Cybersecurity Guide for Law Firms

Cybersecurity Guide for Law Firms

March 21, 2023

As an attorney, you handle a wealth of sensitive information daily. Clients need to know that whatever they say to their lawyer is protected via client-attorney privilege, and are confident that their data is being actively protected.

Cyber data breaches are becoming increasingly common. They threaten the privacy of clients’ sensitive information and your law firm’s reputation. ABA’s cybersecurity Report states that 25 percent of law firms have previously suffered a data breach, costing them not just their data, but financial and reputational losses.

While it’s not a stretch to think multinational corporations can afford sophisticated cybersecurity strategies, most law firms either cannot afford much in the way of cybersecurity or do not prioritize it, which is why law firms have become targets within the hacker community. On average, law firms have all the desired information with fewer cybersecurity practices in place.

In our guide on cybersecurity for law firms, we explain:

  • Obligations lawyers have to their clients regarding data protection
  • The risks of being hacked
  • Examples of law firm cyber-attacks
  • Strategies to prevent, detect, and defend against intrusions

Your Obligation to Protect Client Data

You have a duty to protect your clients’ data, and there are three established organizations that take the matter seriously: The ABA, FTC, and SOC. Here’s what each has to say:

The American Bar Association

The ABA has held lawyers to the ethical and model rules of professional conduct since they were approved in 1983. 

Rule 1.6, regarding the confidentiality of client information, states that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

This means lawyers must make efforts to protect their clients’ data.

In 2018, the ABA issued Formal Opinion 483, which discusses the importance of data protection and how to handle the inevitable security breach. 

The opinion states that the risk of law firms experiencing a data breach is not a matter of if, but when.

Formal Opinion 483 lists requirements for before, during, and after a cyber attack targeting law firms:

  • Duty of Competence: In addition to competence in representing your client, adequate security measures must be taken regarding technology.
  • Obligation to Monitor: Lawyers must reasonably and continuously assess their systems, standard operating procedures, and plans for mitigating a security breach.
  • Stopping the Breach: If a breach is suspected or detected, the lawyer must make reasonable steps to stop the attack and prevent any further exposure of data.
  • Notice of Breach: Lawyers who detect a breach must inform their clients in a timely manner and with reasonable information for the clients to make informed decisions.

The Federal Trade Commission

The FTC has recently updated legal requirements pertaining to companies dealing with sensitive information. 

The FTC Safeguards Rule “requires covered financial institutions to develop, implement and maintain an information security program with administrative, technical and physical safeguards designed to protect customer information.”

In other words, tax preparers must implement cyber security plans to protect client data, with a looming deadline of mid-2023. Failure to do so may result in an FTC investigation. Learn how to comply with these rules and read more guidance on data security in IRS Publication 4557, Safeguarding Taxpayer Data.

The Security Exchange Commission

Under the SEC’s Regulation S-P, firms are required to have policies and procedures addressing the protection of customer information and records. This includes protecting against any anticipated threats or hazards to the security or integrity of customer records and information and against unauthorized access to or use of customer records or information.  

The rule also requires firms to provide initial and annual privacy notices to customers describing information-sharing policies and informing customers of their rights.

Additionally, Regulation S-ID requires member firms that offer or maintain covered accounts to develop and implement written identity theft prevention programs.

In the following section, we’ll detail the daily cybersecurity risks your firm faces.

How Your Firm Becomes a Target

Think about how your employees might allocate their time during work and life. They might start the day by checking email, updating their Facebook status, making a client call and sending a follow-up email with some kind of sensitive personally identifiable information attached. 

Not just one, but every single one of these actions exposes information that hackers can use to infiltrate your law firm.

Your team members could become victims of email spoofing, which fakes the sender’s identity and can include malicious attachments or links. Hackers could use your employees’ personal Facebook statuses to design a hack based on personal information or location to identify potential passwords. 

According to the ABA, up to 42 percent of law firms with up to 100 employees have experienced a data breach.

In the following section, we’ll showcase three examples of law firms that have undergone cyber attacks.

Law Firm Cyber Attack Victims

1. Wengui v. Clark Hill Law Firm

In 2016, a Chinese businessman and political dissident, Guo Wengui, hired the international law firm Clark Hill to help apply for political asylum in the United States. Wengui explained to the team at Clark Hill that the Chinese government had made him the target of ongoing cyber attacks and that it was likely they would experience similar attacks.

On September 12, 2017, Clark Hill’s servers were hacked, compromising Wengui and his wife’s passport information and their application for political asylum, which was then uploaded online. The hacks were widely believed to be orchestrated by the Chinese government.

After this event, Clark Hill tried to absolve itself of any liability by dropping Wengui as a client. Wengui then brought a $50 million suit against Clark Hill for breach of contract, breach of fiduciary duty, and legal malpractice.

The case is ongoing but the court held that Wengui pleaded viable claims for malpractice.

2. The Panama Papers

One of the largest data breaches of all time occurred in 2016, when more than 2.6 terabytes of data, or 11.5 million documents, were extracted from the international law firm Mossack Fonseca from their Panama headquarters.

