Cyber Security: Cyber security and the enhancement of law firm confidentiality

By Carl Mazzanti

A hacker went after a New York City law firm that represented celebrities like Madonna, Elton John, and Lady Gaga — demanding a ransom of at least $21 million to prevent the release of confidential client information. The incident dramatically illustrated the threat posed by bad actors.

Every day, attorneys handle reams of sensitive information, ranging from personal client data to highly confidential corporate matters. Confidentiality is a cornerstone of the legal profession, and clients need to know their information will stay private. As data breaches become more common, the trust of clients and the reputation of law firms are at risk.

According to American Bar Association statistics, at least 25 percent of firms have experienced a data breach. Attorneys who work with experienced cyber security providers can reduce their chances of being victimized.

Law firm hacks have affected more than 750,000 Americans since 2020, with cyber criminals targeting not only large firms, but also solos and smaller firms. Statistics from the ABA’s TechReport 2023 indicate that 29 percent of respondents experienced some sort of security breach last year, including a lost or stolen computer or smartphone, a cyber hack, or a website exploit. Of note, although 29 percent reported a security breach, others said they did not know if their firm’s security had been compromised. The percentage of respondents who reported that they “do not know” was 5 percent for solo attorneys, followed by 5 percent for firms of between two and nine attorneys, 29 percent for firms of 10-49 attorneys, 14 percent for firms of 50-99, 41 percent for firms of 100-499 and 60 percent for firms of 500 or more. Because larger firms tend to hold more data, they make more appealing targets for cybercriminals.

Ripple effects

A data breach can harm a firm’s reputation, and could expose it to class action and other lawsuits from damaged clients. Firms may also face penalties under laws like HIPAA, the California Consumer Privacy Act, New York’s SHIELD Act, and the GDPR, which can result in large fines. And ABA Rule 1.6(c) states that attorneys must take steps to prevent any accidental or unauthorized disclosure of client information.

ABA Rules 1.1 and 1.6 also emphasize the importance of competence and confidentiality in the legal profession. According to the comments accompanying Rule 1.1, a lawyer is obligated to know of the “benefits and risks associated with relevant technology” in the legal industry. To safeguard client and other personally identifiable information, firms need a robust cyber security program.

Keeping client information secure, however, involves more than just protecting it from outside threats. Firms must also ensure that internal processes and employee actions do not put confidentiality at risk.

Cyber security risks include human error, which is a leading cause of data breaches. Attorneys can lose a laptop or smartphone, or thieves may steal devices. Firms also face the threat of online attacks, and are vulnerable to physical break-ins targeting paper records or unsecured devices.

Here are some proactive cyber security strategies to consider::

• Conduct periodic risk assessments

Risk assessments will identify vulnerabilities and address potential security gaps before attackers can exploit them.

• Create, implement and review a cyber security policy

Firms need clear policies to manage risks and ensure employees know how to maintain security. These policies should address specific risks faced by the firm, and employees should be informed about these policies. Periodic reviews of the policies by third parties will ensure they are up to date and functioning as designed.

• Deploy robust cyber security tools

Cyber security tools, ranging from basic spam filters to advanced firewalls and data encryption, should be deployed. Multi-factor authentication and encryption of data at rest and in transit are also among the tools critical to protecting sensitive information.

• Engage with professional cyber security providers

Look for an experienced provider which offers such measures as encryption, compliance with regulations like GDPR and HIPAA, and which conducts security audits at least once a year.

• Sign up for cyber security insurance

Cyber security insurance can provide a safety net for firms in case of a data breach. Cyber insurance does not prevent breaches, but it can cover costs like data recovery, downtime, crisis management, and legal fees. Some policies also offer third-party liability protection against claims arising from a breach.

Today, cyber security is not optional for law firms; it is a necessity. By prioritizing cyber security and working with security-conscious vendors, firms can protect their clients’ confidential data and maintain their reputations in the face of potential threats from hackers and other bad actors.

 

 

Carl Mazzanti is president of eMazzanti Technologies,  a cyber security and IT support organization based in Hoboken, NJ. The company can be reached at [email protected].