It was more than four years ago that I first wrote about lawyers being added to the list of victims who were scammed or whose computer systems were hacked. My last update on that story was more than a year ago, and having recently heard about a Wisconsin lawyer whose email account was broken into, it appears now is a good time to revisit this societal plague that is also hitting the legal profession.
Data security breaches happen so often and in so many places that it is impossible to keep count. We have all heard about the high-profile breaches, including Target, the TJX companies, the Department of Veterans Affairs, Sony Pictures, Google, AOL, and most recently Anthem Insurance. Those are only the ones that made headlines. Of course, the legal profession has not gone unscathed in this mess. Cyber criminals are interested in law firm data, too. This is as true for solos and small firms as it is for big law firms. Think about the client information you have in your system, from financial data to personally identifiable information. Are you adequately protecting your clients’ information? Are you protecting your practice?
There is plenty of fraud out there to make you leery, including fraudulent financial arrangements, phony “clients,” and computer hackers. Art Saffran, president of Saffran Technology LLC, an independent technology consulting firm for small businesses in Madison, says law firms can be particularly vulnerable. “Law firms retain confidential information about their clients – information such as Social Security numbers, addresses, and birth dates that can be used for identity theft. Confidential information about clients, business deals and contracts, and case strategies can be of interest, too.”
Saffran also says law firms have many points of access to confidential information. “Lawyers, like others, use mobile devices – laptops, smartphones, and tablets. These are highly vulnerable to loss or theft. If they are not protected, they provide access to data and possible entry into protected network systems. Offices with loose physical security can be vulnerable to someone walking in and taking confidential materials, whether they are on paper or electronic storage. Office staff can fall prey to phone phishing calls in which callers elicit information that allows entry to a secure network, for example, callers who pretend to be IT staff or service vendors.”
I know what you’re saying. “I’d never fall for anything like that.” Maybe not, but it’s best to be aware of what’s out there. Some lawyers have fallen victim, potentially jeopardizing their practice.
While any law firm could be victimized, Saffran says solo and small firm practices may be more vulnerable. “Solos and small firms don’t have the IT resources of larger firms so they have to provide their own security protection or use a technology vendor to do this. Sometimes, do-it-yourself security can be compromised due to a lack of knowledge or expertise of the responsible lawyer or staff.”
While larger law firms would seem to have more resources to invest in security systems, size can also bring complexity, according to Saffran. “More systems, more staff, and more consulting vendors bring more opportunities for vulnerabilities to remain unnoticed. Every mobile device has to be tracked and managed. Staff has to be trained in safe Internet and technology use. Vendors have to be vetted and managed. There are many security cracks possible in a larger firm’s technology. Security has to be a high priority for in-house or outside technology vendors. Overworked IT departments can overlook security flaws.”
Cyber Liability Risk
What would you do if you lost sensitive client information? Whether because of a data breach due to hackers, careless disposal of client records, theft of mobile devices, or misuse of internal security protocols, lawyers need to consider how they are protecting client and employee information.
Sandy Hauserman, a lawyer from Vermont and a founder and managing member of Digital Risk Resources (DRe), an insurance product development company, says client records and credit/debit card processing make up a significant portion of the overall risk profile. Law firms gather and transmit personally identifiable information (PII) of clients, employees, vendors, and others. Law firms collect a lot of very sensitive information that could severely damage a client’s reputation.
In addition, cyber criminals want to steal data or damage IT systems. They often plant malicious software (viruses and other malware) on one computer and count on it being passed on unknowingly to others, for example in an infected attachment or over a shared network drive.
Aside from the hackers with bad intent, you could lose sensitive client information very innocently. What if you mistakenly left your laptop, tablet, or smartphone at the courthouse, in an airport, or at the local coffee shop and it contained client information? Some lawyers have already experienced this. There are numerous ways that private client or employee information can be compromised:
- An attorney or employee checks her personal email and unwittingly downloads malware onto the company network.
- A company laptop containing PII is stolen from an attorney’s car.
- Customers’ credit card, bank, and health information is stolen by someone hacking into the law firm’s system.
- Paper records containing PII are not shredded before disposal and are retrieved by criminals (dumpster diving).
- An attorney researching online is directed to a website that silently installs malware (a drive-by download), which turns the computer into a spam-sending machine.
How Big Is the Risk?
Why is cyber risk something to which lawyers should pay attention? First, most states have enacted breach notice laws that require a business suffering a security breach or losing PII to notify victims so they can take action to protect themselves from identity theft. In addition, a law firm that handles protected health information for a health-care client is typically a HIPAA business associate and subject to HIPAA’s breach notification rules. Notification costs grow with every record exposed. Even a modest-sized breach can result in legal liability large enough to bankrupt a small law firm. At the very least, notification of a security breach is expensive and disruptive to your practice.
Second, if an individual who has been notified actually suffers a monetary loss or, more important, if financial or medical information collected by the law firm gets into the wrong hands, the law firm can get sued.
That’s where cyber liability insurance coverage can help a law firm. Hauserman says, “Buying liability insurance coverage for lawsuits involving an information breach, whether they have merit or not, is the easiest and most efficient way to arrange for legal help and other assistance and to help pay for damage inflicted on others.”
Cyber Risk Prevention: 12 Security Basics
Unfortunately, there is no magic answer to protecting your data. But there are some security basics that every lawyer should be familiar with. Some security tips are fairly obvious but worth mentioning anyway. Saffran’s list is a great place to start:
- Perform a security audit of all technology systems. Include office computers and servers as well as mobile devices and any computers that provide access to office systems. In-house IT staff can do this if available, but an outside perspective is often helpful.
- Remember that not all breaches are due to technology. Break-ins and theft of computer systems can result in data loss. Focus on physical office security in addition to technology. Manage public access to offices.
- Train staff on techniques used to gain access. A common technique is a phone caller who says there is a technology issue and requests email or other system logon information. They often warn of system failures if the information is not provided. Similar techniques are found in false emails that warn recipients of problems and provide a link to a website that requests logon information. These attempts are referred to as phishing. Teach staff to not open email attachments from senders they do not recognize.
- Set up computer logons as “standard” users. The first account created on a Windows computer is an administrator, and many offices leave every user that way. Malware that runs under an administrator account can install itself and take full control of the computer. Configuring day-to-day logons as standard users limits what malware can do; installing software will then prompt for the administrator password, which is a useful warning that something is trying to change the machine.
- Be suspicious of emails warning of problems that need to be resolved by clicking a link and entering a username and password via some website. This is a common method of gathering logon information.
- Use a password management program. Everyone knows passwords should be complex and different for all the various websites and systems we use. Two leading password managers are LastPass (lastpass.com) and Dashlane (dashlane.com). Both offer computer and mobile tools to manage passwords and have free and paid versions.
- Secure all mobile devices. Laptops, smartphones, and tablets are vulnerable to loss or theft. Encrypt laptop drives (BitLocker on Windows and FileVault on Mac are built in) so data can’t be read by whoever ends up with the machine. Set all tablets and smartphones with access codes and configure them so the data can be remotely wiped.
- Even small law offices should centrally manage email services. Avoid setting up staff email accounts on Gmail or other free services. Law offices need to centrally manage email accounts. This allows deactivation of accounts when employees leave.
- Change passwords with staff turnover. When staff changes occur, it is a good practice to change passwords, especially for systems to which the staff had access.
- Back up data to secure online services or rotate backups offsite. Data loss can cripple a law firm, whether due to system failure or malicious acts. Backing up office systems to a secure online service provides the ability to recover data, including previous versions of files, which matters when a file was corrupted or encrypted by malware days before anyone noticed. Backups kept only onsite are vulnerable to the same fire, theft, or infection as the originals. Reputable cloud backup services are fast and reliable; confirm that the provider encrypts data in transit and at rest. Be sure to use a service that sends daily reports, assign staff to review them, and periodically test that a restore actually works.
- Use two-step authentication. This security feature requires entry of a one-use code when logging in to a web service, such as email. The code is sent by text message to a registered mobile phone, or generated by an authenticator app on it, and the login requires the username, the password, and the code. Two-step authentication helps prevent access by a hacker who has your password but not your phone. A code delivered by text message can still be intercepted by an attacker who takes over your phone number (a so-called SIM swap), so an authenticator app or a hardware security key is stronger where the service offers it. Two-step authentication is recommended for accounts accessed from smartphones and tablets. Frequently used computers, such as those at the office, can be registered as trusted so the code is not requested on every login; keep that list short and remove devices you no longer use.
- Treat security as a priority. Take the time to review your computer systems and ask how they might be compromised. If you don’t feel qualified, find an expert who can help. It needn’t be complex or costly.
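The two-step login described in the list above, worked through as an added example (this is illustration code written for this article, not any vendor’s implementation). It assumes hypothetical names (`TwoStepLogin`, `begin_login`, `finish_login`), assumed policy values (a five-minute code lifetime, five wrong guesses, thirty-day trusted devices), a constructed user and phone number, and a `sent_messages` list standing in for the text-message gateway so that it runs offline. The passwords are stored only as salted PBKDF2 hashes, and the code is burned after one use, so a replay, a guessed code, or an expired code all fail.

```python
import hashlib
import hmac
import secrets
import time

# Policy values are assumptions for this illustration, not figures from the article.
CODE_TTL_SECONDS = 300                # a one-use code expires after five minutes
MAX_CODE_ATTEMPTS = 5                 # wrong guesses before the pending code is discarded
TRUSTED_DEVICE_SECONDS = 30 * 86400   # a registered computer skips step two for 30 days


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the plaintext is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class TwoStepLogin:
    """Password first, then a single-use code delivered to the user's phone (hypothetical class)."""

    def __init__(self, now=time.time):
        self._now = now
        self._users = {}        # username -> {"salt", "digest", "phone"}
        self._pending = {}      # username -> {"code", "issued_at", "attempts"}
        self._trusted = {}      # (username, device_id) -> expiry timestamp
        self.sent_messages = []  # (phone, code) pairs the text-message gateway would deliver

    def add_user(self, username, password, phone):
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest, "phone": phone}

    def _password_ok(self, username, password):
        user = self._users.get(username)
        if user is None:
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["digest"])  # constant-time comparison

    def begin_login(self, username, password, device_id):
        """Step one. Returns 'denied', 'granted' (trusted device), or 'code_required'."""
        if not self._password_ok(username, password):
            return "denied"
        if self._trusted.get((username, device_id), 0) > self._now():
            return "granted"
        code = f"{secrets.randbelow(10**6):06d}"  # six random digits, fresh for every login
        self._pending[username] = {"code": code, "issued_at": self._now(), "attempts": 0}
        self.sent_messages.append((self._users[username]["phone"], code))
        return "code_required"

    def finish_login(self, username, code, device_id, remember_device=False):
        """Step two. True only for a fresh, unused, correct code; the code is then burned."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        if self._now() - pending["issued_at"] > CODE_TTL_SECONDS:
            del self._pending[username]      # expired: the user must request a new code
            return False
        if not hmac.compare_digest(pending["code"], code):
            pending["attempts"] += 1
            if pending["attempts"] >= MAX_CODE_ATTEMPTS:
                del self._pending[username]  # stop online guessing of the six digits
            return False
        del self._pending[username]          # single use: a replayed code fails
        if remember_device:
            self._trusted[(username, device_id)] = self._now() + TRUSTED_DEVICE_SECONDS
        return True


def demo():
    """Walk through the flow with a controllable clock; returns every observed outcome."""
    clock = [1_700_000_000.0]
    svc = TwoStepLogin(now=lambda: clock[0])
    svc.add_user("jdoe", "correct horse battery staple", "+1-608-555-0100")  # constructed user
    pw = "correct horse battery staple"
    results = {}
    results["wrong_password"] = svc.begin_login("jdoe", "password1", "office-pc")
    results["first_step"] = svc.begin_login("jdoe", pw, "office-pc")
    _, code = svc.sent_messages[-1]           # what the real user reads off the phone
    wrong = "000000" if code != "000000" else "111111"
    # An attacker who stole the password but not the phone has to guess the code.
    results["guessed_code"] = svc.finish_login("jdoe", wrong, "office-pc")
    results["real_code"] = svc.finish_login("jdoe", code, "office-pc", remember_device=True)
    results["replayed_code"] = svc.finish_login("jdoe", code, "office-pc")
    results["trusted_device"] = svc.begin_login("jdoe", pw, "office-pc")
    # A new device gets a fresh code; hammering it with guesses burns that code.
    results["new_device"] = svc.begin_login("jdoe", pw, "hotel-laptop")
    _, burn_code = svc.sent_messages[-1]
    wrong = "999999" if burn_code != "999999" else "888888"
    for _ in range(MAX_CODE_ATTEMPTS):
        svc.finish_login("jdoe", wrong, "hotel-laptop")
    results["burned_after_guesses"] = svc.finish_login("jdoe", burn_code, "hotel-laptop")
    # Ask again, then wait past the code lifetime before entering it.
    results["retry"] = svc.begin_login("jdoe", pw, "hotel-laptop")
    _, late_code = svc.sent_messages[-1]
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired_code"] = svc.finish_login("jdoe", late_code, "hotel-laptop")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:22s} {outcome}")
```

The point of the walk-through is the part of the flow that is easy to get wrong: the code must be random, expire quickly, survive only a handful of wrong guesses, and be destroyed once accepted, and a “remembered” device must be keyed to the specific device and expire on its own schedule.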
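The phishing pattern the list above warns about (an email that claims there is a problem and offers a link to a site that asks for a logon) can be checked mechanically before anyone clicks. The following is an added example written for this article, not a tool from the page or from either consultant. It assumes a hypothetical set of firm domains (`TRUSTED_DOMAINS`), a crude “last two labels” guess at the registered domain instead of the public suffix list, and a constructed sample message; it scans the HTML body of an email for three of the signals a trained staff member would look for: a firm domain name buried inside someone else’s host, visible link text that is a URL pointing somewhere other than the real destination, and “verify your account” style wording that leads off the firm’s own systems.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The firm's own domains: an assumption for this example, not from the article.
TRUSTED_DOMAINS = {"example-lawfirm.com"}
# Words in the clickable text that suggest a credential-harvesting page.
LOGIN_WORDS = ("password", "log in", "login", "logon", "sign in", "verify", "account")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:       # only text inside the current <a>...</a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registered-domain guess (last two labels); a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_links(html_body, trusted=TRUSTED_DOMAINS):
    """Returns (href, reason) pairs for links that match the phishing patterns above."""
    collector = LinkCollector()
    collector.feed(html_body)
    trusted_reg = {registrable(d) for d in trusted}
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme not in ("http", "https"):
            findings.append((href, f"unexpected link type '{url.scheme}'"))
            continue
        external = registrable(host) not in trusted_reg
        # 1. A firm domain name embedded in someone else's host: example-lawfirm.com.evil.net
        if external and any(d in host for d in trusted):
            findings.append((href, f"look-alike host {host} is not a firm domain"))
        # 2. Visible text is a URL whose domain differs from where the link really goes
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append((href, f"shows {shown} but goes to {host}"))
        # 3. Click-to-log-in wording leading off the firm's own systems
        if external and any(w in text.lower() for w in LOGIN_WORDS):
            findings.append((href, f"'{text}' asks for credentials at {host}"))
    return findings


# Constructed sample message for the example, not a real phishing email.
SAMPLE_EMAIL = """
<p>Your mailbox is over quota and will be deactivated at 5 pm today.</p>
<p><a href="http://example-lawfirm.com.mail-secure-login.net/verify">Verify your account</a></p>
<p>Or use webmail directly: <a href="https://owa-update.example.net/owa">https://mail.example-lawfirm.com/owa</a></p>
<p>Unrelated: <a href="https://www.wisbar.org/">State Bar news</a></p>
<p>Real link: <a href="https://mail.example-lawfirm.com/owa">Open webmail</a></p>
"""


if __name__ == "__main__":
    for href, reason in flag_links(SAMPLE_EMAIL):
        print(f"SUSPECT {href}\n        {reason}")
```

Run against the sample, the checker flags the look-alike “verify your account” link twice (look-alike host and credential wording) and the mismatched webmail link once, while the genuine State Bar and firm webmail links pass. The domain guess is deliberately simple; anything that matters should be backed by a real public-suffix lookup and by the mail gateway’s own link rewriting.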
Every law firm has liability in handling personal information. Many Internet users, whether at a law firm or not, do not consistently follow good practices. Training and education can help manage the risk. As a solo practitioner or someone who runs a law office, you should know who has access to the personal information you handle. Also, implement a written information security plan. That plan should include security controls and business practices for handling PII and can help protect you and your firm. Restrict access to personal information within your firm to those who need it. Be sure to encrypt electronic data. Shredding paper documents and deleting electronic data when they are no longer needed is also important. (View sample written information security plan.)
As we move deeper into the electronic age, more lawyers are scanning files and saving them electronically. Lawyers must adequately protect and preserve client files, maintaining confidentiality and security, on whatever computer or server is being used to store them.