Left to right: Eamon Merrigan and Jason Rubin Goldberg Miller & Rubin

Who’s minding the store—of information? In a law firm, decisions must be made constantly or nothing would get done. You’ve made countless decisions on what type of law to practice, your location and who to hire. Your whole operation, however, relies on your computer system and the internet to operate on a daily basis. You might even be paperless. You have ethical and legal responsibilities to safeguard the confidential information that is stored on your computer system for your clients and must ensure that only the right people have access to the system.  This article explores managing cybersecurity from a law firm management standpoint.

Cyberinsurance

You should have cyberinsurance. Case closed. The cost is relatively modest and the benefits extend beyond payment of benefits to helping manage issues you may have before they become more costly. Obtaining the insurance is likely to require you to fill out an extensive application. If the insurance does not require you to do so, it may not be the best insurance solution. When buying life insurance, if you are not a smoker, you don’t want the same insurance rates as smokers. When buying cyberinsurance, you would want to be insured with entities that are proactive in protecting their systems. The application will most likely pose questions regarding password strength, backup frequency and location, encryption, multi-factor authentication, etc. If you have to do a lot of work to be able to give favorable responses in the application, your current computer consultant has not really been providing cybersecurity and you may need a different consultant. You should be at a point where your IT infrastructure is strong enough so that you can provide favorably honest answers on the application which will, of course, lead to a better insurance rate because you are less likely to make a claim, but also make you feel comfortable you are sufficiently protecting the information in your custody.

Switching Your IT Consultant

This can be difficult, of course, and many firms operate on the “if it ain’t broke, don’t fix it” model. There are some signs short of a breach or emergency that may cause you to examine whether you have the right IT consultant. For example, even if you work with your existing IT consultant to get you to the point where you are able to submit a favorable cyberinsurance application, you should seriously question why these cybersecurity issues were not addressed previously. What is the company doing proactively to make sure there are no cybersecurity issues? How is your data protected, encrypted, backed up?  How is your system protected from internal and external threats? Some consultants will bill on an hourly basis for work performed on your account and others will have a monthly retainer with a charge for work outside the scope of the retainer. As your system is likely to require some sort of regular monitoring, it makes sense to have a company on retainer as long as they can substantiate the protection they are providing by providing the monitoring results. Before you change consultants, meet with at least three companies and get personal references. Consultants are likely to offer a range of services and have different systems for dealing with issues and various competencies. Depending on the size of your organization, it is helpful to have an employee who has some degree of technical proficiency, ideally a degree or at least certificate in computer network administration. This employee can be invaluable in helping you select an IT consultant and being the firm’s regular liaison with the consultant.

Vet Your Vendors

We all are aware that a chain is only as strong as the weakest link. Anyone you let into your system, whether it be an employee, an independent contractor, an IT consultant or a vendor can be that weak link. Your clients realize this and probably require that vendors meet the same security requirements they have for your company. You should make sure vendors verify their IT security protocols in writing. Having certain requirements may remind vendors of additional security requirements they should have. You are in the driver’s seat with many of your vendors and they are likely to make the changes that are necessary to keep your business.

To ensure that vendors can do as little harm as possible, you should make sure access to system controls and the ability to make changes is limited to the extent possible. This is known as the principle of least privilege. Although all access changes can and should be tracked and notifications should be sent to management regarding access changes, you cannot be too careful about who has access to your system controls. These are essentially the keys to the kingdom. The systems administrator can let everyone in or keep everyone out. This cannot fall to just one person in case that person is unavailable or incapacitated. However, if there are too many people with access then there is a loss of control and more of a potential for a system intrusion going unnoticed.

The next step is to ensure that access to the actual data is limited to the extent possible. You might let many people into your home, but only a very limited number of people would need access to a wall safe. Allowing anyone to have access to the safe is just asking for trouble. It would be ideal if only certain people even knew the safe existed. With the use of hidden directories, it is possible to hide the safe. We are not suggesting that this could thwart a master hacker intent on getting into your system, but it does set up a roadblock.

For IT consultants or vendors, you need to investigate their policies of how they do business.  For instance, do they perform background checks on their employees? Are there specific people who will have access to your information or can it be anyone at the company? For any business that has access to your data, it ideal if the business has a recent SOC 2 Certification which is provided by a service auditor, generally a CPA firm. Basically, this is an outside auditing report that certifies that the company is actually doing what it says it is doing in terms of security. This SOC 2 Certification is likely to skew towards larger companies due to the resources required to obtain the certification. Many smaller vendors have excellent security protocols as well, but they may not subject themselves to outside testing to expose potential flaws. You should certainly ask if they have had any outside, independent testing performed on their own systems and it would be ideal if you could review the results.

Ultimately, effective cybersecurity is a team effort but requires specific expertise. As discussed above, you will probably have to rely on outside consultants to a certain extent, but firm management is ultimately responsible for the consultants and if there is a security issue that affects your clients, blaming the consultants is likely to fall on deaf ears. The consultants should have recommended strong security protocols which limit access to your system. Your consultants might not be considering which vendors have access to your system, but you certainly must take this into consideration because these vendors can be the proverbial weak link. Keep in mind, however, that no level of security is impenetrable. There are a multitude of internal and external threats to your system and the potential for rapid transfer and destruction of data. Therefore you should make sure you have robust on- and off-site backup and cyberinsurance.

Eamon Merrigan is the chief information security officer and a shareholder of Goldberg, Miller & Rubin and Jason Rubin is a shareholder and managing partner of the Philadelphia office. Both are active trial attorneys who focus their practices on defending various types of civil claims. They have valuable cybersecurity experience, particularly as it pertains to law firms.