In the 21st century, company data and customer information are often as valuable as hard currency. Hackers attack weak information security systems to gain access to personal information, and law firms are figurative treasure troves for some people’s most sensitive details. In order to protect their clients — and the success of their business — law firms must be conscientious and proactive in firming up their information security.
A Wealth of Valuable Data
Think of the variety of sensitive information any given law firm holds: privileged communications, intellectual property and trade secrets, litigation strategies, and client business information — not to mention personally identifiable information (PII) like HIPAA-protected health information and account access details. Entire spreadsheets could be filled with payment information, including credit card numbers, PINs, and addresses.
The business-forward and ethical solutions to this emergent issue are one and the same: safeguarding these secrets with strong security systems.
A Firm’s Responsibilities
In a 2011 opinion, the American Bar Association delivered a consensus that lawyers have a duty to protect client email communications against “unauthorized disclosure,” bolstering a 2010 opinion by the State Bar of California that any attorney’s use of technology to represent a client must not subject that client to “an undue risk” of such a disclosure, and that the attorney must “monitor the efficacy” of the security steps taken to protect the client.
Nevada and Massachusetts were among the first to pass laws that require businesses to encrypt PII under certain circumstances; less than a decade later, 26 states now require technology competence for attorneys in order to “safeguard client information…against unauthorized access by third parties.” To assist attorneys with these increasingly important issues, the ABA even offers a cybersecurity handbook.
Who’s at Risk?
Perhaps counter to popular belief, the biggest law firms do not have the most robust security systems. According to the ABA’s Legal Technology Survey Report, solo practitioners and small firms were significantly less likely to experience a cyber attack; only 8% of solo practitioners and 11% of firms with fewer than 10 lawyers reported a breach in 2016. Compare those numbers with those reported by firms that have 500 or more lawyers: 26% reported an intrusion into their systems. Penetration testing and other proactive measures can help identify these vulnerabilities before they are exploited.
Law firms can be particularly vulnerable to sophisticated targeting techniques like spear-phishing and spoofing, which can fool even tech-savvy individuals. Nevertheless, one study showed that three out of five firms fail to install intrusion detection and prevention tools. Moreover, three-quarters of all firms do not automatically encrypt emails, and 86% of firms do not use two-factor authentication. That these basic functions are lacking in the majority of American law firms demonstrates the pervasive nature of information security complacency.
The Cloud Can Help
Solo practitioners appear to be the attorneys that are embracing advanced technology most. The same ABA technology study showed that 35% of these solo lawyers use cloud computing software, compared to 29% of firms with 10-49 attorneys and just 19% of firms with 100 or more attorneys.
Cloud computing offers secure storage, backup plans, and management software that provide a massive bulwark against cyber-borne threats. The software also greatly aids a solo practitioner’s ability to compete in the marketplace by offering access to client information across multiple devices and secure portals to conveniently facilitate communication and collaboration. The cloud presents its own security risks, of course, but there are strategies to tackle these.
Useful Questions Regarding Cloud Software
If your firm has not yet selected cloud computing software or a third party to handle cloud data storage, ask these critical questions before making a final decision. (These questions are also useful for those who already have cloud computing to evaluate how well it is protecting clients.)
Who has access to the servers and data, and what mechanisms are in place to ensure that data is only accessed by authorized individuals? What security exists at the data center where servers are physically stored, and how well is it prepared for natural disasters? What are the redundancies? Does the contract involve uptime guarantees, and what does it state regarding termination? Are there additional integrations with the product, and if so, how are vendors screened? A list of further questions generated by a panel of experts at the annual law conference Academy for Private Practice can be reviewed here.