A new report by Legaltech News suggests law firms might be at a heightened risk of cyberattacks.
Jeffrey Norris, senior director of information security at LexisNexis, told Legaltech News that law firms have become a bigger target for cybercrime because they might not have the most sophisticated data handling abilities and they handle sensitive data that could contain personal data.
Norris’s sentiments have been echoed by the New York Financial Services Department, which views law firms as a secondary access point for criminal activity because of the volume and sensitivity of data they deal with.
Legaltech News quoted the New York state agency as saying “Heightened risk of cyberattacks puts pressure on law firms to bolster defenses.”
However, local firms are saying cybersecurity issues are already top-of-mind and they have experts in the field on staff.
Timothy J. Toohey is a partner in Morris Polich & Purdy’s office in Los Angeles. The firm also has an office in Las Vegas. He is both a U.S. and European Union certified information privacy professional as well as a certified information privacy manager. His practice concentrates on privacy and data protection matters, as well as intellectual property and technology litigation. He has spoken and written on privacy, data security, technology and intellectual property matters.
“Law firms have a great deal of valuable information that they hold on behalf of their clients, and much of that is confidential and much of it the most valuable information clients have,” Toohey said. “For example, patent applications, business plans and all sets of documents related to ongoing litigation of a high-stakes nature. So, law firms everywhere are custodians of their clients’ most valuable documents.
“Some cyberattackers believe, and there is evidence of this, that law firms don’t always have the same level of security as their clients do. Sometimes, not always, law firms are easier targets than clients themselves.”
Toohey added that law firms might be seen as easier targets because they may not have the same hierarchical structure as their clients. Their clients usually have privacy officers and chief security officers and are organized to look at risk management issues in a more comprehensive way.
“Law firms are in the business of providing legal advice and may not have people as sophisticated in security issues and technology as their clients do,” he said. “I don’t know if it’s a fair criticism because the level of sophistication of lawyers in terms of technology varies a great deal.”
The level of concern about cybersecurity has certainly been on the rise in all industries after the hacks at retail giants Home Depot and Target.
“There are certain requirements under state law that require certain notices about breaches as far as any information that is breached, even information that could be considered confidential and needing protections by ethical obligation,” said Jennifer Roberts, a cybersecurity expert at Duane Morris LLP in Las Vegas.
“From what I am aware of, law firms have been taking cybersecurity seriously for several years. From my understanding, the FBI has notified law firms of possible attacks several years ago. I think with advances in technology and with the requirements to protect client confidentiality, it has always been on their radar. The American Bar Association has a cybersecurity task force and resolutions that encourage cybersecurity protections. It’s not anything new.”
To make sure their clients’ information is secure, Toohey said law firms can lock down computer systems so that it is not easy for a careless employee to take data that are confidential; restrict access to information; make sure permissions are proper so that people cannot get into parts of the computer system that they are not authorized to access; and restrict the ability to take data off the system with a thumb drive.
Roberts added that law firms need to have policies and procedures internally on how to handle data; encrypt information that is sent outside the office; control which employees have access to what information and how it is transmitted; track company cellphones, laptops and thumb drives; and of course, make sure those devices are highly password protected.
“First and foremost, and this is near and dear to my heart, is training the workforce, not just lawyers — everyone — to be aware of all the dangers that exist out there in terms of people trying to get information from you,” Toohey said.
Because a cyberattack at a law firm can have dire consequences, Toohey said, some firms are investing in cyberinsurance in addition to professional liability insurance to protect themselves.
“Cyberinsurance is a very recent product that is typically used by businesses to cover a whole range of costs that are related to cyberincidents,” he said. “For example, if there is a data breach, cyberinsurance can pay for the investigation of reasons for the breach, repair the system if it was down, pay for notification costs if information was affected, and in some instances, lawsuits that arise out of that.”