Cybersecurity Is a Fundamental Legal Responsibility

By Brad Smith

All practicing attorneys face daily threats from cybercriminals worldwide. It does not matter whether you work for a large firm or are in a solo practice. Not only do lawyers and law firms deal with substantial sums of money, they possess confidential information that threat actors can use to leverage substantial ransoms. Failing to protect your firm and the money and information provided by clients will be costly financially and to the reputations involved. As IT and tech law specialist Sasa Markota noted, “Only when clients have full trust that their communication with the attorney is confidential can I get all the information I need to do my job. On the other hand, if that confidence is violated, clients could suffer irreparable harm, and my career and reputation would be ruined.” Let’s take a look at some fundamental cybersecurity points for lawyers and firms before going over actionable cybersecurity steps.

There’s a common assumption that only large firms with high-stakes clients are at risk of cyberattacks. Not true. Hackers know that small companies are less likely to have dedicated security teams or tight security practices. For the effort involved in hacking a large company or law firm, hackers can attack multiple smaller businesses or firms and still achieve significant financial gain. Every staff member in a firm is responsible for cybersecurity. From office and support staff to senior partners, cybersecurity is a team effort. Although it is tempting to think that IT will take care of all security matters, this mindset is dangerous. The concept of proper cybersecurity must permeate a firm’s ethos and practices. Below are some key areas that warrant consideration. If your tools are not secure, you are essentially inviting hackers into your systems. All devices that connect to a firm’s system and interact in any way with confidential information and financial data need to be properly secured. Invest in anti-malware programs to help thwart any attacks. You should also install high-quality Virtual Private Network (VPN) software in your office router to encrypt data throughout the network, shielding it from any prying eyes.

Make sure that devices used for remote work are covered by the security software. The signature database should be updated, and the files fully scanned daily. Make sure that all software in use is set to automatically update. Software developers provide updates to patch errors and alleviate exploitable security risks that allow hackers access. Make sure that updates are installed properly. The days when one password was good enough are long gone. Make sure everyone is using strong passwords and that these are being changed regularly. Everyone in a law firm should be using proper multi-factor authentication whenever they do work-related tasks. This should be applied to all devices and any cloud-based storage or software systems in use. Create cyber risk awareness. Far too many cyberattacks occur because someone opens a link that allows a criminal into a law firm’s systems. Cybercriminals use clever social engineering tactics to tempt your staff to click on links. Proper education around the risks is the best way to minimize them. Develop a healthy skepticism around suspicious emails and text messages before opening anything that seems above board initially. It’s easy to be fooled, especially when staff members are working fast and juggling multiple tasks.

Law firm staff should never open suspicious links that arrive via email or short message service (SMS). Some training may be required before lawyers and staff can differentiate between legitimate and dangerous emails. Make sure nobody is opening work emails on public wi-fi networks. Introduce an email deletion and retention policy. Check email settings regularly to make sure no redirects have been set up and emails are not being unwittingly forwarded to cybercriminals. Training by professionals is the best way to ensure a solid cybersecurity culture. Staff members can be the strongest or weakest link in cybersecurity. If your staff is vigilant and well informed, data breaches due to human errors can be avoided. If not, malware on a compromised employee’s device could easily spread to a connected office network. Bear in mind that training carried out a few years ago will not encompass enough of today’s threats. Training should be repeated on a regular basis, and everyone in the team should be involved.

Make sure all team members are on the same page when it comes to cybersecurity by keeping a copy of your procedures and key information in one place, and encouraging staff to review it. Your plan should include information on what to do if a breach should occur. Keep your clients in the cybersecurity loop. Securing your own systems is good; but if your clients, who are equally susceptible to hacks, aren’t adequately managing cybersecurity on their end, you may have an issue. Making sure that clients know about potential risks should be standard practice. The attorney-client relationship is not secure unless it is cyber-secure. In your first meeting, let clients know about the risks that fraudulent emails pose. Confirm those risks in your first letter to clients and consider updating your standard letter of engagement. Require clients to verify an email request for payments before any money exchanges hands. In addition, some lawyers and firms include a warning at the bottom of their email signature. Brush up on any relevant data security laws. Failing to follow proper policies and procedures can result in legal malpractice. It is absolutely critical that all relevant data security legislation is followed to avoid expense, serious reputation damage and possible disbarment. The rules surrounding whether firms and attorneys are governed by state or federal laws when it comes to cybersecurity are somewhat murky. The American Bar Association (ABA) has issued rules and advisory opinions related to cybersecurity obligations, lawyers and law firms. As part of these Formal Opinions, the ABA stipulates that attorneys should exercise reasonable efforts to stop “inadvertent or unauthorized” disclosures or access to client information. This includes staying up to date with technological developments and threats. Firms should abide by guidelines from the National Institute of Standards and Technology (NIST). The NIST provides the most comprehensive cybersecurity framework nationwide, and the one that is in use by the federal government. Under U.S. law, data owners face liability for losses resulting from a data breach even if the security failures are the fault of the data holder, such as a cloud provider.

The worst-case scenario is that a breach occurs, and sensitive client information is revealed to attackers. Having a proper plan in place that details when and how to report the breach can make all the difference to your firm’s liability. Additionally, you may be able to halt any fraudulent transactions if you act fast. Having a plan and acting on it is also likely to be a prerequisite for payment under any insurance policy. Make sure your response plan includes key information such as who you need to contact and when. Add contact information for a cybersecurity professional who can check your systems to ensure no further damage is done. Cybersecurity is a team effort that involves every single staff member in a law firm. Taking the right steps towards securing systems can mean the difference between success and failure. Follow the guidelines above to ensure your data, and that of your clients, is in safe hands.

Brad Smith is a technology expert at TurnOnVPN, a non-profit promoting a safe and free internet for all. blog@turnonvpn.org