The American Bar Association's 2020 Cybersecurity report surveyed lawyers in private practice on a wide range of data security topics, including technology policies, security tools, breaches, malware, and data archiving. The report particularly highlighted heightened concerns about security effectiveness as law firms closed their offices and moved to a remote business model at the onset of the Covid-19 pandemic.

As it turns out, these concerns have proven to be justified: the increase in cyberattacks during the pandemic has had a significant impact on the legal industry, with widely publicized ransomware attacks hitting several prominent firms and resulting in serious reputational damage and significant liability. There is no doubt that other attacks have taken place but have not been made public.

Although firms may believe they have appropriate protocols in place for cyberattack prevention and breach response, the data showed that less than half of the law firms participating in the ABA survey even use basic security tools such as encryption, two-factor authentication, intrusion detection and prevention, or remote device management.

Assuming Responsibility for Law Firm Cyberattack Risk

As the ethical and practical imperatives of data security become clearer, some firms have taken a palliative approach (buying insurance to mitigate financial exposure) while others are taking a wait-and-see approach; the ABA survey reports that only about a third of firms hold cyber liability insurance policies.

While it is a good idea to carry insurance, a policy does not prevent data breaches, nor does it protect a firm from the contractual or regulatory consequences of one.

Compounding the poorly mitigated data breach risk, many Big Law lawyers remain in the dark about security incidents at their own firms. While about three-quarters of survey respondents from firms with 50 or fewer lawyers say they are aware of whether their firm has experienced a breach, nearly two-thirds of lawyers working at firms with 100 or more lawyers say they have no visibility into their firm's data breaches.

Prevent ransomware attacks

Ransomware, a specific type of malware that infects devices and allows attackers to encrypt or steal files and demand payment for their return, poses a serious threat to law firms, which handle highly sensitive client data and generally maintain weak data security protocols.

While ransomware threats are constantly evolving, law firms are particularly vulnerable given the nature of the client data they hold: banking records, tax documents and other private information. Law firm staff typically use multiple devices, which presents a large number of entry points for attackers to infiltrate.

Along with the new apps and products flooding the legal industry, many firms are taking steps to migrate the software they use to the cloud, which makes data security harder to manage if done without a plan.

Migrate to the cloud for next-gen security

Largely due to resistance to change, fear of losing control, and data security and compliance concerns, law firms have traditionally avoided cloud services. Although protecting on-premises data presents a wide range of security challenges, including managing a multitude of firewalls and intrusion detection systems, many firms believe it is more secure and less complicated than storing data in the cloud.

Firms are rightly concerned about cloud cybersecurity in general, and about their clients' contractual requirements in particular. Because outside counsel guidelines typically state that client data must be stored in a specific way, which often means keeping sensitive information in a firm-managed environment, firms must audit and transparently update these agreements before migrating client records to the cloud. For a large firm managing thousands of such agreements, this is an onerous and costly exercise.

Additionally, some clients may not be cloud-ready, which forces a firm to decide whether it is willing and resourced to run two data management systems in parallel.

Although advanced cloud models for risk and compliance incorporate key elements of secure computing by meeting or exceeding common regulatory requirements, and often offer a higher level of security than an on-premises deployment, the EU General Data Protection Regulation (GDPR) has raised new concerns about cloud storage for the legal industry.

Since the regulation itself is vast and amorphous, and the penalties for violating its privacy and security standards are significant, GDPR compliance is a substantial hurdle, especially for small and medium-sized firms.

In addition to providing strong security, cloud platforms automate identity management so that users are granted permissions only for the specific tools and datasets deemed necessary, and those permissions can be modified, disabled or removed as required.

In contrast, when internal IT teams manage identity, it is common to enforce a single security policy that grants every user access to every application, which also hides unusual access patterns, because nothing is ever denied. Once attackers get through the firewall, they have access to the entire firm network.
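The contrast above, as an added example that is not part of the original article or of any vendor's product: a small Python model of the two identity styles, a flat "everyone may reach everything" policy beside per-user, per-resource grants that can be revoked or disabled. The user names, dataset names and access requests are constructed for illustration; the point it shows is that under the flat policy a stolen account reaching for data it never needed produces no denial at all, while under scoped grants the same requests are refused and recorded.

```python
"""
Added example (not from the article): a minimal comparison of a flat access
policy with least-privilege, per-user grants. All names below are constructed.
"""
from dataclasses import dataclass, field


class FlatPolicy:
    """One policy for the whole firm: any authenticated user may reach any resource.

    Nothing is ever denied, so an attacker using a stolen account leaves no
    denial events behind and unusual access blends into normal traffic.
    """

    def __init__(self, users):
        self.users = set(users)

    def authorize(self, user, resource):
        return user in self.users


@dataclass
class ScopedPolicy:
    """Least-privilege grants: each user holds an explicit set of resources.

    Every denied request is recorded, which is what makes an unusual access
    pattern (a compromised account reaching for data it never needed) visible.
    """
    grants: dict = field(default_factory=dict)
    denials: list = field(default_factory=list)

    def grant(self, user, resource):
        self.grants.setdefault(user, set()).add(resource)

    def revoke(self, user, resource):
        self.grants.get(user, set()).discard(resource)

    def disable(self, user):
        # Disabling an account removes all of its grants at once.
        self.grants.pop(user, None)

    def authorize(self, user, resource):
        allowed = resource in self.grants.get(user, set())
        if not allowed:
            self.denials.append((user, resource))
        return allowed


# Constructed sample of access requests: the first four are routine; the last
# two come from "bob", a paralegal account an attacker has taken over and is
# now using to pull client financial records and the document archive.
SAMPLE_REQUESTS = [
    ("alice", "matter-123/docs"),
    ("alice", "billing"),
    ("bob", "matter-123/docs"),
    ("bob", "email"),
    ("bob", "client-bank-records"),
    ("bob", "dms-archive"),
]


def build_scoped_policy():
    """Grants reflecting what each constructed user actually needs for their work."""
    policy = ScopedPolicy()
    policy.grant("alice", "matter-123/docs")
    policy.grant("alice", "billing")
    policy.grant("alice", "client-bank-records")
    policy.grant("bob", "matter-123/docs")
    policy.grant("bob", "email")
    return policy


def replay(policy, requests):
    """Replay requests through a policy; return the (user, resource) pairs it denied."""
    return [(u, r) for u, r in requests if not policy.authorize(u, r)]


def run_comparison():
    """Return (denials under the flat policy, denials under scoped grants)."""
    flat = FlatPolicy(["alice", "bob"])
    scoped = build_scoped_policy()
    return replay(flat, SAMPLE_REQUESTS), replay(scoped, SAMPLE_REQUESTS)


def after_disable():
    """Once the compromise is noticed, one call cuts the account off everywhere."""
    scoped = build_scoped_policy()
    scoped.disable("bob")
    return replay(scoped, SAMPLE_REQUESTS)


if __name__ == "__main__":
    flat_denied, scoped_denied = run_comparison()
    print("flat policy denials:  ", flat_denied)    # [] -> the compromise is invisible
    print("scoped policy denials:", scoped_denied)  # the two attacker requests
    print("after disabling bob:  ", after_disable())
```

The flat policy returns an empty denial list, so the takeover of "bob" is indistinguishable from normal use; the scoped policy refuses exactly the two requests that fall outside his grants, and `disable` shows the "modify, disable or remove" lever the paragraph describes.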

Leverage cloud insights and tools

Because the reputations and business models of cloud service providers depend on state-of-the-art data security, these providers invest heavily in robust security teams and timely platform updates. It is a simple matter of scale: a single law firm cannot develop and run the same breadth and depth of security controls and innovation as a cloud service provider.

Cloud technologies save law firms money by eliminating not only the high cost of data storage but also the investment required to maintain and upgrade equipment. Because cloud solutions are subscription-based and scalable, firms get predictable spending and automated updates.

Most cloud service providers serve a wide range of customers and, as a result, may be subject to strict regulatory requirements; many also voluntarily adhere to industry best practices and standards such as ISO 27001, which sets strict requirements for managing information security, including the operation of their data centers, together with regular independent audit cycles to verify compliance.

On a practical level, working with a well-vetted cloud service provider not only reduces the risk of a high-stakes breach but also makes it easier to provision applications, monitor usage, and enforce security policies.

Navigate the regulatory environment

In the past, law firm data breaches often went unreported or even undetected. Now all 50 states plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws requiring companies to notify affected parties when their personal information is breached.

Today, legislators continue to expand existing laws; 22 states strengthened their security breach regulations in 2021, including by shortening the window for companies to report breaches and requiring private sector entities to report breaches to the attorney general or another state body.

Very few law firms maintain the IT infrastructure necessary to inspect and limit malicious traffic (which may require reverse engineering code) or to remediate potential harm.

Compounding the impact of this gap, the business implications of a large-scale security breach are particularly devastating due to law firms’ contractual and compliance obligations. If a law firm experiences a data breach, it may lose clients who view the incident as a breach of the firm’s fiduciary and ethical responsibilities.

Protect your business against risk exposure

Survey data shows that cybersecurity remains a major challenge for law firms, and the industry finds itself increasingly targeted because of its wealth of sensitive data and deep pockets. With representatives from nearly two-thirds of the top 100 law firms identifying cybersecurity threats as a major concern, it is telling that less than a quarter of these firms have a cybersecurity committee that reports to the firm's governing body.

Although many persist in believing that internal servers are more reliable and secure than cloud-based solutions, cloud storage provides critical redundancy that protects both data durability and availability and guards against file loss from equipment failure, physical damage, or a destructive breach. As threats become more relentless and sophisticated, firms focused on long-term data security are embracing the protections offered by the cloud.

This article does not necessarily reflect the views of the Bureau of National Affairs, Inc., publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Thomas Hadig is the Chief Corporate Security Officer at Intapp, where he has held computer and systems engineering roles for over 17 years.

Robert Barrette is corporate counsel at Intapp. He has held business and legal positions at two Fortune 200 companies and is currently focused on global privacy in the software and platform-as-a-service industry.