When it comes to IT security-related risks, law firms are a prime target. Unfortunately, law firm security is not where it needs to be. Think about it: There’s a ton of juicy information on any given law firm network, and it’s all stored on mobile devices, email systems, web portals and more, both locally and in the cloud.
These organizations are concentrated sources of intellectual property and other sensitive business information, including:
- Client trade secrets;
- Attorney-client privileged information involving past, current and future cases;
- Strategies and tactics involving approaches to litigation;
- Details on mergers and acquisitions; and
- Personally identifiable information (PII) as part of security incident investigations.
Not only do law firm network environments serve as an entry point to all this sensitive information, but many organizations are behind the times in terms of allocating reasonable funds to bolster security and minimize risks. This creates the perfect scenario for cybercriminals.
The Risks of an IT-Centric Approach to Law Firm Security
It’s easy for legal professionals to assume that they don’t have anything of value to cybercriminals and that their firm is not a target, but the threat is real. It might even come from inside the network in the form of a negligent or conniving employee exposing sensitive records. External threats could include competitors or foreign governments looking to disrupt legal operations or steal information.
In my experience working in the legal field, IT employees have had to lead the charge for security. Larger firms have begun hiring chief information security officers (CISOs), but many still take an IT-centric approach to security tasks, including:
- Policy development;
- Policy enforcement;
- Ongoing information risk oversight; and
- Security assessment and audit.
Whether in-house or outsourced, IT management of security functions can lead to a false sense of security among law firm partners and other stakeholders. Perhaps even more dangerous, I have seen situations in which firm partners with little to no IT or security background were in charge of security and risk management. This cost-saving shortcut to security can create more liabilities than it mitigates.
Assuring Clients and Preparing for a Breach
It’s one thing to have a dysfunctional security program, but when it becomes known, bigger issues arise. For example, when law firm clients start questioning security initiatives via those dreaded security questionnaires or, worse, a breach occurs, the core of the law firm’s business, integrity and livelihood is impacted. To nip these issues in the bud, law firms must:
- Manage oversight of security initiatives.
- Document security policies along with disaster recovery and incident response plans.
- Implement reasonable security technologies, and hire the right personnel to help enforce policies and oversee sensitive information.
- Establish a cyber liability insurance policy.
- Conduct periodic vulnerability and penetration testing.
Preventing security breaches is a worthy goal, but security leaders must also prepare to respond to exploits and outages that will inevitably get through the organization’s defenses. Otherwise, the firm will develop a reputation for negligence and recklessness.
To demonstrate that they are integrating security into the firm’s business practices, security teams should take the following steps.
- Know what you’ve got, including intellectual property and PII, along with critical systems and the vendors involved.
- Understand how it’s all at risk, including both technical and operational risks that are placing these assets in harm’s way.
- Reconfigure business processes, technical controls and organizational culture to protect the data identified in the first step and mitigate the risks outlined in the second step.
Collectively, this approach to information security involves a deep understanding of how both the business and the technology operate in the course of client representation. The key is to understand that you cannot secure the things you don’t acknowledge. Overlooking both technical and nontechnical areas of the practice that deal with sensitive information will lead to a misunderstanding of how security needs to be addressed, and that’s when security breaches happen.
Laying Down the Law on Security Practices
These best practices go beyond security. The American Bar Association’s Center for Professional Responsibility documented its own industry-specific guidance for protecting client information in its “Model Rules of Professional Conduct.” These rules involve not only understanding the technologies you’re using in your law firm, but also demonstrating reasonable efforts to properly handle and secure sensitive information.
Security is not that complicated until it is. That’s why law firms should heed Stein’s Law and address security gaps now before a data breach occurs.
Independent Information Security Consultant