We now live in a world where some of the greatest business threats come from cyber attacks. While governments and large corporations are targeted for their large data sets, corporations’ outside counsel may have a smaller set of more valuable and relevant documents. Accordingly, computer-savvy intruders are increasingly attracted to the quality and quantity of documents that law firms hold. Law firms retain documents that include investment plans, business strategies, descriptions of technology secrets, and materials on mergers. One data security company reports that 10% of the advanced cyber attacks it investigated in the past 18 months were targeted at law firms. Just last year, Chinese hackers attacked several Canadian law firms working on a $40 billion acquisition to steal strategic data.
Breaching the security of law firms jeopardizes a long-standing tradition that people should be able to seek legal advice with confidence that their secrets will not be exposed.
Law firms often have worse security for their clients’ data than the clients themselves, which attracts cyber attackers to law firms. A client will usually have greater incentive to protect its private information than the law firm does, because the client is protecting its own secrets, while the law firm would suffer a smaller loss in the hypothetical fees that it could not bill to its client. A small law firm may lack the resources, technological knowledge, or the will to consistently keep its clients’ data adequately protected.
Many problems arise when law firms are cyber attacked. Law firms might be tempted not to report cyber attacks because they may suffer damage to their reputation, reduced client confidence, and lost clients. However, if law firms remain silent, they limit their ability to take corrective measures and to share experiences with other law firms in a collaborative fashion to prevent future cyber attacks on other firms. Ethically, if a client’s information has been stolen, a lawyer has a responsibility to tell the client so they can mitigate the damage if possible.
Here is a list of measures law firms can implement to thwart cyber attacks. By utilizing these measures, firms will be in a better position with their clients, the bar, and regulators by showing that their security is aligned with best practices, their management is engaged, and the most effective tools are deployed.
1. Hire a chief information security officer and give him/her a budget to hire the staff needed to safeguard digital assets with a security program. In hiring and creating the position, it is important that the officer is not outranked by senior attorneys who think the security policies are too restrictive and detailed.
2. Set policies throughout the company regarding the use of encryption, remote access, mobile devices, thumb drives, laptops, Web email accounts, and Wi-Fi “hotspots.” A good start to setting such policies is getting lawyers to take modest steps towards maintaining a minimum level of competent online security.
3. Compartmentalize extremely sensitive data that could cause the greatest harm if breached. One suggestion would be to keep this data on a separate server with stronger security protections.
4. To gauge how well the previous steps have worked, contract third parties to run vulnerability and penetration scans.