Why law firms are a top target.
As a practicing attorney or law firm IT professional, you know the huge variety of valuable confidential information even a solo or small firm may possess.
Law firms are attractive targets for cyber criminals because by definition firms deal with a great variety of high value client data — from patent filings, business strategy documentation, board minutes, to M&A data and beyond. For some cyber criminals, law firms are seen as a convenient concentration of exploitable and salable data.
Beyond data value, there is also the vast volume of data being managed and reviewed by many law firms, for example as part of e-discovery in litigation and investigations. Data being transferred to and from clients, then managed, reviewed, produced, accessed and administered by multiple internal actors and external vendors multiplies the threat vectors, from both inside and outside the firm. That data itself may contain malware that can infect your firm.
Rightly or wrongly, the perception has also been that the legal industry has been slower than others to adopt technology and respond to the growing cyber threat, so that law firms are seen as easier targets for cyber criminals.
Law firms are also subject to the risk of the ever growing number of devices, such as smart phones, and software applications and third party vendors being used to support law practice, increasing the “attack surface” that can be exploited by cyber criminals.
The varied and growing cyber threat to small and medium law firms is not theoretical, nor is the threat just rogue individuals. UK authorities recently identified over 650 organized criminal entities deliberately targeting UK law firms.
ABA Formal Opinion 477R states: “Cybersecurity recognizes a…world where law enforcement discusses hacking and data loss in terms of ‘when,’ and not ‘if…’”
We can help.
Law firm security by law firm professionals.
CrossKey is almost unique in the security industry because it is almost entirely staffed by legal professionals or legal technology professionals with decades of experience providing value to the legal industry.
We believe our understanding of the peculiar challenges and requirements of the legal industry — and your practice — brings great value when securing your firm, compared to that of a generalist information security provider. We understand your world, its pressures and practices.
We understand the workflow of a firm: how firms use data, by whom and where. This is critical to reducing cyber risk. And we understand the software tools you use and how you use them, from data review tools like Relativity to intellectual property management software, and the ways that firm and client data is stored, managed and accessed. The legal industry has its own unique working methods and unique needs for a cybersecurity infrastructure.
This provides a sound basis to assess your current state of cybersecurity readiness, recommend remediation and deliver ongoing cybersecurity services to keep you and your clients secure and your firm profitable.
We also believe the cybersecurity threat is an opportunity for those law firms bold enough to position themselves as secure, as F1000 clients increase their cybersecurity requirements for any firm that wants to do business with them.
New rules, new client demands.
Law firms lie at a unique intersection of complex professional rules, heavy regulation and possession of high value client data.
Many of those clients are of course increasingly heavily regulated around cybersecurity, passing on security obligations to their law firms.
Take the Health Insurance Portability and Accountability Act of 1996 (HIPAA): lawyers may qualify as “business associates” under the Act, which brings with it a host of data security, privacy and compliance obligations — and serious penalties for failing to meet those standards.
Meanwhile, the trend of the professional rules is toward ever heightened obligations toward security and privacy of client data. Examples would be ABA Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 2017); and ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 17, 2018).
Formal Opinion 483 also recommends specific action: “As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.” CrossKey can help by performing a Risk and Vulnerability Assessment (RVA).
At the same time, as a condition of doing business, corporate clients demand ever more rigorous cyber security and privacy compliance from their law firms via extensive documentation, controls and audits.
What began with simple security questionnaires is evolving into on-site audits of the security arrangements claimed by the firm and checklists of specific security controls the firm must have in place. Small, medium and boutique law firms with ambitions to work for leading high-growth companies will need to keep up to win their business.
Corporations are also moving beyond the professional rules: where Opinion 477R observes that “[data] encryption, are warranted in some circumstances”, more and more corporate clients now routinely demand encryption of data, including data at rest, as a standard precondition to engaging a firm.
Recent statistics from the ABA illustrate the extent of the cybersecurity challenge for US law firms:
- 26% of firms report some sort of security breach (ranging from hacker activity and website exploits to more mundane incidents such as lost or stolen laptops)
- 19% of firms do not know for certain whether their firm has ever experienced a breach, a more worrying statistic
- 36% report viruses, spyware, and malware infections to their systems; but 26% are not certain whether any such infection has ever occurred
- Only 31% of firms reported having a cyber security incident response plan
- Just 44% use file encryption, 38% email encryption and 22% whole/full disk encryption
- Only 33% of responding law firms in 2019 report their firms have cyber liability insurance
You have seen the headlines. Some of the consequences of poor cyber security or a successful cyber attack are obvious, some less so and worth reviewing:
- Lost firm growth: inability to pass cyber security requirements and audits of desired clients, who increasingly require features such as encryption of data at rest and extensive security audits
- Lost business: a denial of service (DoS) or ransomware attack can close your practice for days or weeks, resulting in frustrated clients and loss of billable hours
- Funds stolen: funds stolen from your law firm or client accounts in your custody
- Future attacks set up: emplacement of other malware in your systems for future exploitation
- Administrative burden: the burden of notifying clients about a breach and dealing with regulatory authorities around the breach
- Lost clients: lost or compromised confidential or business critical client data may mean customers will never trust your firm again
- Lost data: many cyber attacks result in file corruption or other loss of the data you need to run your practice and serve your clients
- Litigation and investigations: malpractice suits and state bar discipline
- Destroyed reputation: resulting bad press and social media can quickly ruin the reputation of a law firm of any size and the associated attorneys
- Increased costs: in the aftermath of a cyber attack you may face high unbudgeted expenses, including litigation expenses involving clients or IT service providers and the cost of breach notification