How Safe Is Your Law Firm From Data Breach?

With the pressure to minimize data security breach threats mounting, law firms are expected to set aside a considerable percentage of their budget to tackle information security challenges. According to a survey released by Chief Cost Management (CCM), with a sample made up primarily of major companies, law firms are expected to spend nearly $7 million on enhancing in-house security by identifying security gaps in their networks.

Identifying cybersecurity priorities and knowing what makes a reasonable investment will help law firms gain the highest returns on their information security budgets. Otherwise, they risk spending too much and draining firm profits, or spending too little and jeopardizing the privacy and integrity of their information assets.

–Len Levy, President, CCM

According to the report from CCM, more than two-fifths of the companies surveyed have annual gross revenues between $100 million and $500 million. Law firms hold considerable information assets which, if lost in a data breach, can significantly compromise their business integrity. Jerry Brandt, who wrote an article in 2012 on the bleak security conditions of law firms, referenced a study highlighting that more than 80% of law firms do not employ two-factor authentication and nearly 60% do not encrypt their laptops.

Managers, therefore, need to ask critical questions to ensure the safety of their law firm. Here are 5 questions every law firm should ask to assess its security risk level.

What level of confidential information do we collect?

For any business to determine its level of data security risk, it should first consider the type of information it stores on its data servers. If the stored data is highly sensitive and cannot be replaced or substituted easily, then the risk of a data breach can be regarded as very high. Law firms in particular are a trove of confidential information which, if stolen, can have immense financial and legal ramifications. Confidential information about clients and their weak points, clients’ intellectual property relating to patents and copyrights, clients’ contact and address details, and privileged attorney-client communications are all stored on the networks of law firms.

Law firms and lawyers are required to meet a number of legal responsibilities to ensure that sensitive client information is not compromised in any manner. If a data breach occurs that leads to the loss of such essential information, a firm could face a number of legal problems.

Which third parties gain access to our data?

Another factor to consider is the number of third parties that can acquire, access, and exploit a company’s confidential data records. Lawyers, for instance, are frequently required to be on the move and work from their laptops. There is a possibility that third parties such as employees, friends, and even clients themselves can gain access to important files and folders pertaining to a case and steal information that could determine its outcome.

The American Bar Association in 2011 urged lawyers to safeguard communications between them and their clients from unauthorized disclosure by the lawyer or other persons. Also, in 2010, the State Bar of California considered whether the confidentiality between client and lawyer was compromised if the technology used to store the information was exposed to unauthorized access.

The issue was raised after an attorney used his laptop to conduct research from his home over a public Wi-Fi network and communicated with the client via e-mail. The California Bar considered the attorney to have acted incompetently and urged that he take appropriate steps to protect sensitive information from others.

Who are the main stakeholders?

Businesses should also take into account the impact of a data breach on their various stakeholders. In the case of law firms, the main stakeholders are the clients. However, there are also a number of other stakeholders that can be affected, such as board members, regulatory authorities, the press, and investors.

In the case of a data breach, it is important to outline in advance which stakeholders the loss of data should be communicated to first. Law firms would typically report the news of a data breach to their clients first, then to their board members and law enforcement agencies.

The law firm Foley & Lardner, for example, provides a hotline available 24 hours a day, 365 days a year, through which clients can speak with a designated data security attorney for counsel on what to do during the first stages of a data breach.

Have we experienced a data breach in the past?

Previous data breach incidents can also reveal a lot about the security condition of a firm. Revisiting the details provides important lessons, such as which measures worked well, which did not, and where improvement is needed. Perhaps a firm did not have the resources to invest in a next-generation firewall or to implement an advanced company-wide network security program.

Furthermore, firms should delve into the minute details of how third parties gained access to the data: the channels used, whether the breach originated internally or externally, and the location of the attacker.

How do we prevent future attacks?

Businesses need to accept that there is no fail-safe button for data breaches and must ensure that any breach that does occur is detected and managed quickly. The security team can investigate the root cause of previous incidents and implement or upgrade intrusion detection systems and encryption methods to safeguard data from sophisticated malicious software.

More importantly, a firm needs to ensure that employees receive ongoing training covering the latest security measures and the malware everyone needs to be aware of. Attorneys need to make sure that they do not conduct research on or for clients without a highly secure internet connection, and that e-mail is checked daily for any indication of malicious activity.

Other measures, such as using two-factor authentication and passphrases and maintaining a periodic data backup and recovery routine, should also not be overlooked.

IT Planning For Law Firms – why, and how

There is a growing threat of cyber attacks on law firms. What’s surprising is the number of law firm intrusions that go unreported.

In fact, since March of 2014, financial institutions and law firms have been in talks to establish a collective effort to share information on hacker threats. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is developing a threat management advisory council to thwart hackers.

Having worked with many law firms over the years, we’ve seen some that suffered from data overload, both in security and in the internal processing of client records. In these scenarios, the firms were decades behind their competition in managing their networks and data.

Growing your legal firm is a work in progress. Prospective clients contact you in various ways, including by email and by phone. However, we speak with many office managers who struggle to piece together more robust systems, not only to manage their network but also to keep records on pending client cases.

Successful law firms receive hundreds of inquiries every day. Perhaps you’re wondering what techniques they use to handle this amount of data. For starters, they don’t rely on closed data systems such as Microsoft Office and the like, which are highly insecure. Instead, thriving law firms have invested in developing robust IT plans and security gateways to support their busy offices and protect sensitive client information.

Big data is a trend that you’ve probably read about in the news in the last few months. But how does big data management add value to your business?

Often we speak with law firm owners who tell us there are very few hours left in their workday to worry about IT and security issues. However, the firms we consult with on a long-term basis see the time savings from implementing a scaled approach to managing their networks.

Remember, scale is critical to your business. An IT network designed without plans for growth, which would avoid expensive upgrades, offers the worst return on investment, and not only in costs: lost staff time affects whether your office staff can help your firm grow.

One of the areas we see needing the most improvement in law firm IT is database management. Too many firms rely on task-oriented processing of traditional paper-based client records. The smarter approach is to convert your contact management software to a secure web-based product, which allows your employees to pinpoint critical client information in seconds and provides better security measures.

A new trend we’ve witnessed at firms is a lack of security management for client records: specifically, storing records on thumb drives, emailing private data across unsecured networks, and even storing information on laptops and iPads. The problem with this type of data management is that it is highly insecure when accessed across wireless networks.

Law firm IT support and security are critical to controlling your risk. With cyber threats growing more sophisticated in recent months, it’s no longer a question of if your firm will be attacked, but when. The question on your mind, if you’re reading this far, is: what types of security will protect your organization?

We recommend analyzing the access gateways to your networks, typically through penetration-testing scenarios. These tests can often pinpoint parts of your network that can be infiltrated with minimal effort. The most obvious weaknesses we see are poorly encrypted networks and outdated firewalls. However, these are only a few of the many ways hackers are getting at law firm data.

Unlike the widely reported cyber attacks on major retailers, threats to law firms go unreported because these organizations are privately held. But the risk and liability from a breach grow exponentially with the proliferation of cyber threats.