The headlines continue to be filled with reports of data breaches ranging from small businesses to high profile incidents like Sony, Home Depot, and the federal Office of Personnel Management. There appears to be no end (see the Open Security Foundation’s DataLoss DB). Although they generally don’t make the headlines, there have been numerous law firm data breaches; incidents spanning from lost or stolen laptops and portable drives to long-term, deep intrusions, exposing everything in the networks. For example, an FBI speaker in January, 2013, warned, "We have hundreds of law firms that we see increasingly being targeted by hackers." Law firm data breaches are continuing. It was recently reported that at least 80% of the largest 100 law firms, by revenue, have been hacked since 2011.
The ABA 2015 Legal Technology Survey Report explores security incidents and the security measures that reporting attorneys are using. It shows that many attorneys and law firms are employing a number of the safeguards covered in the questions and are generally increasing use of the safeguards. However, it also shows that many are not using security measures that are viewed as basic by security professionals and are used more frequently in other businesses and professions.
The ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients (ABA Model Rules 1.1 and 1.6). Attorneys also have common law duties to protect client information and often have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, like health and financial information. These duties present a challenge to attorneys using technology because they are not technologists and often lack training and experience in security. Compliance requires attorneys to understand limitations in their knowledge and to either obtain sufficient information to protect client information, or to get qualified assistance if necessary. These obligations are minimum standards—failure to comply with them can constitute unethical or unlawful conduct. Attorneys should aim for security that goes beyond these minimums as a matter of sound professional practice and client service.
Data security is addressed most directly in Volume I of the 2015 Survey, Technology Basics. It is further addressed in Volume IV, Web and Communications Technology and Volume VI, Mobile Lawyers. This article reviews responses to the security questions in the 2015 Survey and discusses them in light of both attorneys’ duties to safeguard information and standard information practices.
Recognizing the Risk
Information security starts with a risk assessment to determine what needs to be protected and the threats that it faces. Comment  to Model Rule 1.6 includes a risk assessment approach to determine reasonable measures that attorneys should employ. The first two factors in the analysis are “the sensitivity of the information” and “the likelihood of disclosure if additional safeguards are not employed.” This analysis should include a review of security incidents that an attorney or law firm has experienced and those experienced by others in the legal profession. The 2015 Survey includes information about threats in its questions about security breaches.
The next factors in the risk analysis cover available safeguards. Comment  to Model Rule 1.6 includes them in the risk analysis for attorneys:
“…the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”
Comment  uses a standard risk-based approach. The 2015 Survey includes information about the available safeguards that various attorneys and firms are using.
According to the 2015 Survey, about 15% of respondents overall reported that their firms had experienced a security breach at some point. The question is not limited to the past year; it asks whether a breach has “ever” occurred. A breach includes incidents like a lost/stolen computer or smartphone, hacker, break-in, or website exploit. This compares with 14% in 2014, 15% in 2013, and 10% in 2012.
Larger firms (100-499 and 500+ attorneys) most often report experiencing a security breach (23% each), compared with 10% and 17% respectively in 2014, 13% and 16% respectively in 2013, and 10% and 9% respectively in 2012. Respondents report an increase in the percentage experiencing a security breach for most firm sizes in 2015.
Larger firms have more people, more technology, and more data, so there is a greater exposure surface. They also should have more resources to protect them. It is difficult to tell the accuracy of larger firms’ responses because the percentage of those reporting that they don’t know about breaches (23% overall) goes up directly with firm size—reaching 59% in firms with 100-499 attorneys and 64% in firms with 500+. This makes sense because attorneys in medium and large firms may not learn about lower scale incidents, particularly at remote offices.
The majority of respondents—62%—reported that their firm had not experienced a breach. Hopefully, this does not include many firms that have experienced a security breach and never detected it.
