As the news media continues to make us aware of the ever mounting data breaches within our corporations and government agencies one would assume these institutions are the only key targets for state and criminal sponsored hackers. However, data breaches at law firms are occurring at an ever increasing rate yet go primarily unreported. However, 25% of firms did report some type of breach in 2015 up from 10% in 2012.

The fact that law firms host enormous amounts of very valuable data ranging from corporate intellectual property and strategy documents to sensitive government secrets is not lost on those who can gain from obtaining it. Implementing sound IT systems and data security practices is an essential business practice for every law firm as well as an ethical duty for lawyers. Law firms that ignore this risk and do not devote the proper amount of resources to protect client data do so at their own demise.

The simple fact is whether law firms like it or not they are by the very nature of their profession entrenched in the data management/security business.

The potential catastrophic financial impact a breach could have on a firm is something that every Managing Partner must consider. The average cost of a data breach ranges from $6.4mm to $7.5mm, including forensic investigation, remediation, notification expense, credit monitoring and crises management. This does not include the negative impact of any client attrition that undoubtedly occurs. Therefore the very existence of the law firm may hinge on their ability to withstand such a cost.

 

Lawyers Duty to Protect Client Data

The legal and ethical obligations of law firms to protect client data is very well documented. A variety of Federal laws like Health Insurance Portability Act “HIPAA” and Fair and Accurate Credit Transactions Act “FACTA” clearly obligate lawyers to protect certain types of data in their possession. States have also imposed obligations on law firms and businesses to protect personally identifiable information “PII” including driver’s license and social security numbers. Failure to do so can result in civil action, suits and penalties.

Lawyers are also tasked with complying with their ethical duties as spelled out in the ABA Model Rules of Professional Conduct 1.1 and 1.6. Any violation may result in a malpractice lawsuit and potential disciplinary action.

To compound matters almost every law firm today goes through a myriad of IT systems and security audits at the demand of their corporate and government clients. Failure to meet client’s requirements may result in the loss of business or significant infrastructure investment to bring the firm into compliance. This is particularly true of firms who work in the financial, and healthcare industries.

Therefore, responsible firms should pursue either an internal examination or external independent audit that looks at the following areas of information security. While this list is not exhaustive it is a good first step into making security conscious decisions and laying the groundwork for a holistic approach to security.

Key Insight

The simple fact is whether law firms like it or not they are by the very nature of their profession entrenched in the data management/security business.

The Cloud

Law firms should use cloud providers that can reasonably protect and provide assurances on overall data security. Knowing the answers to the following questions should help in the selection process:

  • Will the data be encrypted?
    • Who holds the encryption keys?
    • Is the data encrypted in Transit and in Motion?
  • Might it be subject to international search and seizure?
  • Has your client approved of data being stored in the cloud?
  • Does the provider provide Litigation Hold technology preventing deletion of data?
  • What auditing and security capabilities are available with the platform?
  • Email Security

Law firms need to consider using email encryption. There are many forms of email encryption. These options include utilizing a third party service to encrypt the content of your messages, encrypting your email database/file system, and finally encrypting emails in transit. Utilizing third parties, or encrypting the email databases can pose challenges to end users. However, ensuring the communications channel between your email system and the recipient’s email system can be a seamless process for both end users.

 

BYOD

Best practice is to have a clearly written BYOD policy regulating usage with the law firm having ultimate control over all devices. Strong consideration should be given to installing software that can remotely wipe all data from devices in the event an employee should leave the firm. Mobile device management platforms that support containerization of business and personal data, enhanced security controls, encryption key escrow, and tracking & management of mobile devices is of extreme importance.

 

Encryption

All portable devices (phones, tables, laptops, media, etc.) are subject to loss or theft. Encrypting them not only makes sense, but with today’s technology this is a very easy step to accomplish in mitigating the risk to critical firm or client data.

 

Password Policy

All firms should have a policy that mandates passwords are changed at certain intervals throughout the year with characterizations consisting of numbers, letters and special characters. It is also important to note that a password of 12 characters is significantly more difficult to crack (years) than a password of 8 characters (2 hours). Another thing to consider is to allow the use of dictionary words, but extending the password requirements to be greater than 16 characters.

 

Training

Everyone in the firm should understand the ethical and professional responsibilities they have to ensure the data in their possession is protected. General Counsel should clearly articulate the data governance and IT security policies of the firm as well as the expectations for compliance. Periodic training updates and refresher courses are highly recommended as it is human nature to revert back to old habits that may put data security at risk.

 

Wireless

Wireless access points should be considered untrusted devices. The ability to exploit laptops that are utilizing “public” Wi-Fi does not require any skill. Mobile employees should be equipped with company or personal hotspots to protect company assets.

 

Cyber Errors and Omissions Insurance Policy

Every Law Firm should have Cyber E&O coverage. The very survival of the business may depend on it! Most policies cover the cost of litigation, loss of income and client notification. In some cases it can also cover regulatory fines, penalties and miscellaneous expenses.

 

TAKE A PROGRAMATTIC APPROACH TO DATA SECURITY

In closing, data breach is a very real threat and has become an ever growing concern to Managing Partners and CIOs of law firms around the world, regardless of size or practice areas. Complicating matters are law firm clients who are becoming increasingly more sophisticated about data security requirements and demanding their lawyers and their firms have systems in place to ensure compliance. Failure to protect client data by a law firm can result in disastrous monetary and reputational consequences. Therefore, instituting a comprehensive data security program at the enterprise level of every firm is a necessary cost of doing business.