Is your law firm protected from a cybersecurity attack? Most experts agree that whether a business will experience a cyber attack is not a question of “if” but “when.” According to the ABA, one out of every four law firms has already been a victim of a cybersecurity attack.
What can a cybersecurity attack do to a law firm? Take the case of DLA Piper, one of the largest and most respected firms in the world. In 2017, a cybersecurity attack effectively shut down the firm’s operations globally within 20 minutes. The attack started at the firm’s Ukraine office, where a user with administrative privileges clicked on an “update” to an accounting program that was actually malware. The attack knocked out the firm’s phone system and most of its computer network. It took a week to get the firm’s email servers back online. And it took months for the firm to become fully operational again. The attack cost it tens of millions of dollars (which does not include the loss of clients and damage to reputation).
It makes sense that law firms should be targets of cyberattacks. Why? Law firms are often soft targets. Many firms have a treasure trove of potentially valuable and highly sensitive information. But they often do not have strong cybersecurity controls in place.
Firms that have had a “cyber event” in recent years include Cravath, Swaine & Moore; Weil, Gotshal & Manges; Foley & Lardner; Proskauer Rose; and Jenner & Block. And despite the number of high-profile law firm breaches that have occurred in recent years, there is evidence that law firm cybersecurity attacks are occurring at an increasing rate. And it appears that mid-size law firms (10-49 attorneys) experience the most breaches.
Significant and negative business consequences follow from having a cybersecurity incident. The ABA’s 2019 Legal Technology Survey Report lists the consequences that firms have reported as the result of a cybersecurity incident. These include consulting fees, downtime and loss of billable hours, expense of replacing hardware and software, destruction or loss of files, and notifying law enforcement and clients of the breach.
Law firms share the same cybersecurity risks that every business faces. But they also face additional risks. The reason? For attorneys, cybersecurity is also an ethical responsibility. As the ABA stated in its 2019 Cybersecurity Tech Report, “lawyers’ duties of competency, communication, and confidentiality according to the ABA Model Rules of Professional Conduct require consideration of cybersecurity issues.” The comments to ABA Model Rule 1.1 also state that “[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…” (emphasis added). These ethical obligations make law firms more likely than other businesses to suffer serious business, financial, and reputational harm if they experience a significant data breach.
Failure to have reasonable cybersecurity safeguards in place has resulted in professional malpractice lawsuits. For example, in Millard v. Doran, No. 153262/2016 (Sup. Ct. N.Y. Cty.), plaintiffs brought a malpractice suit against their real estate attorney for allegedly allowing cybercriminals to hack the firm’s email system. As a result of the hack, the plaintiffs wired $1.9 million to the cybercriminals, thinking they were wiring the money to the sellers.
A law firm’s inadequate cybersecurity protection can harm its business development efforts. Some more sophisticated clients now send a detailed data security questionnaire to the law firms they are considering engaging. Some even send a due diligence team to a firm to inspect its technology and security. These clients are not willing to work with law firms that do not take cybersecurity seriously.
Cybersecurity needs to be seen as everyone’s responsibility in a law firm. Buy-in needs to flow from the top down to make sure the firm has a culture of cybersecurity. And after the proper tone is set, employees need training so that they are aware of and can follow the company’s security procedures. As the DLA Piper example illustrates, a law firm’s own untrained employees can be the greatest cybersecurity threat.
But a firm’s data and reputation do not need to be at the mercy of cyber-attackers. It is entirely possible to take the initiative and vastly reduce your cybersecurity risk. This should include a) having proper data storage and backup, b) implementing network segmentation and applying firewalls, c) having a cybersecurity employee training program, and d) developing an incident response plan.
Feel like developing a cybersecurity plan for your law firm is more than you want to handle right now? You don’t need to do it on your own. Smart organizations know that if they want something done right, they need to invest in real expertise.
Let us help you. We understand the unique cybersecurity concerns of law firms. We can assess your situation and provide you with solutions that maximize your cybersecurity protection and minimize their burden on your firm.