Almost every day, there are new reports of cyber attacks on large corporations or small businesses. All are vulnerable. It does not matter if it is a retail giant like Target or a solo practice law firm.
Marriott Hotels is the most recent company to report a significant attack. Personal information of 500 million guests was compromised. The attack lasted over four years before it was discovered. During that time, the personal information of those who stayed at or made reservations at a Marriott, including names, addresses, credit card information, and possibly passport numbers, was discoverable by the attackers who breached the system.
Currently, 15 Chicago law firms are defendants in a class action lawsuit where plaintiffs allege the firms had inadequate cybersecurity, which subjected their confidential information to discovery. No actual breaches of the systems occurred and no known compromise of data has been detected. The firms were sued based merely on the possibility that there could be a compromise of confidential information due to the inadequate data protection systems utilized by the law firms.
Owners and managers of small law firms may think this only happens to large companies or large law firms. Unfortunately, that is not true. Smaller firms are also depositories of sensitive material. They may have information hackers would like concerning intellectual property, wills, trusts, and other confidential legal information.
In December 2017, the American Bar Association (ABA) published the results of a survey it conducted in which there were more than 4,000 respondents. An alarming 25 percent reported they had no cybersecurity policy in place and 7 percent said they did not know whether or not their firm had such a policy.
The National Law Review reports that hackers find lawyers not particularly tech-savvy, so they are easy targets for cybersecurity breaches. The consequences of a breach can be severe: loss of files and loss of confidential client information, as well as client credit cards and other personal information. Also, firms incur the cost of repairing the damage. This includes both the financial cost of repairing the damage to the technology and loss of files, and the intangible need to repair damage to the firm’s reputation. There may even be consequences due to a breach of the ABA Model Rules requiring law firms to have protection of their sensitive data.
There are some law office cybersecurity concerns for 2019. Solo and small law firms mainly need to be on the watch for any or all of the following situations that may subject the firm to a breach of its cybersecurity system.
1. Exploitation of day-to-day employee activities. The ABA reports that this activity is responsible for the most successful cyber attacks. An email that appears to be from a client, or maybe a friend or family member, instead contains malware. The employee unwittingly opens the document, which allows the hackers access to the personal and confidential files of all of the firm’s clients. The malware often has a mushrooming effect, so that it enables the hackers to access not only the law firm client files but also the data the clients have on their systems.
If an employee uses an unprotected WiFi at a coffee shop, the entire office files are easily hacked into and malware may infect all of the confidential legal files of the law firm. This can happen even if the employee does not open any suspicious files and only does routine work.
2. Watch out for ransomware. Ransomware is one of the easiest hacking methods that exist. It does not even go after sensitive information but blocks everyone in the firm from accessing the office files unless a ransom is paid. It enters the system when an employee opens a particular email or clicks on an unknown ZIP or PDF file. It can even come in through a USB drive. Remote desktop applications are the most vulnerable.
3. Firms must understand that discarded devices compromise cybersecurity. A few years ago, a managed care healthcare provider returned its copy machines to the retailer when the lease on them was up. No one thought about computers having a hard drive that contained sensitive material. The disposed-of devices included electronic health records of more than 344,000 people. The healthcare provider was fined by the U.S. Department of Health and Human Resources. Also, it had to pay to have the copiers returned to it so it could implement a new security plan for protecting the private information contained on the hard drives.
In addition to sensitive information being contained on the hard drive of a copy machine, the data may be on a cell phone and any other mobile device. When these devices are not correctly disposed of, the information can fall into the wrong hands. This could be an ethical violation of the ABA Model Rules in addition to the money it will take to deal with the unauthorized use of sensitive information.
4. Have a breach preparedness plan in place. The response to a cybersecurity breach is “a critical component to managing its impact and damage.” A law firm that has experienced a breach can minimize the consequences of bad press by informing those whose data was compromised about the incident before someone else does. This may mean going public with the information. Doing so will at least give control of the situation to the law firm and not to outside sources. Although the firm’s reputation will still suffer, it will not take “an additional beating” by being accused of hiding the fact of the breach.
5. The law firm’s cybersecurity plan must be compliant with state regulations. All 50 states now have a data breach notification law. Thirty states have legislation concerning cybersecurity. The ABA has rules pertaining to cybersecurity as do many state bar associations. It is up to each law firm to understand and comply with all the relevant laws and association rules.
To learn more about your cyber security law office concerns for 2019 and how to protect your confidential data, contact Parkway Tech. You can reach the IT firm online or by calling (336) 310-9888.
Parkway Tech offers technology management, help desk services, and strategic IT consulting to law firms and legal practices across North Carolina.
We offer completely customized technology support services for large and small law firms, law offices, and law practices.