Bill4Time


legal data security

3 Strategies To Improve Data Security for Law Firms

June 7, 2024 By Dan Bowman

It’s no secret that data security for law firms is of the utmost importance. News stories explain that hackers see law firms as wealthy targets, and the larger the client you land, the more of a target you become.

The ABA TechReport shows most attacks are directed at small and medium-sized firms.

  • 27% of attacks were directed at firms with 2 – 9 attorneys
  • 35% of attacks were directed at firms with 10 – 49 attorneys
  • 33% of attacks were directed at firms with 50 – 99 attorneys

As far as cybercriminals are concerned, small law firms are the low-hanging fruit. They’re easy pickings for criminal opportunists looking for an easy payday.

  • Law firms have a treasure trove of data. They have client, firm and customer data in the form of agreements, documents, contact details, insider information, and personal and financial documents. 
  • Law firms have deep pockets. Cybercriminals assume law firms have a significant amount of cash on hand in the form of hourly billings or cash in a client’s trust account. 
  • Law firms are exposed and vulnerable. The ABA report also shows that a little over a quarter of surveyed law firms have experienced a data breach.

Law firms act as indirect information brokers. They’re expected to safeguard their client’s business. Sure, that’s not your core business. You’re focused on taking care of your client’s legal matters. But that doesn’t matter to these cybercriminals.

What Law Firms Can Do To Improve Data Security

As information brokers, law firms can take precautionary steps to ensure that the information in their possession — law firm and client data — stays in their possession.

A report from LogicForce had some surprising implications. 

  • 53% didn’t have a data breach response/recovery plan 
  • 77% of firms didn’t have cyber insurance
  • 95% of respondents were noncompliant with their own cyber policies
  • 100% were noncompliant with their client’s policies

The vast majority of law firms are vulnerable to a data breach. That’s obviously bad news for law firms. However, these vulnerabilities provide law firms with the clarity and direction they need. Let’s take a look at some of the steps law firms can take to secure their data. 

1. Create a cybersecurity policy

A cybersecurity policy outlines the systems and procedures needed to guard your data against attacks. This policy provides firm-wide direction outlining:

  • Roles and Responsibilities: Outline who is responsible for various aspects of cybersecurity within the firm.
  • Access Controls: Specify who has access to which data and under what circumstances.
  • Data Protection Measures: Detail how your data will be protected, including encryption and other security measures.
  • Accountability: Assign clear responsibility for protecting the firm’s data.
  • Security Programs: List the necessary security software (e.g., antivirus, firewall, and anti-exploit software) that needs to be installed and maintained.
  • Update and Patch Management: Describe the procedures for applying hardware and software updates to ensure all systems remain secure.
  • Data Backup Protocols: Outline the methods and schedules for backing up data, including the location of backups and the frequency of these backups.

2. Move to the cloud

Many small to medium law firms face challenges in preparing for potential data breaches. This isn’t due to any lack of effort or capability; it’s often about resources and costs.

Building a robust in-house IT department can be expensive. Here’s a glimpse of what you might need to spend on key roles:

| Title/Role | Small | Medium | Enterprise |
|---|---|---|---|
| Network Operations Manager | $131,011 | $146,434 | $161,603 |
| Network Administrator | $82,922 | $91,686 | $101,051 |
| Help Desk Support Rep | $40,145 | $49,506 | $59,822 |
| Installation and Maintenance Technician | $99,238 | $118,461 | $141,090 |
| Total Cost for IT Staff | $353,316 | $406,087 | $463,566 |

These figures only cover salaries and don’t account for benefits, bonuses, or other perks. Additionally, they don’t include costs for:

  • Laptops, mobile devices, and other hardware
  • Software licenses and setup fees
  • Regular data backups, maintenance, and archiving
  • Internet and network services
  • 24-hour support, including higher costs for on-call staff

These expenses make a compelling case for law firms to move their operations to the cloud. Cloud-based practice management software enables you to offload your network security to a trustworthy provider. Bill4Time, for example, maintains bank-grade security to keep law firm operations running smoothly and safely.

With cloud solutions, your provider handles security, data backups, and compliance requirements. They protect your firm from data breaches, unauthorized access, accidents, and human errors. Cloud-based providers are responsible for maintaining high levels of security and ensuring your data is backed up regularly, helping to shield your firm from various risks.