The most serious consequence of a data breach for a law firm would most likely be unauthorized access to sensitive client data. The 2015 Survey shows a very low incidence of this result—about 3% overall. The reports of unauthorized access are about 3% for small and medium firms and 7% for firms with 500+ attorneys. While these percentages are low, any exposure of client data can be a major disaster for a law firm and its clients. The 2015 Survey responses make it difficult to tell how many incidents there have actually been with exposure of client data because almost 8% overall report that they don’t know about the consequences, with “Don’t Know” responses by 20% in firms of 100-499 and 29% in firms with 500+ attorneys. The uncertainty is increased by the high percentage of respondents (23%), discussed above, who don’t even know whether their firm experienced a data breach.
The other reported consequences of data breaches are significant and reported in 20%-30% of incidents. Downtime/loss of billable hours was reported by 30% of respondents, consulting fees for repair were reported by 22%, destruction or loss of files by 18%, and replacement of hardware/software reported by 30%. Any of these could be very serious, particularly for solos and small firms.
A little over 5% overall responded that they notified a client or clients of the breach. This is equal to or in excess of the reported incidence of unauthorized access to client data for firms of all sizes (3%). It is consistent with the view that ethical and common law obligations require notice to clients. The percentage reporting client notice ranges from 11% for firms with 2-9 attorneys, to 7% for 500+, with the others close to the average.
The 2015 Survey also inquired about infections with viruses/spyware/malware. Overall, 42% reported infections, 35% reported none, and 23% reported that they don’t know. Reported infections were greater in small firms (44%) and medium firms (48%). They were lower in large firms (31%) and 500+ firms (37%), but still an incidence that raises concern. Infections can cause serious consequences, including compromise of confidentiality and loss of data. With just under half of respondents reporting infections, strong safeguards against them are clearly warranted.
Security Programs and Policies
At the ABA Annual Meeting in August 2014, the ABA adopted a resolution on cybersecurity that “encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” The organizations covered by it include law firms.
Security programs should include measures to prevent breaches, like policies that regulate use of technology. There has been a growing recognition that security includes the full spectrum of measures to identify, protect, detect, respond, and recover from data breaches and security incidents. Security programs should cover all of these areas.
An important initial step in establishing an information security program is defining responsibility for security. The program should designate an individual or individuals responsible for coordinating security—someone must be in charge. It should also define everyone’s responsibility for security, from the managing partner or CEO to support staff.
While a dedicated, full time Chief Information Security Officer is generally appropriate (and affordable) only for large law firms, every firm should have someone who is responsible for coordinating security. The larger the firm, the more it is necessary to have a full time security officer or someone who has dedicated a large part of their time to security. Consistent with this approach, 34% of firms report that they have a dedicated Chief Information Security Officer or other person charged with data security. It ranges from 15% for solos, to 21% for firms with 2-9 attorneys, 43% for 10-49, 56% for 50-99, 76% for 100-499, and 77% for firms with 500+.
The 2015 Survey asks respondents about a variety of technology-related policies rather than about an overall security program. Attorneys and law firms should view these kinds of policies as part of a coordinated program rather than individually.
According to the 2015 Survey, 55% of respondents report that their firms have a document or records management and retention policy, 46% report a policy regarding email use, 43% for Internet use, 42% for computer acceptable use, 41% for email retention, 34% for social media and 31% for employee privacy. All of these percentages are up slightly from the 2014 Survey, so there has been an increase in their adoption. These numbers increase with firm size. For example, about 34% of solo respondents report having a document/records policy, increasing to 50% in firms with 2-9, 63% in 10-49, 71% in 50-99, 85% in 100-499, and 89% of respondents at firms with 500+ attorneys. 19% of solos report having a computer acceptable use policy, 32% of firms with 2-9 attorneys, 53% with 10-49, 69% with 50-99, and 79% with 100+.
Two responses that raise a major security concern are those that report having no policies and those reporting that they don’t know if their firm has security policies. Overall, about 25% report that they don’t have policies and 10% respond that they don’t know.
