Law firm cybersecurity is a challenge that many organizations across the country must deal with. Cyber risks pose a significant threat to U.S. law firms, as they handle highly sensitive client information and have access to highly confidential legal documents.
In today’s predominantly digital world, law firms are not exempt from the pervasive threat of hackers and cybersecurity risks.
As owners of sensitive information, these firms must ensure they do not fall victim to cybercriminals seeking to exploit vulnerabilities and gain access to valuable data. The consequences of a data breach can be terrible, ranging from reputational damage to legal liabilities and financial penalties and losses.
This guide will serve as a thorough overview of everything a law firm needs to know regarding the state of modern cyber threats and the implementation of a robust cybersecurity strategy.
By being aware of the dangers and understanding what constitutes a solid cyber strategy, law firms can strengthen their defenses, mitigate potential risks, and commit to maintaining the confidentiality and security of client data.
What are the biggest cybersecurity risks to a U.S. law firm?
There are a number of cybersecurity risks that all law firms should be aware of; these are principally:
- Data Breaches: Law firms are attractive targets for cybercriminals seeking valuable client information. According to a 2020 survey by the American Bar Association, 26% of law firms reported experiencing a data breach.
- Phishing Attacks: Phishing is a prevalent threat for law firms. In a 2021 report by Verizon, it was revealed that 96% of all data breaches in the legal sector were caused by phishing attacks. Furthermore, the ABA survey found that 88% of law firms experienced a phishing incident in 2020.
- Ransomware: Law firms are increasingly targeted by ransomware attacks. The ABA survey found that 22% of law firms reported falling victim to a ransomware attack in 2020. The average ransom demand has been steadily rising, with a 43% increase from 2019 to 2020, according to Coveware.
- Insider Threats: The risk of insider threats within law firms is a significant concern. The ABA survey revealed that 17% of law firms experienced an internal data breach in 2020. Additionally, a study by Crowd Research Partners found that 74% of organizations, including law firms, consider insider threats a significant concern.
- Third-Party Risks: Law firms often work with external vendors and contractors who may introduce cybersecurity vulnerabilities. The ABA survey indicated that 35% of law firms experienced a security incident caused by a third-party vendor in 2020.
Why are U.S. law firms at risk?
Law firms are especially vulnerable to data breaches due to several factors that make them attractive targets for cybercriminals. The primary reasons for this are:
- Valuable client data: Law firms handle a vast amount of highly sensitive client information, including financial records, intellectual property, personal data, and privileged legal communications. This wealth of valuable data makes them targets for cybercriminals who seek to exploit it for financial gain, identity theft, or to gain a competitive advantage.
- Limited IT resources: Many law firms, especially smaller ones, may have limited IT budgets and resources compared to larger organizations. This often results in less sophisticated cybersecurity infrastructure, outdated software, and inadequate security measures.
- Perception of lower security: Cybercriminals often perceive law firms to have weaker security defenses compared to other industries such as finance or healthcare, and in many cases are correct in their assumptions.
- Human factor: The human factor is a significant vulnerability. Law firm employees, including attorneys and support staff, may unintentionally fall victim to phishing scams and other social engineering tactics, or inadvertently expose sensitive information. Simple human errors, such as clicking on a malicious link or responding to a fraudulent email, can lead to an incredibly damaging data breach.
- Third-party risks: Law firms often use external parties, such as vendors for processing information, which then have access to the law firm’s systems or data, increasing the risk of a breach if their security measures are inadequate.
What are your cybersecurity obligations as a law firm?
U.S. law firms have several cybersecurity obligations that they are expected to fulfill to protect client data and maintain the integrity of their operations.
While specific requirements may vary based on state laws and regulations, there are some common cybersecurity obligations for U.S. law firms:
- Safeguarding confidentiality: Law firms have a fundamental obligation to maintain the confidentiality of client information. They must implement reasonable measures to protect client data from unauthorized access, disclosure, or handling. This includes securing electronic systems, implementing access controls, and employing encryption where appropriate.
- Incident response planning: Law firms should have an incident response plan in place to effectively address and mitigate cybersecurity incidents. This includes establishing protocols for detecting, responding to, and recovering from data breaches or other security breaches. Prompt notification to affected clients and appropriate authorities may also be required.
- Ethical responsibility: Legal ethics rules, such as those established by the American Bar Association (ABA), impose a duty on attorneys to protect client information. This duty extends to taking reasonable steps to secure electronic communications, ensuring competence in technology matters, and maintaining client confidence.
- Due diligence for third parties: Law firms should exercise due diligence when using third-party vendors, contractors, or cloud service providers. This includes assessing their security measures, contractual obligations, and data handling practices to ensure adequate protection of client information.