3. Create a disaster response and data recovery plan

The ABA Legal Technology Survey Report also highlights some concerning statistics as law firms face constant threats of cyber-attacks:

  • 29% of firms have conducted a full security assessment by a third party to identify and address vulnerabilities.
  • 43% of law firms use online backup solutions such as cloud-based services for storing their data securely.
  • 34% of firms have an incident response plan, a concerning drop from previous years.

To safeguard client data and maintain the integrity of your firm, it’s imperative to implement a comprehensive disaster response and data recovery plan. Here’s an outline to get you started:

  • Incident Response Team: Identify key personnel responsible for handling cyber incidents.
  • Contact Lists: Maintain updated contact information for internal teams and external partners.
  • Backup Procedures: Outline how and when data backups will occur, including locations.
  • Data Restoration Steps: Specify the steps for restoring data from backups in an emergency.
  • Communication Plan: Establish protocols for informing clients and stakeholders about incidents.
  • Access Controls: Define procedures for managing and restricting access to sensitive data.
  • Testing Schedule: Regularly test your disaster recovery processes to ensure they are effective.
  • Legal and Compliance Guidelines: Ensure adherence to legal requirements and ethical standards for data protection.

Including these elements in your disaster response and data recovery plan will help you swiftly address and recover from any cyber incident, safeguarding your firm’s data integrity and client trust.

Good Data Security Makes Your Law Firm a Hard Target

It’s important to be proactive when it comes to data security for law firms. Breaches occur every day, but with the right tools and processes in place, your firm doesn’t have to fall victim to the next cybersecurity attack.

Filed Under: Blog Tagged With: cybersecurity, legal data security

Law Firm Data Breach: What To Do When The Worst Happens

August 19, 2019 By Andrew McDermott

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Then-FBI director Robert Mueller shared these sobering words at the 2012 RSA Cybersecurity conference. When it comes to a data breach, it’s not a matter of if but when and how bad. These words aren’t exactly encouraging. It’s as if he believes a data breach is inevitable. 

He’s right. 

But most firms aren’t prepared for this reality. Many legal professionals prefer to roll the dice. They still assume it can’t or won’t happen to them. 

Most firms aren’t prepared for a data breach 

The LogicForce Cybersecurity Scorecard states 53% of firms have no disaster response or recovery plan in place. 60% of firms don’t have a security and compliance officer and, what’s worse, they have no plans to hire one. 77% of these firms have no cybersecurity insurance.

These firms are exposed. 

Large firms may be able to take the financial hit from a data breach or adverse cybersecurity event, but what about smaller firms? Can they afford to take the hit? Data from the ABA Tech Report suggests that the answer is no. 

Are they prepared for an attack? An ILTA survey showed:

  • 87 percent of law firms do not encrypt laptops, netbooks and mobile devices
  • 61 percent don’t have intrusion detection tools in place
  • 64 percent don’t have intrusion protection tools 
  • 40 percent of firms weren’t even aware an attack had occurred
  • 22 percent have a documented cybersecurity training program
  • Only 23 percent have cybersecurity insurance policies in place

The majority of small-to-medium law firms aren’t prepared to recover from the inevitable attack headed their way. 

The law firm data breach: How to recover

Let’s imagine that the inevitable has happened. A disgruntled insider or predatory outsider has broken into your company. What are the steps you should take to recover from an adverse cybersecurity event?

Step 1: Secure your network/data

You’ll want to take steps to lock down your data, traffic and network. You’ll also want to verify that the right employees have access to the right data, at the right time. 

  1. Notify your IT or data forensics team. Request that they conduct a thorough investigation. If your firm has multiple departments, you’ll want to make sure you have the appropriate teams on deck and ready to help. 
  2. Consult with your resident experts. If you don’t have an in-house expert you can lean on, you’ll want to reach out to a trustworthy third party that can provide your firm with the legal counsel needed. 
  3. Lock down physical access. Any areas related to your breach should be locked down and monitored carefully. You’ll want to change any access codes, locks, or credentials needed. If you have multiple employees, you’ll want to reach out to local law enforcement to determine when it’s safe to resume day-to-day operations. 
  4. Prevent further data loss. If you’ve already lost important data, you’ll want to take the appropriate steps needed to lock things down further. If there’s any evidence present in the breach, you’ll want to take special precautions, so you don’t destroy any important pieces of evidence. 