There is a clear trend by firm size in the responses of having no policies. None of the respondents in firms of 50-99 and 100-499 report having no security policies and only 1.6% in 500+. The percentage of firms with no security policies ranges from 7% in firms with 10-49, to 25% in firms with 2-9, to 54% (over half) of responding solos. While it is understandable that solos and smaller firms may not appreciate the need for policies, all firms should have them, appropriately scaled to the size of the firm and the sensitivity of the data.
The increased use of security assessments conducted by independent third parties has been a growing security practice for businesses and enterprises. Law firms have been slow to adopt this security tool, with only 20% of law firms overall reporting that they had a full assessment. Affirmative responses gradually increase from 12% for solos to 21% for firms of 500+.
Third party assessments are often conducted for law firms only when a client requests it or requires it. Overall, 12% report that a client or prospective client has requested an audit. The percentage of firms reporting a client request gradually goes up by size of firm, from 3% for solos to 38% for firms of 500+.
Incident response is a critical element of an information security program. A high of 55% of firms with 500+ attorneys report having an incident response plan to address a security breach, followed by 39% of firms of 100-499, 34% of firms of 10-49, 22% of solo practitioners, and 20% of firms of 2-9 attorneys. As with a security program, all attorneys should have an incident response plan, scaled to the size of the firm. For solos and small firms, it may just be a checklist plus whom to call for what, but they should have a basic plan.
Security awareness is a key to effective security. There cannot be effective security if users are not trained and do not understand the issues and the applicable security policies. Obviously, they can’t understand policies if they don’t even know if their law firm has any. In accordance with the ABA resolution on cybersecurity programs (and generally accepted security practices), all attorneys and law firms should have security programs tailored to the size of the firm and the data and systems to be protected. They should include training and security awareness.
Cyber Insurance Coverage
As the headlines continue to be filled with reports of data breaches, there has been a growing recognition of the need for cyber liability insurance. Many general liability and malpractice policies do not cover security incidents or data breaches. The percentage of attorneys reporting that they have cyber coverage is small: 11% overall. It gradually increases from 10% for solos to only 15% for firms of 500+. As firm size grows, fewer respondents know if their firm carries such policies. A review of the need for cyber insurance coverage should be a part of the risk assessment process for law firms of all sizes.
Authentication and Access Control
Authentication and access controls are the first line of defense. They are the “keys to the kingdom”—controlling access to networks, computers, and mobile devices. The 2015 Survey covers access controls for laptops and smartphones. It would be interesting to see how attorneys fare on networks, desktops, servers, and other computers.
For laptops, a strong majority of responding attorneys—nearly all—report that they use access controls. Overall, just under 97% report using passwords, with firms of 100+ at 100%. For solos, the figure is 93% (up from 88% last year). In addition, 11% overall report using other authentication, which would include fingerprint readers and other alternatives. While this might suggest that all attorneys use some form of access control (97% + 11%), that is not the case: the two groups overlap. 2% report that they use none of the listed laptop security measures (down from 5% last year). The response of “None” is limited to solos and firms with fewer than 10 attorneys. As noted above, the larger firms report 100% use of passwords.
Use of authentication controls on smartphones is similar to that on laptops. Reported use of passwords is 92% overall (up slightly from 90% last year), increasing with firm size from 88% for solos to 100% for firms of 500+. Use of other authentication is 21%, while another 8% use none of the listed measures.
For both laptops and smartphones, all attorneys should be using passwords or other authentication.
Encryption is a strong security measure that protects data in storage (on computers, laptops, smartphones, tablets, and portable devices) and transmitted data (over wired and wireless networks, including email). Security professionals view encryption as a basic safeguard that should be widely deployed. It is increasingly being required by law for personal information, like health and financial information. The 2015 Survey shows that use by attorneys of the included encryption tools is very low.
Full drive encryption provides strong protection for all of the data on a server, desktop, laptop, or portable device. The data is readable only when it is decrypted through use of the correct password or other access control. Respondents report an overall use of full drive encryption of only 20% (up from 14% last year), ranging from 14% for solos to 56% for firms of 500+. File encryption protects individual files rather than all the data on a drive or device. Reported use of file encryption is higher than full disk—42% overall (up from 36% last year), ranging from just under 30% for solos to 57% in firms of 500+—but still just over one-third overall.
