Cyber-attacks in general are on the rise. In 2020 we witnessed security breaches at Solarwinds, Twitter, and Marriott and many other businesses. But hackers are no longer just focusing on the big giants. Today’s headlines include prominent law firms who are falling victim to cyber-attacks. Recently, we saw Jones Day law firm on the defense of a cyber-attack. Jones Day, who has many prominent clients including former President Donald Trump, had files stolen and posted on the dark web. But Jones Day is not alone, many law firms lack strong cybersecurity programs, thus making them prime targets to cyber-attacks.
Today, bad actors continue to scope out new targets. Law firms are an attractive target because of the sensitive data that they retain. Many law firms have access to highly confidential corporate data in addition to sensitive individual personal data. Law firms house highly sensitive information like financial data, corporate strategies, trade secrets, business transaction information, and other private information. In all these cases, law firms have both a legal and ethical obligation to protect their client’s data. As lawmakers attempt to enact legislation to protect consumer’s data, this ever changing legislative landscape is often difficult to maintain and implement.
Relying on in-house counsel or your IT department is not enough. To ensure your law firm is ready for a data breach, it is critical to have a cybersecurity attorney on retainer. IT security professionals are stretched thin. Many outsourced IT resources have multiple clients that they service. In an environment where we find a shortage of security expertise, recruitment and retainment of IT security staff is a challenge. They are often difficult to find and if you are lucky to have a dedicated IT security professional, rarely do they understand the law. State, local and sometimes international laws have specific legal requirements for the protection of private and privileged information, an IT team cannot manage on their own.
IT professionals are exceptionally good at securing and protecting data. It is risky to rely on your IT department, a cybersecurity attorney will ensure that all aspects of your IT security are compliant with regulations and will be there to represent you in the event something goes wrong.
What are some basic security measures that a law firm should implement?
Cybersecurity attorneys understand regulations, compliance, policies, laws, and protocols on the protection of private information. Cybersecurity attorneys are in high demand and you do not want to be left unguarded without one. There are however there are five easy low-cost steps you can take to help increase your Firm’s protection. These include:
- Two-factor authentication is essential to the protection of sensitive data. Two-factor authentication provides an extra layer of protection that makes it more difficult for hackers to access email, data storage, or other sensitive information.
- Update operating systems on a regular schedule. Updates provide solutions to known vulnerabilities in operating systems. If these are not fixed on a regular basis, you are basically inviting hackers to break into your system.
- Encryption, encryption, encryption! Encryption provides an easy and cost-effective layer of protection.
- Training of employees. All employees should be aware of potential phishing and other possible malware attacks and have a process to report these cyber-attacks.
- Password policies. Law firms should maintain a password policy that requires employees to change their passwords on a regular basis.
What happens when something goes wrong?
The question is not a matter of if, but a matter of when. Bulletproof cybersecurity may never become a reality; therefore, you want to be sure you are prepared. A cybersecurity attorney can be instrumental to the execution of your incident response program. The financial impact of a data breach can be damaging and can also include the loss of the client. Compliance with cybersecurity and privacy laws is not an option, severe penalties for noncompliance can not only present legal troubles but also severely impact your bottom line. With the proper incident response plan in place the impact of a cybersecurity incident can be minimized.
Cyber incidents come in all shapes and sizes. From the misdirected email to the large-scale cyber-attack, all cyber incidents need to be evaluated and should follow a documented cybersecurity response program. When a law firm suspects that a cybersecurity incident has occurred, there are potential notification requirements that are triggered. Some of these requirements are required by law, some are required by contract, some by both. In short, a prompt evaluation is necessary as sometimes the notification window is 72 hours after knowledge of the event.
Because time is of the essence, those who have a cybersecurity attorney on retainer are in a better position to respond to security incidents quickly and efficiently. A cybersecurity attorney is critical during the incident response evaluation and will be able to determine who and when needs to be notified.
In addition, a cybersecurity attorney will be able to assist with the investigation stage of the incident and provide key services such as coordination with forensic investigators, law enforcement, and third-party vendors. Most importantly, a cybersecurity attorney will enable the attorney-client privilege. Therefore, any work product or cybersecurity specialist retained by the attorney to address the cyber incident may be protected within the attorney-client privilege.
Data breaches in law firms are making headlines. You do not want to be caught off guard by a cyber incident and struggle to secure the right cybersecurity protection. Having a cybersecurity attorney on retainer is no longer a nice to have but instead a must have. It is critical that you be proactive and not wait for your firm to be attacked, at that point it may be too late.