Help Be Prepared for Cyberattacks – Data Security Tips for Attorneys
Recent studies indicate that internet crime may be on the rise in the legal industry. To help reduce your exposure to data breach risk, you should be prepared for cyberattacks well before they take place.
Cyberattacks Against Law Firms: What Do the Numbers Say?
According to the ABA TechReport 2020, the percentage of law practices that experience cyberattacks grew to 29% in 2020 from 26% in 2019. Of these, 36% were targets of virus, spyware, or malware attacks, some of which resulted in:
- Loss of website access (10%)
- Hardware or software replacement (17%)
- Temporary loss of network access (23%)
- Downtime or loss of billable hours (35%)
- Repair expenses (39%)
Monetary loss and operational hassle aside, data breaches could also inflict damage that can be harder to quantify but may be just as serious. Examples include reputational damage, eroded client trust, and loss of business.
Help Be Prepared for Cyberattacks with These Tips
The ABA’s Model Rules of Professional Conduct provide relevant guidance that may be helpful to lawyers looking to enhance the data security of their practice.
You can find further and more in-depth recommendations in Formal Opinions 477R (2017), 483 (2018), and 498 (2021) of the ABA Standing Committee on Ethics and Professional Responsibility.
The tips below draw on these sources. However, keep in mind that this summary is by no means exhaustive. There may also be additional rules that apply, so it may be a good idea to check with your local bar association and/or other applicable entities.
What to Do Before a Cyberattack Takes Place
Per Rule 1.6 of the Model Rules, you have a duty to make reasonable efforts to prevent unauthorized disclosure of information pertaining to client representation. Depending on the context, this may involve any of the following:
- Training and education. You should monitor for relevant changes in the law and innovations in technology that may affect the cybersecurity environment and the risk exposure of your practice. This may require you to engage in continuing education as well as independent research.
- Supervision. If you have managerial and/or supervisory authority, you are under an obligation to establish policies and procedures to ensure compliance with the ethics rules of the legal profession, including those that relate to cybersecurity. You also have a duty to ensure the compliance of subordinate lawyers and nonlawyer assistants.
- Hardware and software. Consider reviewing the terms of service of your hardware and software to ensure they provide adequate confidentiality protection. You should also periodically check that all devices and systems are up to date.
- Secure connection. Only use secure Wi-Fi or another internet portal for your work-related online activities. Make sure all routers are secure and consider using a virtual private network (VPN).
- Enhanced protection. Protect all devices, accounts, files, data, and client communications using firewalls, anti-malware/spyware/virus programs, and strong passwords. Change passwords often and consider implementing a password manager, encryption, and multi-step authentication. You should be particularly vigilant if you or members of your team use your personal devices for work.
- Cloud service. If using cloud-based solutions, choose reputable providers.
- Data backup. Back up all data regularly and ensure that you can access it securely in the event of data loss.
- Videoconferencing. Peruse the terms of service of the virtual meeting platforms you use for remote meetings, including any updates, and make sure to only grant access to accounts and meetings through strong passwords. If you make recordings or transcripts, obtain the consent of all participants. You should also ensure that third parties cannot overhear your calls and meetings.
- Listening-enabled devices. Disable the listening functionality of smart speakers, virtual assistants, and similar devices when discussing confidential matters.
- IT support. Consider hiring a dedicated IT security specialist with good credentials and a proven track record. Ideally, you should opt for someone with experience in servicing clients in the legal industry.
- Incident response plans. Only 34% of the respondents in the ABA TechReport 2020 said their firms had cybersecurity incident response plans. If your practice is not one of them, consider developing detailed incident response plans for various contingencies. This may be critical in minimizing your losses in the event of a data breach.
- Risk assessment. To ensure your cybersecurity measures are appropriate, consider carrying out periodic risk assessments – practice-wide and on a case-by-case basis. You should weigh the level of risk, the sensitivity of the information, the probability of disclosure, the cost and difficulty of implementing additional safeguards, and whether your clients can handle the proposed security safeguards.
What to Do in the Event of a Cyberattack
- Notice. You have a duty to keep clients reasonably informed and notify them of any data breaches that may affect them. The notice you provide should be sufficient to enable them to make informed decisions about the representation.
- Prompt action. In the event of a cyberattack, you should take timely and appropriate action to stop the breach and mitigate potential damage. The exact steps may differ depending on the nature of the attack, the affected data, and your hardware or software.
What to Do After a Cyberattack
- Post-breach analysis. Once the attack no longer poses a threat, consider taking the time to analyze what happened and why to identify security gaps and areas of improvement. This may also help you obtain a better understanding of the scale of the damage and how you could mitigate it.
Bonus Tip for Preparing for Cyberattacks: Purchase Cyber Insurance
Regardless of how prepared you may be for cyberattacks, it may not be possible to fend off all hackers.
Here is where cyber liability insurance comes in. Note that it is not the same as data breach insurance, which typically only covers monetary loss due to hacking, data breaches, or theft of business documents. In contrast, cyber insurance can help protect you against both financial loss and legal action due to data breaches of sensitive information, with the possible exception of social engineering fraud.
As a result, you can get some much-needed peace of mind, the rapid pace of technological innovation and the ingenuity of cybercriminals notwithstanding.
This information is provided for general purposes only and is not intended to provide individualized advice. All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.