Cyber security at legal firms – are you exposed?
When it comes to data breaches, law firms are like any other organization trying to fend off cyber-attacks and protect confidential and proprietary data. In fact, smaller firms often see a higher proportion of incidents involving malicious code and malware, while disgruntled employees and stolen or lost devices tend to be the cause of these incidents at larger organizations. Law firms are prime targets for state-sponsored espionage and organized crime groups for three reasons:
- Lawyers are usually at the center of a matter requiring access to data from all relevant sources
- Lawyers are a highly mobile workforce, requiring anytime, anywhere, any device access
- Lawyers are focused on clients, often willing to compromise controls and protocols (within ethical boundaries) to deliver service.
Similar to accounting firms and healthcare providers, law firms have a duty to act competently on behalf of their clients, which includes safeguarding confidential attorney-client and work product data. In addition, the environment in which professional services firms operate heightens the need for these firms to keep up with changes in the law and with the risks associated with technology.
Strategy and Protection
The first line of defense for all companies, including law firms, is to establish a security program/protocol. An enterprise security program should include the following:
- Develop a comprehensive security and data breach plan for your law firm.
- Train attorneys and support staff on security and data issues frequently.
- Physically secure computer equipment and file rooms.
- Secure internal computer networks with the use of anti-virus software, malware protection, firewalls, and strong passwords. Consider configuring software to prohibit the use of portable storage for most users.
- Understand security issues that may arise in any cloud computing services used by your firm. Cloud services frequently used by lawyers include email and contacts, storage (such as Google Drive and Dropbox), collaboration software (such as Google Apps), and law firm management applications.
- Minimize production of personal information where possible.
- When production is unavoidable, make an agreement regarding treatment of the personal information. Include an agreement on how and when documents produced are to be destroyed, and the format in which such production must be maintained.
- Encrypt information as much as possible, whether produced to others or stored on your computers. Encryption can result in slower computation, so the cost and benefit should be considered. Mobile devices, such as cellphones and portable storage, are even stronger candidates for encryption.
- Have a proper file and data destruction policy. Using certified vendors for file and data destruction can provide a safe harbor for file and data destruction under certain laws.
- Ask clients if any of their data warrants special protection and discuss how that data should be protected.
- Make sure vendor and expert contracts include provisions for security and confidentiality.
Although technical staff will oversee and implement most of these activities, it’s critical that firm partners and staff provide input into the development of these policies. Without buy-in and adherence, the firm is only as strong as its weakest link.
William Gallagher Associates is a leading provider of insurance brokerage, risk management and employee benefits services to firms with complex risks and dynamic needs, within industries that include technology, life sciences, financial risks, health care, renewable energy & clean technology, and environmental services. WGA has offices in Boston, MA; New York, NY; Hartford, CT; Princeton, NJ; Columbia, MD; and Atlanta, GA.