These are important steps you should take immediately after a breach or cybersecurity event. You’ll want to focus your attention on limiting the amount of data flowing out of your firm.

Step 2: Fix, patch or update your vulnerabilities

  1. Identify the source/cause of the breach. You’ll want to identify when, how and why these attackers were able to get into your organization. The IT or data forensics team you’ve identified in step one should be able to help you identify the cause of the breach. 
  2. Vet third-party providers. Do third-party providers have access to your data via an API or another piece of software? You’ll want to verify: 
    • Whether your providers should have continued access to your data.
    • That your provider’s system is secure and any vulnerabilities have been patched. 
  3. Cooperate with IT and your forensics team fully. You’ll want to: 
    • Identify which security measures were enabled at the time of the breach. 
    • Analyze whether you (or a third party) were able to contain any or all of the breach successfully (e.g., via network segmentation). 
    • Assess user rights management and current group policies to verify the right people have access to the right pieces of data, at the right time. 
  4. Create a crisis management plan. You may need to provide the right people – clients, employees, suppliers, providers, shareholders, partners and the public – with the appropriate level of communication. Your communication and crisis management plan should: 
    • Own the mistake or mishap. 
    • Not withhold key pieces of data from your audience. 
    • Not withhold or share information that makes it harder for clients to protect themselves. 

Create a list of the questions, objections, fears, and concerns each audience will have. Provide them with details on what you’ve done or are doing to address the problem.

This is an important first step. If you take the time to approach this area carefully, you’ll be able to recover your reputation and limit potential losses ahead of time. 

Step 3: Notify your relevant parties

You’ll need to notify the various groups of people mentioned above about the breach. You’ll want to ensure that you’re fully compliant with any and all laws, whether they’re at the local, county, city, state or federal levels. As you know, most states will have specific requirements for releasing information. 

If the breach involves health care data, you’ll need to determine whether you’re required to comply with the FTC’s Health Breach Notification Rule or the HIPAA Health Breach Notification Rule. These rules will outline who needs to be notified (e.g., the media) and when. 

You’ll also want to notify affected businesses (clients). If the breach affects a significant or large group of people, you’ll need to notify credit bureaus.

A data breach is inevitable; catastrophic data loss isn’t

The law firm data breach is something your organization can recover from. Create a recovery plan, follow the above steps and you’ll have what you need to restore your business and your reputation to full working order.

Filed Under: Blog, Legal Tagged With: Data Breach, data security steps, legal data security

3 Simple strategies attorneys can use to improve their law firm’s data security

August 14, 2019 By Andrew McDermott

It’s an unpreventable disaster. 

One hundred six million people have been affected by the Capital One data breach. A former Amazon employee exploited a vulnerability in Capital One’s cloud system, using it to steal sensitive personal and financial data from their customers.

There’s no way anyone could have seen this coming. 

There’s just one problem with this belief. It’s completely untrue. A Wall Street Journal report shows the vulnerability that led to the Capital One hack was known (and shared) by security researchers since 2014. It’s no surprise; criminals frequently target financial organizations. 

What about law firms? 

Which industry is more appealing to cybercriminals? 

If you guessed law firms, you’re right.  

News outlets like the BBC and the WSJ state that law firms are a favorite target for cybercriminals. A report by Recorded Future states that state-sponsored attacks on law firms from China, Russia, and Iran are on the rise. Land a large client and you become a target for cybercriminals. Wait a minute. The majority of law firms are small. Many of them serve individuals or other small-to-medium businesses.

How are these firms at risk? 

The ABA TechReport shows most attacks are directed at small and medium-sized firms.

  • 27 percent of attacks were directed at firms with 2 – 9 attorneys
  • 35 percent of attacks were directed at firms with 10 – 49 attorneys
  • 33 percent of attacks were directed at firms with 50 – 99 attorneys

As far as cybercriminals are concerned, small law firms are the low-hanging fruit. They’re easy pickings for criminal opportunists looking for an easy payday.

Why? 

  • Law firms have a treasure trove of data. They have client, firm and customer data in the form of agreements, documents, contact details, insider information, personal and financial documents. 
  • Law firms have deep pockets. Cybercriminals assume law firms have a significant amount of cash on hand in the form of hourly billings or cash in a client’s trust account. 
  • Law firms are exposed and vulnerable. A LogicForce report listed 4,169 publicly confirmed breaches since 2016. That number is increasing rapidly. What’s worse, 40 percent of firms weren’t even aware an attack had occurred. 

