Part One of this series focused on the immediate risks law firms face from hackers, and the potentially devastating harm a single cyberattack can cause. Now we turn to some common assumptions and errors that law firms make in considering cyber issues.
Often, when a cyber breach reaches the news, it is because something bad has already happened. Some cyberattacks may be unforeseeable, but there are common mistakes made by many in responding to attacks. There are opportunities to learn from the mistakes made by other firms and attorneys, and avoid similar issues in the future.
Focus on Prevention
Many law firms develop plans for what to do once a cyberattack happens. However, it is just as important for firms to focus on prevention of attacks. Notably, preventing a cyberattack is not solely an IT issue, but is also a risk management issue.
Firms that have successfully prevented cyber breaches have generally followed four key steps. First, some law firms have implemented a cybersecurity program incorporating common elements such as anti-virus protection, firewalls, secure connections, and required passwords on mobile and desktop devices.
An often overlooked element of a cybersecurity program is defining what actually constitutes a “breach” that will require a response or, possibly, notification of authorities and affected individuals. For some law firms, any unsanctioned access to a firm system may be a “breach”; others may not call it a “breach” until someone has taken something (such as data, files, or money) that does not belong to them. Drawing this line ahead of time can be helpful after a breach has occurred.
Second, some firms have adopted a robust incident response plan. Once a breach event occurs, it is easy for panic to set in. That is why many law firms design a response plan before a breach occurs. It may also help a law firm defend against any claims of negligence after a breach; preparedness is a good defense.
There are a few common elements that most firms consider for their incident response plan: appointing a person to be in charge of the response upon a breach, the reporting chain of command for addressing a breach, the physical locations of servers and where certain information is stored (to help support the internal investigation), a plan for conducting interviews and collecting and preserving evidence, a policy for determining when to involve authorities, a plan for notifying employees or affected parties (which ideally will reflect legal disclosure requirements), and a media strategy.
Third, firms may test their systems. Law firms experienced in this arena routinely review their records and activity logs to establish a baseline for what activity on the system is “normal.” Most hacks, malware, or phishing emails do not announce themselves to the law firm with a message saying “You have been compromised.” More often, evidence of a hack is subtle. Other times, the law firm notices the impact (e.g., money missing from an account) only after the fact, having missed the breach itself in real time.
A law firm can only really determine what activity is “abnormal” after it knows what activity is “normal.” Some law firms treat this issue like their corporate clients might — by hiring a “white hat” hacker to test the system. This shows a law firm where the vulnerabilities are in its networks. It also helps a law firm identify what sort of suspicious behavior to look for in the future.
Fourth, firms may decide to train their employees to recognize what some risks look like, what the firm’s security policies are, and how to report a suspected breach. Firms may also consider whether certain information, programs, or files should be limited to specific employees to reduce the risk of inadvertent disclosure, loss, or an internal incident.
All Law Firms Are At Risk
One of the biggest mistakes a law firm can make is thinking that it cannot happen to them. Even small firms possess confidential data on their networks, such as employee Social Security numbers and privileged communications. Also, it does not take a sophisticated hacker to penetrate a network. If a firm does not have proper security protocols in place for mobile devices, a phone left in a cab can give a stranger an open door to the law firm’s files.
This is a Business Development Opportunity
By having protocols in place to protect client data, law firms may be able to stand out in the marketplace as a good option for clients. This is another way that firms can distinguish themselves and land new clients. If a firm does not have the appropriate security protocols in place, or is unable to implement them, that may be the difference that results in a client choosing another firm to represent them.
Also, law firms can be more competitive by understanding their clients’ security needs. Whenever a client imposes or requests security guidelines, the attorney in charge of the matter might want to run them by the IT department or the in-house cyber “czar” to ensure that the law firm can certify its compliance. A law firm should avoid taking a representation for which it cannot provide proper cybersecurity or where it cannot meet the client’s expectations of security. Doing otherwise may expose the firm to civil liability.
Consider Cyber Insurance
While nearly all law firms have a professional liability insurance policy in place, firms may also consider whether they need something more — such as specific cyber or data breach coverage — to protect them from the costs and exposure of a cyberattack.
A professional liability policy will likely provide coverage for the breach of client information, IP infringement, or third-party losses. But the costs of notifying clients, business interruption, investigation of a breach, or penalties assessed as a result of the breach may not be covered by a traditional policy.
Hire a Lawyer
Law firms do not have to go through this alone. Counsel with experience in cybersecurity and malpractice defense issues can assist a law firm in developing a cyber response plan, investigating an incident, and responding to it. Involving counsel also helps bring the situation within the attorney-client privilege. (Some states also recognize other privileges — such as the self-critical analysis privilege — that provide additional protection.)
Shari L. Klevens is a partner at Dentons and serves on the firm’s U.S. Board of Directors. She represents and advises lawyers and insurers on complex claims and is co-chair of Dentons’ global insurance sector team. Alanna Clair is a senior managing associate at Dentons and focuses on professional liability defense. Shari and Alanna are co-authors of “The Lawyer’s Handbook: Ethics Compliance and Claim Avoidance.”