Regulations that U.S. law firms must be compliant with
Law firms in the U.S. are generally subject to broader cybersecurity and data privacy laws that apply to all businesses. Here are some notable state-level and federal cybersecurity laws and regulations that impact law firms:
- Data breach notification laws: Most U.S. states have data breach notification laws that require organizations to notify affected individuals in the event of a data breach. These laws typically specify the timeframe and method for providing notifications and may also include requirements for notifying state regulators or attorney general offices. Examples include California’s Data Breach Notification Law (California Civil Code Section 1798.82) and New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act.
- Consumer data privacy laws: Several states, such as California, Colorado, Virginia, and Washington, have implemented consumer data privacy laws. These laws impose obligations on businesses, including law firms, regarding the collection, use, and protection of personal information. The California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) are prominent examples of state privacy laws that may apply to law firms with clients in these states.
- Financial sector cybersecurity regulations: Law firms that provide legal services to financial institutions or fall under the purview of state financial regulatory bodies may need to comply with cybersecurity regulations specific to the financial sector. For instance, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500) mandates cybersecurity requirements for financial services companies operating in the state.
Major law firm cybersecurity breaches
In the past several years, there have been many notable data breaches that have affected law firms in the U.S. and around the world.
Given the number of law firms operating in the U.S. and the amount of data many of these companies hold, they naturally present as a prime target for hackers who seek to profit from stealing data.
Here are some noteworthy cases of data breaches that have occurred recently:
- Jones Day: In 2021, Jones Day, one of the world’s largest law firms, experienced a data breach. The breach involved unauthorized access to the firm’s systems and the subsequent theft and publication of internal documents.
- Fragomen: In 2019, Fragomen, a prominent immigration law firm, had a data breach that involved unauthorized access to a file containing personal information, including Social Security numbers and passport details, of its clients.
- Grubman Shire Meiselas & Sacks: In 2020, Grubman Shire Meiselas & Sacks, an entertainment law firm, fell victim to a data breach which resulting from a ransomware attack, leading to the theft and subsequent auctioning of sensitive client data.
What cybersecurity policies should your firm have?
Law firms should establish comprehensive cybersecurity policies to protect their clients’ sensitive information, maintain the integrity of their operations, and comply with legal and ethical obligations.
Here are eight essential cybersecurity policies that a law firm should strongly consider implementing to look after their data:
Information security policy
A comprehensive information security policy is a crucial document for law firms, providing guidelines and procedures to protect sensitive information, mitigate cybersecurity risks, and ensure compliance with legal and ethical obligations. Such a policy typically covers a wide range of areas and establishes a company-wide framework for information security management.
Firstly, it defines the scope of the policy, specifying the types of data covered and the individuals and systems subject to the policy’s provisions. It also establishes the governance structure, assigning roles and responsibilities for managing information security.
It should address access controls, specifying who can access sensitive information and under what circumstances. It also outlines procedures for the secure transmission and storage of data, encryption requirements, and a process for the secure disposal of information.
The policy must also address employee responsibilities, emphasizing the importance of adhering to security protocols, reporting incidents, and participating in ongoing security training and awareness programs. It may also cover acceptable use of technology resources, addressing issues such as personal device usage, internet browsing, and social media guidelines.
The policy highlights incident response procedures, defining steps to be followed in the event of a cybersecurity incident or data breach. It outlines reporting channels, communication protocols, and steps for containment, investigation, and recovery. It may also address business continuity and disaster recovery plans to ensure the firm can quickly resume operations in the event of a disruptive event.
Data classification and handling policy
A data classification and handling policy is a critical component of a law firm’s data security framework. It provides guidelines for categorizing and managing data based on its sensitivity, ensuring appropriate protection and handling throughout its lifecycle.
The policy begins by defining different levels or categories of data based on its confidentiality, integrity, and availability requirements. This classification may include categories such as “Public”, “Internal”, “Confidential”, and “Highly Confidential”. Each category is associated with specific security controls and handling procedures.
The policy outlines procedures for data classification, including who is responsible for assigning data classifications and how to properly label or tag data to indicate its level of sensitivity. It also addresses the process for reclassifying data if necessary as its sensitivity changes over time.
Once data is classified, the policy establishes guidelines for handling and protecting data based on its classification. This includes access controls, encryption requirements, and guidelines for secure storage and transmission. For example, highly confidential data may require additional safeguards such as multi-factor authentication and encryption both at rest and in transit.
The policy should also address data sharing and disclosure, specifying the conditions under which data can be shared internally or externally, including with clients, other law firms, or regulatory bodies. It emphasizes the importance of obtaining proper authorization and ensuring that data-sharing agreements or non-disclosure agreements are in place when necessary.
