I hear the naysayers. According to the technophobes and others who continue to kick and scream about the invasion of technology into their practices, the recent “virus intrusion” that paralyzed the Philadelphia Court of Common Pleas highlights why we should return to paper filing, and scrap systems like Pacer, PACFile and, of course, the one used so successfully for many years in the First Judicial District of Pennsylvania.

I disagree.

Returning to paper filing, and curtailing online access to court records, is not a viable option any more than it is possible to return to the days when lawyers used paper versions of Shepard's Citations and smartphones were the stuff of “Star Trek” and even “Lost in Space.” While the court's reference to a “virus intrusion” is sufficiently vague to prevent the public from learning exactly what happened, we can assume that a virus, malware or ransomware is the cause of the problem.

Does the cause really matter? Not really. The result is the same: As of the writing of this article, the court's electronic filing system and access to court dockets have been inaccessible since May 21, and are still inaccessible, and lawyers and their staffs are scrambling to meet deadlines using paper. Meanwhile, users are left in the dark about what happened and how long the court's website will be down.

The “virus intrusion” should remind lawyers that they remain vulnerable to attacks and must take appropriate precautions to avoid being next. Without facts, we can only speculate on what happened in Philadelphia. What we do know is that many experts say that because of limited funding, government websites such as Philadelphia's may not contain the up-to-date protections necessary to prevent these attacks.

Unlike governments, which are generally immune from liability for data breaches, law firms and private businesses are not. Plus, lack of financial resources will not insulate a law firm from liability. If a hacker accesses a firm's confidential data, or if a firm cannot access confidential and sensitive client information because of an intrusion, the firm may lose clients and find itself the defendant in a lawsuit. The results can be devastating.

I have seen firms totally paralyzed by hackers, or so traumatized by an attack that they want to close up shop and find new careers. They do not know where to start to rebuild their firm's damaged infrastructure and worry—rightfully so—about the legal and the ethical implications of their actions, or their inactions. And if they do not have cyber insurance, they often are helpless because they do not even know where to begin their journey back to some level of normalcy.

With that in mind, here is a basic cybersecurity awareness checklist for every firm, from solos to their largest brethren:

  • Everything needs data protection.

The expression that “a chain is only as strong as its weakest link” applies to technology. Office technology ranges from servers to PCs to laptops to smartphones to flash drives and to the SD cards that we use to store our smartphone data. Each is an access point, and each needs protection. As a start, every device needs to be encrypted, that is, the data should be stored securely so that only persons with the proper code/password can view the information. Many smartphones have built-in encryption, as do Windows 10 and most server software.

In addition, every computer needs antivirus and anti-malware protection, as well as a firewall. Often, this protection is included in comprehensive security suites such as Norton/Symantec or McAfee. Offices should also consider a hardware firewall, which provides an enhanced level of security over firewall software. And of course, use a jetpack/hotspot when accessing the Internet outside of the office, or include a VPN (virtual private network) program on all mobile devices to avoid ever using free (and often dangerous) public WiFi.

  • Use layers of data protection.

Just as you protect yourself from winter by wearing layers of clothes, you can protect your data by using layers of protection. Thus, your security should include multiple layers of protection, including strong authentication measures to protect against unwelcome hackers.

  • Get help.

All of these types of security can seem overwhelming. If that is the case, and if all of this sounds like a foreign language, hire a reputable security company to review your data systems and recommend whether an overhaul, or merely a tweak, is necessary.

  • Create a culture of cybersecurity awareness.

Many data breaches are the result of human error, ignorance or carelessness. Whether it is someone clicking on a link in an email rather than taking the steps needed to avoid a phishing attempt, or it is a client who was the victim of a spear phishing attack, most breaches could have been avoided. And if you don't know what a spear-phishing attack is, you better find out quickly.

If your data are vulnerable because an employee was careless and left a laptop at a restaurant, they should know how to remotely wipe or disable the device. The same with a phone or any other portable technology.

Your firm can address these circumstances by educating your staff about cybersecurity risks, especially those associated with mobile devices, and training them how to minimize the dangers. While it is helpful to have rules and regulations, they can be meaningless unless your staff has received the proper training. There are many firms that provide cybersecurity awareness training. Contact one.

  • Keep your software up-to-date.

Microsoft and other companies regularly provide free software updates (did you know almost all Windows updates are released on Tuesdays?). These updates often include security updates to protect users against vulnerabilities that could expose users to viruses and other dangers. It is important to either roll out updates regularly or to require users to install updates regularly.

  • Run cybersecurity breach drills.

Remember fire drills? They were annoying and generally disrupted your day. Despite the inconvenience, you knew what to do and where to go if there really was a fire. Running readiness drills is an important way to maintain staff awareness about how to handle cybersecurity threats. There are online sources explaining how to run these drills. Alternatively, you could hire a cybersecurity agency to simulate an attack and determine whether your firm was as prepared as you had thought.

  • Purchase cybersecurity insurance.

Most, if not all, firms should purchase cybersecurity or cyber-risk insurance. Cybersecurity insurance is an essential risk management tool for law firms because of their access to confidential and sensitive information. Cybersecurity insurance mitigates a firm's losses from a data breach, damage to a network or other cyber-interruptions that can paralyze an office and cause revenue losses.

Cybersecurity insurance can also provide your firm with legal counsel, handle data breach notifications, and take other actions to mitigate damages. Some policies provide access to ethics or technoethics counsel, who can counsel a firm on the ethical concerns that arise when there is a cybersecurity event. Typically, most general liability insurance riders do not provide the same level of protection.

  • Choose your cloud vendors carefully.

Best practices require that lawyers store data (or backups) both onsite and in the cloud. In addition, Pa.R.P.C. 1.15(c)(3) requires that attorneys be able to produce printed copies of their IOLTA account statements, and that the records “be backed up on a separate electronic storage device at least at the end of any day on which entries have been entered into the records.” To prevent the loss of data through an onsite hack, or a disaster, lawyers should also store their IOLTA records in the cloud.

Using a cloud provider requires firms to take reasonable efforts to assure that the firm meets the appropriate legal and ethical requirements. If, like many lawyers, you do not know what to ask a cloud vendor, you could hire a consultant to assist with the process. But even if you do, there are a few essential questions:

  • Which industry security standards does it practice?
  • What type of security audits will it provide, and how can you review the results?
  • Has it implemented reasonable security precautions to protect client data from inadvertent disclosures, including but not limited to the use of firewalls, password protection, and encryption?
  • Will it agree that all data is the firm's because all client files belong to the client, not the firm or the cloud provider?
  • Will it honor a lawyer's duties of confidentiality and immediately notify the lawyer of any breaches or outside requests for client information?

In conclusion, despite high profile intrusions such as the one that shut down the Philadelphia Court of Common Pleas, technology and the internet are here to stay. Law firms can learn from these events and be better prepared to handle whatever intrusions the cyber world confronts them with. So, take the time to assess your firm's situation and be better prepared. After all, it's better to be prepared and prevent an attack than to discover your system is down on the day a major filing is due.

Daniel J. Siegel, principal of the Law Offices of Daniel J. Siegel, provides technoethical guidance, general counsel services, and Disciplinary Board representation for attorneys and law firms. He is the editor of “Fee Agreements in Pennsylvania” (6th Edition) and author of “Leaving a Law Practice: Practical and Ethical Issues for Lawyers and Law Firms” (Second Edition), published by the Pennsylvania Bar Institute. He can be reached at [email protected].