I. Law Firm Cyber Security – Consequences of a Data Breach
A data breach of your law firm can result unauthorized exposure of sensitive client data, a loss of sensitive information (permanent or temporary), disruption to regular business operations, financial losses, and potential harm to a firm’s reputation.
II. Law Firm Cyber Security – Tips to Secure Your Data
Law practice management vendor Clio offer these data security tips:
1. Create and implement a data security policy for your firm
Many data security issues are due to user error, not a technology failure.
Make a clear, easy-to-follow plan for data security and share it with everyone at your firm.
Educate employees and enforce procedures such as using two-factor authentication for logins, only using apps vetted by the firm, or a Bring Your Own Device (BYOD) policy for employees using their own devices.
2. Continuously train staff on mitigating data risk
Don’t assume that everyone knows how to spot and avoid a phishing email—open a dialogue and continue to train employees to avoid accidental user errors and promote law firm data security best practices. Require training to be taken upon hire and periodically (usually once a year) thereafter.
3. Use strong passwords
Is your password simple and guessable, like “Lawyer”? Do you use the same password for every login? If so, you could become an easy target for hackers.
Instead, use long, complex passwords, and a password management tool, so you don’t have to memorize them.
Enforce strong password rules.
4. Encrypt your data
Encryption translates your data—whether it’s stored in an email, a local hard drive, an internet browser, or a cloud application—into a secret code, which then requires a key or password to access it.
Download an application that will take care of encryption for you. It should apply in-transit and at-rest encryption, in accordance with industry standards like HTTPS and TLS, to ensure that your firm’s data is stored and transmitted securely.
5. Secure your communications
One of the primary ways for hackers to intercept your data is in your communications. As part of your firm’s data security plan, review and mitigate any vulnerabilities across your communication channels, i.e., encrypt your firm’s emails.
Consider installing the Signal app, a free app that’s available for Android, iPhone, or your desktop computer. It lets you send secure, high-quality, end-to-end encrypted communications (including group, text, voice, video, document, and picture messages) anywhere in the world.
You can even set your messages to disappear after a specified time period, eliminating the risk of your messages ever being read without your consent in the future.
6. Consider access control
Everyone on your staff doesn’t need to know everything. Granting each person permission to view specific matters, on a need-to-know basis, but no other matters. Abide by the Principles of Least Privilege and Need to Know.
7. Conduct regular reviews
Conduct regular audits (you could build this schedule into your firm’s data security policy) to identify and address risks, i.e., ensuring that anti-virus software and firewalls are operating effectively, any recently-departed employee no longer has access to your firm’s computer network or files, etc.
8. Vet vendors carefully
To ensure your provider will do you more good than harm with your data, carefully vet potential vendors. If you store your firm’s data in the cloud, review your vendor’s security capabilities:
- Does the provider offer a full-spectrum electronic protected health information (ePHI) and HIPAA compliance-ready solution technology?
- Are its data centers in compliance? Given the current cybersecurity threat landscape and increasingly strict compliance standards, it has become common for organizations of all sizes to require strict assurance certifications when contracting with third-party professionals. Those without certification are at a disadvantage. Common compliance standards include, but are not limited to, SOC1/SOC2/SOC3/SSAE16.
- Does the provider offer multifactor authentication? If so, ensure broad implementation throughout your firm.
- Do the data centers leverage biometric authentication?
- Does the provider encrypt at the database level, in transit and at rest?
9. Create an incident response plan
If your firm does incur a data breach, every firm member should know what to do, before it happens.
The plan should detail what needs to be done immediately in terms of communication, changing passwords, and reporting (to impacted individuals or regulatory authorities) if there is unauthorized access to your data. It should also specify your firm’s plan for what to do if a malpractice claim is filed. Also consider including any guidance provided by the ABA with respect to your ethical obligations.
Test the plan, and fix and flaws.
Create a disaster recovery/business continuity plan, so your law firm can continue to operate effectively. It should include considerations for items such as defining critical systems and equipment, identifying appropriate tools/procedures (i.e. backups, remote sites, cloud providers, etc.), and developing communication plans. Also consider any guidance provided by the ABA (Ethical Obligations Related to Disasters).
Test the plan, so you can determine what does and doesn’t work.
10. Improve your law firm’s mobile security
With more and more legal work done remotely, there’s increasingly a need for mobile law firm data security. Making use of secure mobile apps takes a lot of the heavy-lifting out of the process, but your smartphone and laptop, in general, might also need a security makeover. Secure your phone, laptop, and other mobile devices, with steps like:
Enable encryption
While having a lock-screen password on your laptops and mobile devices is a first (essential) security measure, it won’t protect your data if someone gets a hold of your password. Enable encryption on your mobile devices to scramble sensitive data for unauthorized users, and enhance security. Here’s how to encrypt your iPhone or your Android device.
Set up two-factor authentication
No matter how strong your password is, it can still be hacked. Adding two-factor authentication—which requires your password (the first factor) and a temporary code sent to another device (the second factor)—makes it that much more difficult for someone to access your device. In practice, two-factor authentication usually requires the person logging in to verify their identity through the use of their mobile.
Backup firm data to secure servers
Regularly back up your firm’s data to a secure, encrypted location, so you’ll still be able to access it. One of the benefits of using cloud-based software is that backups are taken care of for you and support any incident response and/or business continuity plans you develop.
Keep professional and private accounts separate
Don’t risk mixing confidential professional communications with your personal ones. By using dedicated apps for your professional work, you can keep these two worlds apart.
Have a plan for lost or stolen mobile devices
If you lose (or someone steals) your smartphone, what’s the first thing you’ll do? From having a way to locate a missing device (like Find My iPhone or Google’s Find My Phone), to knowing how to suspend service or disable your device remotely, it’s important to make an action plan before you need it. Make sure you have full disc encryption on your laptop as well so you can know your data won’t be compromised if your laptop is stolen or lost.
11. Train your clients
Clients don’t know their actions are not secure. Yet, law firms are the ones bearing the risk for a client exposing details, like banking information, to scam artists. To prevent this risk from blowing up into trust account errors and payment disputes, lawyers need to train their clients, from their initial conversation, on what methods of communication are most secure and how to use them.
A client should, as part of retention, learn the following:
Whom to expect will be contacting them,
What methods of communication will be used between lawyer and client,
What steps clients are expected to take to help preserve confidentiality, and
How to report anything that deviates from this discussed training.
Show the client how the the firm’s client portal functions, and and how to log in and create a password, during your first meeting.
III. Law Firm Cyber Security – 4 ‘Must Haves’, With Instructions
Crum & Forster, one of the largest cyber insurers of law firms, offers 50% premium reduction to firms that implement these cyber security best practices:
2-Factor Authentication – Prevents hackers from logging into your email, bank account, etc., by requiring entry of another ‘factor’ besides user name and password, i.e., a text message sent to your phone.
Configuring Automatic Software Updates – Enables vulnerabilities and improves security in your computer’s operating system and other software programs, to be fixed, as soon as the manufacturer releases an update.
Updating Domain Name Services – Enables you to use a DNS provider that blocks traffic from known malicious websites, when browsing the internet.
Removing Administrative Privileges From PCs – Prevents users from accidentally installing malicious programs when they clicked on a link or attachment in a phishing email.
Step-by-Step Video Instructions For Each of the 4 Steps
IV. Further Reading
Protect Your Law Firm From Cybercrime: The Basics and Beyond
How to Protect Your Law Firm from Ransomware
Best Practices to Avoid Wire Fraud