Attorneys handle a wealth of sensitive information each day. Not surprisingly, confidentiality is a core tenet of the legal profession. Clients expect that anything they say to their lawyer is protected via client-attorney privilege.
Unfortunately, data and security breaches are becoming increasingly common. Consider findings from the American Bar Association’s (ABA) 2022 Legal Technology Survey Report, which reveals that 27% of law firms have previously suffered a security breach, such as a stolen computer or website exploit. These security breaches threaten the privacy of clients’ sensitive information—and can also affect a law firm’s reputation.
Cybersecurity must be an ever-present priority for law firms. This article explains why lawyers have a duty to protect their clients’ information, highlights the main risks to the average law firm, and offers top tips on optimizing your law firm’s cybersecurity approach.
Why does cybersecurity matter to law firms?
Cybersecurity refers to the effort to protect against attacks occurring in cyberspace—such as phishing and malware—which target data, storage, and devices.
Law firms are ripe targets for potential hackers. That’s because they store incredibly valuable and sensitive information, while some may even have access to trust accounts filled with their clients’ money. All of this makes them susceptible to theft and ransom.
Take the Grubman, Shire, Meiselas and Sacks breach, for example. In 2020, the entertainment law firm was the victim of a $42 million ransom demand, with vast amounts of sensitive and confidential data stolen.
When such breaches occur, law firms are put in a tricky position: Acquiesce with the ransomer’s demands (and lose a significant amount of money) or risk having their clients’ dirty laundry aired publicly.
Firms might also have additional obligations to protect data, such as personal health information under the Health Insurance Portability and Accountability Act (HIPAA). Or there’s New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD), which stipulates that law firms must implement “reasonable” security safeguards to protect their clients’ information.
Unsurprisingly, data breaches can have a devastating effect on both law firms and their clients. The firm might face fines and legal action, and its reputation will take a massive hit. According to an IBM report, the global average cost of a data breach was $4.35 million in 2022.
The takeaway is clear: No firm, regardless of its practice area, size, or location can afford a data breach.
What duties do lawyers have to protect their clients’ information?
In 2014, the ABA adopted a resolution on cybersecurity for all law firms, which “encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.”
Beyond resolutions, firms must understand their ethical and professional duty to protect their clients’ data—and if a breach occurs, to report it as soon as possible to the relevant bodies.
Consider ABA Rule 1.6: Confidentiality of Information, which states that lawyers should “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
However, the precise nature of your firm’s responsibilities might vary depending on the type of information—for example, if it falls under HIPAA. Your firm must also consider state-specific requirements, such as those outlined in BakerHostetler’s Data Breach Charts guide.
Want more? Check out our resources hub on cybersecurity for lawyers.
What cybersecurity risks do law firms face?
Sensitive information could fall into the wrong hands in various ways.
The main culprit? Human error. For example, attorneys may accidentally lose their computer, smartphone, or briefcase, or have these stolen from them.
Meanwhile, firms may also suffer from an online hack, their website might be exploited, or they might be on the receiving end of a physical break-in.
Generally speaking: the larger the firm, the greater the risk. ABA statistics show that in 2021, 17% of firms with nine or fewer employees suffered a data breach, compared with 35% of firms with 10 to 49 employees and 46% of firms with 50 to 99 employees. This is hardly surprising, as bigger firms tend to hold more sensitive data.
Top tips for cybersecurity for law firms
Right, enough of the theory—let’s explain how you can optimize your law firm’s cybersecurity approach and safeguard your clients’ sensitive data going forward.
Conduct a risk assessment
Conduct regular assessments to determine whether your firm has any key vulnerabilities or weaknesses that could risk your clients’ data privacy. No firm wants to discover that it’s at risk of a breach—but it’s far better to know your blind spots so you can take the necessary steps before a breach occurs.
You might want to also consider hiring a third party that can:
- Conduct an independent audit.
- Identify cybersecurity gaps.
- Create an incident response plan.
- Implement security measures.
- Train your staff on the latest best practices.
It’s also worth obtaining security certifications to understand your firm’s risk and prove your security credentials. For example, ISO 27001 certification teaches firms everything they need to know while demonstrating their data security prowess to potential clients.
Get law firm cybersecurity insurance
Cybersecurity insurance provides an additional level of protection for firms that suffer a data breach. While insurance does little to protect the data that was stolen, some policies do compensate for certain financial impacts of a breach, such as the costs of:
- Restoring the data.
- Lost income due to downtime.
- Crisis management.
- Forensic investigations.
Alternatively, you could opt for third-party cyber liability insurance, which protects firms from liability claims in the event of a data breach. According to the ABA’s TechReport, 56% of firms with 10 to 49 attorneys have cyber liability insurance, followed by 43% of firms with over 100 attorneys and 42% of firms with two to nine attorneys.
Develop a robust law firm cybersecurity policy and incident response plan
Though they are important, robust cybersecurity policies and incident response plans are lacking at too many firms today.
When they do create a cybersecurity policy, firms can’t simply adopt a copy-and-paste approach. Each policy must be designed around their specific needs. In other words: no two policies will be alike.
It’s important for firms to thoroughly audit their potential risk areas, such as email use, internet use, and remote access. Then, create a customized policy that takes all of these weaknesses into account.
Finally, be sure that everyone within the firm is aware of their cybersecurity duties. There’s little point in implementing a robust policy if nobody is aware of it, understands it, or knows their own role within the framework. At Clio, we enforce regular security training for employees, along with office access policies and two-factor authentication.
While you’ll hopefully never have to use it, it’s also a good practice to outline the steps you’ll take if your law firm is hacked—from connecting with a data breach expert to reporting the incident to law enforcement.
When it comes to incident response plans, it’s clear that more can be done among law firms. The ABA reports that only 42% of firms have incident response plans in place. As may be expected, larger firms are most likely to have incident response plans, with 72% reporting that they have them, compared to only 9% of solo respondents.
Conclusions on cybersecurity for law firms
While you can’t guarantee a breach won’t occur, you can optimize your law firm’s cybersecurity approach. Remember to prioritize cybersecurity before it’s too late. Focus on working with vendors, such as Clio, that are also committed to keeping your data safe and secure.
Take your cybersecurity approach to the next level with our Law Firm Data Security Guide.