What makes law firm data so vulnerable and what needs to change?

Given the sensitive nature of legal work and the requirement to maintain client confidentiality amid rampant cyberthreats, data security is a must-have for every law firm. First, a law firm that consistently secures client data is in a much better position to serve those clients. Second, it sets the firm apart from the pack of law firms with substandard security, a smart move in a highly competitive legal industry.

This is why law firms must implement a stronger data security strategy, ideally one that covers all the glaring data security lapses within the legal industry.

What makes law firms a prime target

Law firms, like most businesses, handle sensitive data such as social security numbers, payroll data, health plan data, and financial and tax information.

However, a law firm’s network carries a rich cache of data that makes it an even more attractive target for data breaches. Nonpublic issuer data, client trade secrets, confidential information on clients’ business strategies, controversial matters and transactions or sensitive information with reputational impact for public and private persons and institutions, and so on make a law firm a target for malicious actors motivated by financial gain and espionage.

Substandard law firm cybersecurity

Despite holding troves of sensitive information on their servers, law firms' cybersecurity measures are lacking, according to these findings from the 2018 American Bar Association (ABA) Legal Technology Survey:

  • Less than 50% of the firms surveyed possess the following essential security policies and plans:
    • Only 41% have a computer acceptable use policy;
    • Only 37% have a remote access policy;
    • Only 21% have a BYOD policy;
    • Only 25% have an incident response plan;
    • And only 40% have a disaster recovery plan.
  • 53% of the respondents risk noncompliance with data regulations and exposure of sensitive data by not having policies and processes on managing data retention.
  • 31% of the surveyed firms allow employees and non-employees to use personal devices like tablets, laptops, and smartphones to access their networks without any restrictions.
  • Only 46% of these firms possess file encryption tools that protect data from unauthorized users, while only 38% have email encryption and only 24% have full disk encryption.
  • Among firms that utilize cloud services, less than 50% practice security precautions such as examining the provider’s history; reviewing the provider’s privacy policies and terms of use; using web-based software with encryption; or regularly backing up local data to the cloud.

Underlying causes of substandard security

With new threats emerging every day, the risks of not securing files are more alarming than ever, especially since hackers attack every 39 seconds — on average, 2,244 times a day. The average cost of a data breach is $3.92 million as of 2019, while the average cost of a ransomware attack on businesses is $133,000. The number of accounts with sensitive data stolen from corporations in a single breach usually runs from the millions to the hundreds of millions.

And yet law firms still lag behind in cybersecurity. Why is that?

  • Some firms are HIPAA business associates and are subject to regulations like personally identifiable information breach notification statutes. But in general, a law firm’s client-related data security is self-regulated and guided by the ABA model rules of professional conduct.
  • Many firms have a traditional financial model that discourages long-term investments in security, which explains why some are understaffed for IT security.
  • They continue to use legacy systems with inadequate or, in some cases, nonexistent security patches and features.
  • Many firms lack controlled data destruction measures and retain sensitive and confidential data for far too long, thereby multiplying their security exposure.
  • Legal staff often work in crunch mode, which makes them more prone to make mistakes on IT systems and more vulnerable to social engineering attacks.
  • It's common practice for law firms to make information about their lawyers and client-facing staff publicly available. Much of this public information, such as extensive professional bios on the firm's website, can be exploited for spear phishing and other social engineering activities.
  • Lawyers’ professional statures and reputations, their culture of secrecy, and their trusted adviser brand make them targets for ransom extortion.

SpectrumWise is an expert at addressing the unique technology challenges of the legal industry, including threat awareness, incident response, and encryption. Set up and implement a comprehensive IT plan to protect your client data. Talk to us today.