Finally, the policy covers data retention and disposal procedures. It outlines the retention periods for different data categories and provides instructions for secure data disposal, including shredding physical documents and securely erasing electronic files.
Acceptable use policy
An acceptable use policy (AUP) outlines the rules for the appropriate use of technology resources within a law firm. It sets clear expectations for employees, contractors, and other users regarding their responsibilities when accessing and using the firm’s IT infrastructure.
The AUP begins by defining the purpose of the policy and the scope of its application. It specifies the technology resources covered, such as computer systems, networks, internet access, email, and software applications.
The policy should outline prohibited activities, such as unauthorized access to systems, distribution of malware, or engaging in illegal or unethical activities. It may also address the downloading and installation of software, the use of personal devices, and the management of confidential and sensitive information.
Additionally, the AUP establishes guidelines for responsible internet and email usage. It may specify appropriate web browsing behavior, restrictions on accessing certain websites, and guidelines for email communication, including the handling of sensitive or confidential information.
The policy also covers user account management, emphasizing the importance of safeguarding login credentials and reporting any suspected security incidents or unauthorized access.
Authentication policy
An authentication policy establishes rules for verifying and validating the identities of users accessing the firm’s systems, networks, and sensitive data. It outlines requirements for authentication methods to ensure secure access and protect against unauthorized access attempts.
This may include passwords, passphrases, biometric authentication, hardware tokens, or a combination of these (multi-factor authentication, or MFA).
The policy addresses user account management procedures, such as account creation, modification, and termination. It emphasizes the importance of maintaining up-to-date and accurate user account information, including timely removal of access rights when individuals no longer require them.
Incident response policy
An incident response policy will contain the actions to be taken in the event of a cybersecurity incident or data breach. It serves as a roadmap for effectively detecting, containing, mitigating, and recovering from security incidents while minimizing damage and disruption to the firm’s operations and clients.
The policy outlines the incident detection and reporting procedures, specifying how incidents are identified, who should be notified, and the mechanisms for reporting incidents promptly. It emphasizes the importance of reporting any suspicious activities or potential security breaches, encouraging a culture of proactive incident reporting.
Furthermore, the policy defines the steps to be taken during incident response, including incident assessment, containment, eradication, and recovery.
The policy addresses legal and regulatory requirements, ensuring compliance with data breach notification laws and any other obligations specific to the legal industry. It also covers business continuity and disaster recovery plans, outlining how the firm will resume normal operations and restore systems and data in the aftermath of an incident.
Regular testing, training, and updating of the incident response policy are essential to ensure its effectiveness.
Employee security awareness
Security awareness involves educating employees and stakeholders about various security risks, best practices, and their roles and responsibilities in safeguarding sensitive information. This training aims to raise awareness, promote a security-conscious culture, and empower individuals to understand their role as the first line of defense against cyber threats.
The training covers a wide range of topics, including phishing attacks, social engineering, password hygiene, malware prevention, and secure internet browsing. It educates employees about the tactics used by cybercriminals to exploit vulnerabilities and provides practical guidance on how to identify and respond to potential threats.
Security awareness training also emphasizes the importance of data protection, confidentiality, and compliance with legal and regulatory requirements. It educates employees on handling sensitive information, proper data classification, secure file sharing, and the secure disposal of confidential documents.
It should be mandatory for all employees at every level of the firm, including partners, associates, and support staff, and should be integrated into the onboarding process for new hires.
Vendor and third-party management policy
A vendor management policy will cover the procedures for assessing, selecting, and managing third-party vendors and service providers to ensure the security and protection of the firm’s data and systems.
The policy establishes a vendor selection process that includes evaluating potential vendors based on their security controls, data protection measures, and incident response capabilities. It also includes reviewing their contractual terms, such as data handling, confidentiality, and liability provisions.
Additionally, the policy may address contractual considerations, including the inclusion of security clauses, data protection terms, and breach notification requirements in vendor agreements. It emphasizes the need for clear expectations regarding data handling, confidentiality, and the return or destruction of data upon contract termination.
In the event of a security incident involving a vendor, the policy outlines the steps to be taken, including incident notification, investigation, and resolution. It also specifies the consequences for non-compliance with security requirements.
Data backup and recovery policy
A backup and recovery policy will ensure that best practices for backing up and restoring data are followed. It makes sure that the availability and integrity of critical information in the event of data loss, system failures, natural disasters, or cybersecurity incidents is maintained.
The policy begins by defining the scope of data backup and recovery, including the types of data and systems covered. It establishes the frequency and methods of data backups, such as incremental or full backups, and determines the retention period for different types of data.
The policy should detail the types of data sets covered and the selection and implementation of backup technologies and infrastructure. This includes considerations such as offsite backup storage, redundant systems, encryption, and testing the restoration process to ensure the integrity of backed-up data.
