It’s long been said that data is the lifeblood of nearly every business. However, it’s not just your firm’s proprietary data that needs protecting. In today’s hyper-connected digital world, it’s a given that all data is at risk, especially as your firm calls upon a growing number of legal technologies and digital workflows. To establish and maintain a deep level of trust with prospective and existing clients, you need to protect their confidential, sensitive data.
Why Law Firms Are Targeted
When you consider the type of data your law firms handles, it’s easy to see why those with nefarious intent would try to access it. In addition to contracts, letters of intent, patents, and investigation results, your firm might manage highly sensitive information for corporate clients. Such information in the wrong hands could be used to influence the course of negotiations or even execute insider trading.
Just last year, The Wall Street Journal reported that hackers had accessed the computer networks of some of the country’s most prestigious law firms working on merger and acquisition (M&A) deals, including Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP. Around the same time, headlines blared the news that a Russian cyber criminal had targeted nearly 50 elite law firms to access confidential client information for insider trading.
More recently, prominent global law firm DLA Piper was the victim of an attack that took its operations offline and was projected to cost the firm millions. That’s no surprise, considering that the average consolidated cost of a data breach grew from $3.8 million to $4.3 million between 2015 and 2016. This covers everything from the cost of crisis management services, communications plans, and forensic investigations to fulfillment of state and credit monitoring, and, yes, even legal counsel.
It’s Time to Take Cybersecurity Seriously
As Jay Kozie, principal at Keno Kozie Associates, a Chicago-based law firm technology consultancy, said, “Though they hold vast repositories of confidential information, many firms are slow to adopt up-to-date defenses against malware and spyware.” Yet it’s every law firm’s in ethical duty to secure their client’s data as the ABA Model Rules state:
A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent (or) the disclosure is impliedly authorized in order to carry out the representation…
Even high-ranking members of the US government’s intelligence community are vulnerable to hacking techniques such as phishing and social engineering. Moreover, your client data can be compromised by the innocent actions of employees who visit websites, download files, or click on an email link without realizing the potential dangers. So, your it’s only logical that your law firm employ best practices to secure client data and avoid landing in the news – and losing business.
8 Security Measures to Implement Now
Fortunately, your firm can follow the well-established guidance already recommended by security experts. Here’s an overview of eight key elements of an effective security posture:
- Verified encryption. When storing or sharing electronic files and documents, make sure to apply a security protocol or measure that encrypts the data both at rest and while in transit. One example is key cryptography, where the sender uses their “key” to encrypt a message, and the recipient uses their “key” to verify the identity of the person who sent the message/information and decrypt it. If your data is stored by a third-party provider – such as a hosting company in the cloud – make sure that company follows this best practice.
- Information access control. A common security measure is to grant information access only on an as-needed basis. In other words, every lawyer and staff member in your firm doesn’t require access to every document and file. Once you’ve determined who executes what responsibilities and the information they need to access, you – or the vendor managing your network and infrastructure – can assign appropriate information access privileges.
- Network security. The goal of network security is to prevent threats from entering or spreading across your network, largely by managing access to it. A variety of technologies and policies are used to enable network security, including firewalls, antivirus software, email security software, intrusion prevention systems and more. The strongest network security is based on a layered – or defense-in-depth – approach that addresses every layer of the network.
- Secure data storage. Whether you store client information on servers, portable devices, in the cloud, or somewhere else, you need to make sure it’s secure from tampering and access. In addition to the layered security mentioned above, common forms of protection include data encryption, access control mechanisms, data-corruption protection, and physical security.
- Data backups. One threat to your client data is that you simply lose it, whether because of accidental deletion, or due to a lost laptop or other issue. By regularly performing data backups and copying and archiving your electronic data, you will have a copy you can use in case of such losses.
- Routine maintenance. Regularly maintaining your network and all the systems connected to it can go a long way toward keeping up strong security measures. The latest updates of operating systems and other software often includes new code to address the most recent known security threats.
- Disaster recovery. In the event that your network or infrastructure is brought down by either a human-induced or natural event, disaster recovery makes it possible to continue operating. In a nutshell, it’s a set of plans, policies and tools that make it possible for your firm to resume operations quickly and efficiently in such situations.
- Staff education. You can’t expect your lawyers and other staff to avoid compromising activities and phishing scams and other social engineering tactics if they don’t understand the dangers. Regularly educate your staff about security risks and preventative measures. This can include everything from the latest cybersecurity threats to best practices for Internet use; sharing, storing, and disposing of client data; reporting lost and stolen devices; and maintaining strong passwords.
All eight of these security practices have been top of mind for us since we created our CRM automation technology. If you need a technology partner that makes your existing CRM easier to use while keeping your data secure, find how we can help by requesting a demo.