The breach exposed data regarding the firm’s participation in forming shell companies for offshore wealth management. Many world leaders were implicated in the breach, including Russian President Vladimir Putin, who was linked to $2 billion in offshore accounts.

3. Class Action Suit for Threat of Data Breach

Over the last couple of years, lawsuits have begun to emerge based on the threat of a cybersecurity data breach, even before any data has been compromised. 

For example, Chicago-based law firm Johnson & Bell is the defendant in an ongoing case where the plaintiff argues their web portal is vulnerable to attack and therefore continues to put client information at risk.

Johnson & Bell argue their system is secure, but their servers are running on outdated JBoss software that has verifiably known vulnerabilities. With clients in the healthcare, insurance, and other industries, Johnson & Bell have significant cybercriminal targets in the form of sensitive business information like financial statements, merger and acquisition deals, and more. 

If the judge rules in favor of the plaintiff, a new precedent will be set regarding how law firms are expected to manage and maintain client data.

How You Can Protect Yourself

Here are some policies that can help prevent cybercriminals from exploiting vulnerabilities in your systems.

1. Create a Security Feedback Loop

Having an email address for users to contact your security team if a vulnerability is believed to exist can help avoid future exploits. Some companies even offer a “bug bounty,” where they incentivize security experts to alert them of potential issues and receive compensation, instead of simply exploiting the bug for financial gain.

In recent years, some sites are implementing a security.txt standard, which offers a centralized place for sites to define their security policies. This can help individual security researchers who find vulnerabilities quickly and easily report them to strengthen the site over time.

2. Regularly Check and Update Permissions

When you own an office, you know that not everyone in your organization needs a key to every door in the building. When considering the level of access each employee should have, you should provide the minimum level of access possible. 

Or, to continue with our example, figure out the minimum number of doors this person needs access to, and give them keys to those doors and those doors only. This is known as least privilege access.  

You can automate the process of re-certification and/or revocation of access. This process becomes especially important when employees get promoted or resign. You should have a recurring event when all permissions within the company are re-evaluated.

3. Maintain an Audit Trail of Data Access

It’s important to have a process in place to track irregularities or strange occurrences when it comes to data touchpoints to help highlight when an administrator’s account has been compromised, the employee has gone rogue, or any number of other scenarios. 

A User and Entity Behavioral Analysis (UEBA) tool, uses sophisticated machine learning algorithms to analyze and highlight any out-of-the-ordinary activity within your organization. 

For example, if an IT Manager has historically downloaded 100 MB of data on a daily basis to run reports, your UEBA tool would signal if and when a deviation of significant magnitude occurred. For example, if one day the IT Manager downloaded 100 GB of data or 1,000x of the normal amount, this would trigger an alert. 

4. Enforce Strong Passwords

One of the most common entry points for hackers is via insecure passwords. If you have ever used “password” as a password or reused a password for more than one account login, you are not alone. According to a survey by Google, 65% of users reuse passwords for multiple, if not all, accounts. 

When making a password, ensure your system has a validation in place to reject passwords that do not meet minimum criteria. It’s also recommended that you have employees, clients, and anyone else with access to your system reset their passwords regularly.

5. Use Multi-Factor Authentication

Many cybersecurity breaches could have been thwarted by multi-factor authentication. The most common form is two-factor authentication, where the user must provide at least two pieces of evidence regarding their identity. 

In MFA, when a user is logging into a web portal, a unique code will be sent via an SMS text message to verify the person logging in has access to the phone number on file. Other forms of multi-factor authentication include security questions, captcha, and more.

6. Stay Up-to-Date with Government Regulations

Data and privacy have taken center stage in many regulatory arenas around the world. From GDPR in Europe to CCPA in California, understanding how to comply with regulations where you practice law is essential to protect your clients and their data. 

For example, to be GDPR-compliant, a company is legally required to have a nominated Data Protection Officer responsible for the inflows and outflows of data.

7. Incident Response Plan

The incident response plan is how your team will handle the various phases of a cyberattack, including: 

  • Detection: Discovery of the event through software tools, unusual activity, or reports by personnel or outside sources. 
  • Containment: The stage where the compromised component is identified and isolated. 
  • Investigation: Determine the entry point and scope of the attack.
  • Remediation: Repair systems affected by the breach, notify affected parties, report to law enforcement if necessary, and conduct a post-mortem of the attack.
  • Recovery: Use the lessons learned from this attack to iterate your process and improve.

Wrapping Up

The number of law firms reporting they had cyber insurance declined by 1% from 2018 to 2019, despite the projection that cybercrime will increase by 70% over the next 5 years. 

Law firms are under a constant threat of cybercrime and must take steps to defend their clients’ data. Don’t wait until it’s too late, take steps today to prevent future data breaches and the consequences that follow.

If you need guidance on risk assessments and incident response plans, or are looking to beef up your cybersecurity, contact us or book a meeting. Partner with Blue Light IT for cybersecurity services and leave chaos and worry behind.



Related Posts


Enter your details below and we will contact you within 1 business day.

"*" indicates required fields