The policy emphasizes the need for regular testing and validation of backup and restoration processes. It establishes procedures for testing backups to ensure data integrity, verifying backup logs, and periodically performing test restorations to validate the effectiveness of the backup strategy.
In the event of data loss or a system failure, the policy provides clear guidelines for initiating the recovery process. It outlines the steps to be followed, the individuals or teams responsible for recovery, and the expected timeline for restoring data and systems to full functionality.
What cybersecurity tools should a law firm use?
Law firms should seek to employ a stack of cybersecurity tools to protect their data.
These tools help detect and prevent cyber threats, monitor network activity, and safeguard against breaches and cybersecurity risks. Here are several essential cybersecurity tools for law firms:
- Firewall: Acts as a barrier between internal networks and the internet, filtering incoming and outgoing network traffic and protecting against unauthorized access.
- Antivirus: Scans and detects malicious software, such as viruses, worms, and ransomware, and helps remove them from the firm’s systems.
- Intrusion detection and prevention system (IDPS): Monitors network traffic for suspicious activity and alerts administrators of potential intrusions.
- Virtual private network (VPN): A VPN establishes a secure, encrypted connection for remote access to the firm’s network, ensuring that data transmitted over public networks remains private.
- Data loss prevention (DLP): Monitors and prevents the unauthorized transmission of sensitive data outside the firm’s network, helping to protect against accidental or intentional data leaks.
- Endpoint protection: Software that provides security for individual devices, such as laptops and mobile devices, protecting against malware, unauthorized access, and data theft.
- Encryption tools: Ensures that sensitive data remains secure during transmission or storage by converting it into an unreadable format that can only be decrypted with the appropriate encryption key.
- Security information and event management (SIEM): A SIEM system collects and analyzes log data from various sources to identify and respond to security incidents in real time.
On-premise or the cloud?
The decision between on-premise cybersecurity and cloud cybersecurity for law firms depends on various factors, including the firm’s specific requirements, resources, and risk tolerance. Both options have their advantages and considerations, but most law firms these days will lean heavily toward cloud adoption, especially if they lack significant existing security infrastructure.
Here is an overview of each approach:
On-premise cybersecurity:
- Control: On-premise solutions provide direct control over the infrastructure, data, and security measures within the law firm’s physical environment.
- Customization: On-premise solutions allow for more customization and tailored security configurations to meet specific needs.
- Compliance: Certain regulatory requirements or client preferences may necessitate on-premise data storage and security.
- Scalability and flexibility: Scaling up or down the infrastructure can be more challenging and time-consuming with on-premise solutions.
Cloud cybersecurity:
- Scalability: Cloud solutions offer the flexibility to scale resources based on demand, allowing law firms to easily adapt to changing needs.
- Cost efficiency: Cloud-based cybersecurity eliminates the need for large upfront investments and reduces ongoing maintenance costs.
- Reliability and availability: Cloud providers often offer robust infrastructure and redundancy, ensuring high availability and business continuity.
- Updates and maintenance: Cloud providers typically handle updates, patches, and maintenance tasks, alleviating the burden on the law firm’s IT staff.
- Expertise: Cloud providers have specialized teams dedicated to security, offering a higher level of expertise and advanced security measures.
The state of cloud cybersecurity
It is worth noting that the use of cloud cybersecurity has been growing steadily. Industry trends and surveys provide insights into this growing prevalence of cloud adoption in the legal sector:
- According to the ABA’s 2020 Legal Technology Survey Report, 59% of law firms reported using cloud computing services, marking a significant increase from previous years.
- Gartner predicts that by 2025, 80% of enterprises worldwide will have migrated away from on-premise data centers to cloud service providers.
- According to a Gartner report, worldwide public cloud services revenue is projected to reach $397.4 billion in 2022, indicating the increasing adoption of cloud solutions across industries, including the legal sector.
There is no doubt of the growing trend of law firms embracing cloud security solutions. The advantages offered by cloud security are appealing to law firms looking to enhance their cybersecurity posture while optimizing operational efficiency.
It’s important to note that the decision to adopt cloud security is influenced by factors such as firm size, regulatory requirements, and client demands. Some law firms may choose to adopt hybrid approaches, combining both cloud and on-premise solutions to meet specific needs.
Conclusion
We hope that this blog post guide has been a useful resource for understanding the landscape of cybersecurity risk as it pertains to U.S. law firms.
For many firms, particularly those who have a limited security or technology profile, the need for a strong cybersecurity setup is essential, and ensuring that the policies they follow ensure the integrity of their data is vital.
Most law firms in 2023 will opt for cloud security for their data protection and its general ease of use. They should also be sure that third parties they use for their service of process needs are secure and trustworthy.