Law firms act as indirect information brokers. They’re expected to safeguard their client’s business. Sure, that’s not your core business. You’re focused on taking care of your client’s legal matters. But that doesn’t matter to these cybercriminals.

You have client data and they want it. 

What law firms can do to improve data security

As information brokers, law firms can take precautionary steps to ensure that the information in their possession, law firm and client data, stays in their possession. Aren’t most firms doing this already? 

Not at all. 

A recent report from LogicForce had some surprising implications. 

  • 53 percent didn’t have a data breach response/recovery plan 
  • 77 percent of firms didn’t have cyber insurance
  • 95 percent of respondents were noncompliant with their own cyber policies
  • 100 percent were noncompliant with their client’s policies

The vast majority of law firms are vulnerable to a data breach. That’s obviously bad news for law firms. But it’s also very good news for law firms. 

Here’s why. 

These vulnerabilities provide law firms with the clarity and direction they need. Let’s take a look at some of the steps law firms can take to secure their data. 

1. Create a cybersecurity policy

A cybersecurity policy outlines the systems and procedures needed to guard your data against attacks. This policy provides firm-wide direction outlining:

  • Who is responsible for what
  • Who has access to what (and when)
  • How your data should be protected
  • Who is responsible for protecting firm data

Your cybersecurity plan should include instructions on (a) the security programs you’ll need to implement (e.g., antivirus, firewall, and anti-exploit software), (b) how hardware and software patches or updates will be applied, and (c) how, when and where your data will be backed up.

2. Move to the cloud

The implication here is this: The majority of small to medium firms aren’t prepared for a data breach. This isn’t because law firms are somehow inadequate or lazy. 

Not at all. 

It makes sense that many firms aren’t prepared for the inevitable disaster. First, there’s cost. Here’s what you’ll need to spend to build your own IT department. 

| Title/Role | Small | Medium | Enterprise |
|---|---|---|---|
| Network Operations Manager | $109,260 | $123,729 | $139,641 |
| Network Administrator | $69,782 | $79,194 | $89,733 |
| Help Desk Support Rep | $49,248 | $55,123 | $62,368 |
| Installation and Maintenance Technician | $88,978 | $106,212 | $126,511 |
| Total | $317,268 | $364,258 | $418,253 |

These numbers cover employee salaries only; they don’t include benefits, bonuses or incentives. They also don’t include:

  • Laptops, mobile devices, and other hardware
  • Software licenses and setup fees
  • Consistent data backups, maintenance and archiving
  • Internet and network services
  • 24-hour support (including higher on-call salaries) 

These expenses make a compelling case for law firms to move their operations to the cloud. Cloud-based practice management software, document management platforms and project management tools enable you to offload your network security to a trustworthy provider.

With cloud software, the responsibility rests on your provider’s shoulders. 

They’re responsible for security, backing up your data regularly and maintaining compliance. It’s your provider’s job to protect your firm from criminal activity, inappropriate access, freak accidents and acts of God, as well as from negligence and mistakes.

3. Create a disaster response and data recovery plan

According to the LogicForce Cyber Security Scorecard, law firms experience a never-ending avalanche of attacks. Their report shows law firms experience:

  • 10,000 network intrusion attempts per day
  • 1,000 invalid login attempts per day
  • 59 percent of all emails are classified as spam, phishing or ransomware 

How can cybercriminals keep up this frantic pace? These attacks are carried out by automated scripts or programs. They’re equal opportunity predators. While small firms are low-hanging fruit, predators will pursue firms of any size, specialty or classification. If you have the resources they want, they’ll search for a way in.

Good data security makes your law firm a hard target

A breach may be inevitable, but data loss isn’t mandatory. At some point, these predators will find the “in” they need. Will they find a firm that’s protected all of its data or a firm filled with sensitive (and exposed) client data? It’s up to you. With a disaster recovery plan in place, you’ll have the resources you need to limit the damage done to your business.

It’s not a matter of if your organization is attacked but when and how hard. The time to prepare is now. Make security a top priority, utilize data loss prevention tools, be ready. They’re coming for you either way.

Filed Under: Blog, Legal, Running Your Business Tagged With: data security, legal data security
