This is the property of the Daily Journal Corporation and fully protected by copyright.

Law Practice

Dec. 5, 2018

Guidance for protecting your law firm from the next data breach


Shari L. Klevens

Partner, Dentons US LLP

Phone: (202) 496-7500

Email: shari.klevens@dentons.com

Alanna G. Clair

Partner, Dentons US LLP

Email: alanna.clair@dentons.com




The threat of the disclosure of personal data is ever-present in today's society, as seemingly every week there is another report of a large company suffering a serious data breach incident resulting in the exposure of personal information. From Target to, most recently, Marriott, there have been numerous high-profile breaches, even though companies and customers often treat cyber security as a high priority.

The consequences of a data breach can be especially acute for law firms given that clients trust their attorneys with not only personal identifying information, but also a host of other confidential information, including trade secrets and business strategies. For that reason, hackers are increasingly targeting law firms, and a number of reported data breaches confirm that law firms are not immune to the threat faced by all companies in today's society.

The American Bar Association's 2017 Legal Technology Survey Report highlighted the serious risks faced by law firms. However, perhaps the most surprising aspect of the report was the finding that data breaches are not limited to the highly publicized breaches that occur at large firms. Indeed, an astounding 22 percent of survey respondents reported that their firm had experienced a data breach, which was up from only 14 percent during the previous year. In addition, for firms with 10 to 49 attorneys, over one-third of firms reported a breaching incident.

In many ways, a data breach at a law firm can be even more serious than other breaches in the corporate world in light of the heightened duties owed by attorneys to their clients. A hacking incident certainly can result in significant financial loss simply by means of responding to the data breach, but for attorneys it can also lead to ethics grievances, legal malpractice claims, or even claims for lost trade secrets, financial data, or stolen funds.

Accordingly, it is clear that data breaches are a threat for all firms. Below are some tips for how firms can address the increasing risks.

Know How to Respond

Given the data indicating the frequency of data breaches, firms that take the "it will never happen to us" approach do so at their own risk. When an incident does occur, firms taking that approach are often left flailing to come up with an appropriate response and thus may struggle to limit the fallout resulting from the exposure of confidential information and any associated media coverage.

Indeed, in the aftermath of a cyberattack, it can be extremely difficult to identify what needs to be done first and to implement a comprehensive plan to manage the influx of information. Complicating all of this, law firms may have reporting obligations, depending on the nature of the information that was accessed.

To help navigate these issues, it can be helpful for firms to identify ahead of time a point person who will assume leadership for the firm's response upon a cyberattack. This person does not have to be from the IT department, but it is helpful to have someone who is knowledgeable about the firm's duty of confidentiality and can converse with others about a technical response.

While the point person can help formulate an initial strategy and take steps early to mitigate the consequences of a breach, it can also be helpful to have a committee assigned to developing the firm's response plan to ensure that the firm takes a comprehensive approach and complies with all of its duties owed to clients. A response to a data breach requires efforts on several fronts, from client relations to responding to media inquiries, and thus having individuals ready to handle those responsibilities can help the firm respond in the most effective manner.

Protect Mobile Devices

While hackers are using increasingly sophisticated methods to gain access to data, many breaches still occur through decidedly less sophisticated means. For example, lost laptops and mobile devices can create some of the highest risks of a cyberattack. Given that technology allows attorneys to access virtually limitless client information from a mobile device, a single compromised device can provide a hacker with a wealth of information. The hacker can use a trusted email address to transmit viral emails throughout the firm, or use the attorney's credentials to access a secure network.

Law firms can consider a number of steps suitable to their specific clients and practices to protect against these risks. These include requiring a password for any device that allows access to confidential information and having the ability to wipe a device remotely. In addition, allowing the firm or the attorney to track their device can help the firm identify lost devices as quickly as possible. These practical approaches can provide a first line of defense to highly technical data breaches.

Identify Sensitive Data

Some law firms fail to appreciate the scope of information that may be valuable to hackers. However, as noted above, law firms are increasingly targeted because of the sheer quantity of confidential information that they often possess. This can include draft patent applications, business plans, or information that could help a hacker navigate the market.

In addition, given the volume of materials produced in discovery in many litigations, a law practice could find that it has a stack of medical records belonging to a class, or the Social Security numbers of every employee of a client company. Besides client information, law firms also store sensitive data relating to their own employees. The key is to identify the confidential information and to guard it effectively.

Use Trusted Vendors

Even when firms themselves have protections in place, a breach can still occur if a third-party vendor does not likewise take appropriate precautions when handling sensitive information. Indeed, hackers will often target the path of least resistance to breach a target.

Accordingly, some firms fortify their own defenses and forget the doors to which their vendors have a key. To help limit this risk, firms can screen vendors by assessing their protocols for maintaining client information and protecting against data breaches.

Consider Using Outside Professionals

While some firms may have the necessary technical expertise in-house, for certain situations it may be helpful to engage cyberprofessionals specializing in responses to data breaches to assist the firm. In addition, it may be helpful to engage outside counsel to help the firm navigate the complex ethical and legal obligations that arise in the face of a data breach. While retaining outside help may come with a cost, such cost often pales in comparison to the potentially severe financial, legal, and other consequences of a data breach.
