Organizations across all fields are facing increased pressure to be able to respond to an ever-increasing array of cyber threats as well as ever-tighter regulations regarding data privacy. Far from being immune to these threats, law firms face their own unique cybersecurity challenges that must be addressed proactively.
- The 2020 Legal Technology Survey Report by the ABA surfaced some concerning findings:
- The number of firms experiencing a data breach of some kind increased from 26% to 29%.
- The larger the firm is, the less likely it is to know whether it has experienced a data breach.
- Expenses as a result of replacing hardware/software as well as notifying clients and the police has risen.
- The unauthorized access of both sensitive and non-sensitive client data has increased.
Despite these findings, only 34% of respondents indicated that they have an incident response plan in place. Ironically, this puts law firms at risk of falling on the wrong side of the law when it comes to upholding regulations regarding information security and consumer data privacy.
The LIFARS New York City Lab was established in collaboration with the FBI, Department of Homeland Security and US Secret Service to examine digital evidence of all forms of cyber crime. We operate globally on cases including ransomware, cyber extortion, data breaches, celebrity hacking, Facebook hacking, insider threats, Twitter hacking, Gmail hacking and more.
Why should law firms take note?
The ABA Standing Committee on Ethics and Professional Responsibility has released a Formal Opinion called “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 17, 2018) that asserts “the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”
The opinion further explains the responsibility of law firms and practitioners: “As a matter of preparation and best practices… lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.”
Of course, law firms, like all other entities, are also subject to federal and state legislation regarding information security and data breach compliance, such as Stop Hacks and Improve Electronic Data Security (“SHEILD”) Act enacted by New York in 2019 and the California Consumer Privacy Act (CCPA) which became effective in January 2020.
Being in violation of these regulations can lead to serious repercussions, even legal action, and sizeable fines.
However, the ABA strongly coming out in favor of a responsible approach to cybersecurity also puts the ethical onus on law firms to protect themselves and their clientele. Should an incident occur, and a law firm is found to not have met cybersecurity standards, they will be viewed with disrepute by the public as well as the general law community.
What are the most critical challenges facing law firms in 2021?
Any threats that lead to an eventual breach of data are the most poignant threat to law firms today. It is understood that law firms handle and store information on their clients that can be regarded as extremely sensitive.
To illustrate this, a high-profile incident occurred involving Grubman Shire Meiselas & Sacks law firm and the REvil ransomware in June of 2020. The firm has refused to give in to the ransomware gang’s demands, threatening the release of personal data of its clients, which includes names like Nicki Minaj, Mariah Carey, and LeBron James.
Other frequent threats facing law firms are:
- Phishing scams
- Hacked email accounts
- Legal action due to not adhering to regulatory guidelines or cybersecurity standards
An incident response plan is an essential part of any information security strategy. Not only does it help manage risk and reduce the damage of cybersecurity incidents, but it helps you conduct better digital forensics. This can assist in further improving your incident response process as well as illustrate compliance should legal action be taken against you.