained and archived. This disjointedness can be easily exploited by cyber criminals.
There is no in-house security expert
The role of a Chief Information Security Officer is new to the legal world, but because of the challenges typical law firm organizational structures present to cohesive data governance, it has never been more important to hire an internal data security expert who will deploy an holistic plan.
This is not something that can be outsourced. Protecting your firm against these increasingly sophisticated threats requires an expert who understands the threat landscape, is fully integrated into the business, and knows the firm's specific vulnerabilities.
Security experts can implement an enterprise level strategy for ensuring information assets are protected, including properly vetting and integrating of technology solutions, implementing standard operating procedures, mandating employee training and raising awareness around cybersecurity policies.
Cybersecurity protocols are insufficient
Many law firms do not have adequate cybersecurity policies and processes in place, particularly when it comes to vetting third-party vendors and integrating new technologies into the firm.
When you alter the technology to meet a business need, without considering the broader ramifications—for example, failing to integrate new security protocols into legacy software that remains integral to the business—it can introduce vulnerabilities that may put the company at risk for data breaches.
Devices are not encrypted and data is improperly stored
Law firms have historically not had much discipline around securing and storing data. In today's data landscape, law firms should do away with prioritization schedules, and instead look at all of their data through the lens of heightened security.
This includes having policies in place around how lawyers access data while working remotely around the world. It also means ensuring that laptops, hard drives and USB drives are encrypted, and phones and laptops are equipped with tracking technology. The widespread use of BYOD (bring your own device) policies can also put firms at significant risk.
Records management needs an overhaul
Records management teams must become more coordinated across the law firm in order to prevent the loss of sensitive information, viewing each client relationship regardless of service offering as one.
Exhaustive data retention and storage policies should be implemented to ensure data is secured. This includes avoiding common practices like saving documents locally or on shared drives. In some cases, it makes sense to implement heightened policies for dealing with particularly sensitive client data.
This is especially important when dealing with clients' intellectual property, as well as with data responsive to white collar and antitrust matters, where data is reviewing data before production to enforcement agencies.
Employee cybersecurity training is lacking
Data breaches are often the result of human error, and can be avoided with proper employee training and awareness raising around cybersecurity policies. Businesses must be completely in sync with their people deploying technology infrastructure.
It is critical that users understand the threats and are aware of the important role they play in protecting the firm and their clients' sensitive data. This includes robust and ongoing training around password policies; data management, retention and archiving; and managing firm-owned, and personal, devices containing sensitive information.
Frances McLeod is the founding partner of audit and advisory firm, Forensic Risk Alliance.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllCan Labour's New Budget Steady the Ship? Big Moves On UK Tax Reform and Fiscal Stability
5 minute readMexico's Judicial Reforms and the Implications for Foreign Investors
5 minute readTrending Stories
- 1Senate Democrats Advance 4th Circuit Pick Ryan Park’s Nomination
- 2Judge Rejects Meta’s Plea to Send FTC Antitrust Suit to Trash Heap
- 3How Have You Fared in 2024? Share Your Insights in the Managing Partners Survey
- 4Court Rules Mere Conduit Defense Not Suitable for a Motion to Dismiss
- 5Ironclad Officially Launches New Gen AI Assistant Jurist
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250