In this day and age, all industries and companies are subject to cyber security threats. Hackers work hard to breach our security and obtain sensitive data every single day. Believe it or not, law firms are at a higher risk for cyber security threats than the average business.
Four separate times in the last 6 years (2009, 2011, 2013, 2016), the FBI has issued an advisory that hackers are targeting law firms. In 2013, the FBI stated, “We have hundreds of law firms that we see increasingly being targeted by hackers.”
Why are hackers zeroing in on law firms? The type and amount of data available through a single law firm is impressive. Employee and client data, including data from other companies, is all stored on a firm’s servers. This data could include the following:
- Personal Data
- Health Data
- Protected Health Information
- Financial Data
- Corporate Strategies (beyond the law firm’s)
- Business Transactions
Any of this data could be leaked or held for ransom. Hackers could have a lot to gain from a law firm, especially because many firms may not realize they have been hacked.
What is at risk for a Law Firm? A privacy or security incident will no doubt go beyond being a simple inconvenience for a law firm. The firm could face lawsuits, damage to reputation, regulatory fines, and angry clients, to name a few negative effects.
Firms are legally obligated to make reasonable efforts to prevent any inadvertent or unauthorized disclosure of information without a client’s consent. If HIPAA information is breached, a firm could face fines in excess of $1.5M.
Clients of law firms could be held liable for a data breach and the inevitable fallout, too. This vicarious liability is linked to not completing due diligence on the level of cyber security at a firm before sharing sensitive information.
What does that mean? If a law firm doesn’t have its cyber security ducks in a row, new clients will not choose to partner with it, and existing clients might start weighing the options of staying versus finding a new law firm. Without the proper cyber security and protections in place, a law firm might not be a popular partner.
In order to ensure that a firm’s data is safe and that it is ready to take on hackers, a firm should do these 6 things:
- Assess the risk
Find your vulnerabilities and correct them to better protect your practice. Firms should take inventory of all types of data they store and are obligated to protect.
- Assign Responsibility
All privacy issues and data security at the firm should be the responsibility of one individual or outsourced company with one main point of contact. This individual should be a resource for everyone at the firm if they have questions or concerns.
- Security Policy Development
Consult with a Managed Service Provider on how various forms of data should be handled and protected. Make sure this covers portable devices, personal devices, encryption, employee access, and social media.
- Train your People
Arguably, the greatest risk to any company when it comes to cyber security threats is its people. Train employees on best practices for handling and protecting data.
- IT Resilience Planning
Have a plan for responding to privacy and security incidents. This should include crisis management, crisis communication, and IT disaster recovery to minimize risk and maximize responsiveness.
- Consider Cyber Liability Insurance
Insuring against the risks should be a major consideration for firms. In case of a disaster, this will help with the costs associated with data breaches, which can be in the tens of thousands. Have a thorough understanding of what is covered and what security policies MUST be in place for you to successfully file a claim. For instance, if you suffer a privacy breach but did not have active monitoring to alert you and other measures to prevent the breach, your claim may be denied.
To learn about how GadellNet can support your firm, fill out the form below.