Use of encryption on smartphones appears to be significantly under-reported. Respondents report an overall use of encryption of smartphones by only 14% (up from 10% last year). However, 68% overall report using iPhones and 92% report that they use password protection on their smartphones. On current iPhones, encryption is automatically enabled when a PIN or passcode is set. It appears that many attorneys are using encryption on their smartphones without knowing it. Encryption can be that easy!
Verizon’s 2014 Data Breach Investigation Report concludes that “encryption is as close to a no-brainer solution as it gets” for lost or stolen devices. Attorneys who do not use encryption on laptops, smartphones, and portable devices should consider the question: Is failure to employ what many consider to be a no-brainer solution taking competent and reasonable measures?
E-mail encryption is another security measure with low reported use by responding attorneys. Overall, 35% of respondents reported that they use encryption for e-mail of confidential/privileged communications/documents sent to clients. This ranges from 26% for solos to 52% for firms of 500+. There has been a gradual trend toward increased use of encryption for e-mail, growing from 23% overall in the 2011 Survey to the current 35%.
Google and Yahoo, at least in part driven by the disclosures about NSA interception, announced in 2014 that they will be making encryption available for their e-mail services. In its announcement, Google compared unencrypted e-mail to a postcard and encryption as adding an envelope. This postcard analogy has been used by security professionals for years. Hopefully, the percentages of attorneys reporting that they have added the envelopes, where appropriate, will grow in future surveys.
Some Basic Security Tools
In addition to authentication and encryption, the 2015 Survey asks about security tools that are available to responding attorneys. Most, if not all, of these tools are security basics that should be used by all attorneys and law firms.
The most common tool is the spam filter, used by 87% of respondents. This may be under-reported because most email service providers have at least basic spam filters. Spam filters can be a strong first line of defense against phishing (malicious emails that try to steal information or plant malware). Filters are only part of the defense that weeds out some phishing emails, but are an important first step.
Other tools with high reported use include anti-spyware (78%), software-based firewalls (79%), antivirus for desktops/laptops (70%), e-mail (68%), and networks (61%). Use of intrusion prevention systems is reported by 22% of respondents overall. There has been a growing trend for a number of years toward security suites that combine some of these tools, like malware protection, software firewalls, and basic intrusion protection, in a single product. Availability of the various security tools is generally stable across firms of all sizes, with increases for a few of them as firm size grows. There is a generally low incidence of “don’t know” responses for these tools, about 5% overall.
Disaster Recovery/Business Continuity
Threats to availability of data can range from failure of a single piece of equipment to a major disaster like a fire or hurricane.
Overall, 17% of respondents report that their firm had experienced a natural or man-made disaster, like a fire or flood. The highest incidence was 41% in firms of 500+ (up from 27% last year), moving toward half of respondents. The lowest reported incidence was for solos at 10% (up from 6%). Disasters of this kind can put a firm out of business, temporarily or permanently. These positive responses and the potentially devastating results demonstrate the importance for law firms of all sizes to be prepared to respond and recover.
Despite this clear need, only about a quarter of responding attorneys report that their firms have a disaster recovery/business continuity plan. The overall response is that 28% have a plan, 48% do not, and 25% of respondents don’t know. Firms with a plan generally increase with the size of the firm, from 22% of solos, to 34% of firms with 10-49 attorneys, to 55% of firms with 500+.
In the equipment failure area, 37% of respondents report that their firm experienced a hard drive failure, while 37% reported that they did not. The remainder reported that they do not know, with the “don’t knows” increasing by firm size. In firms of 500+, 73% responded that they don’t know. In firms of 100-499, it was 68%. It is very likely that most large firms have suffered multiple hard drive failures, just not known by the individual responding attorneys. Even limiting the analysis to known hard drive failures, they have impacted over one-third of respondents. That’s a high risk, particularly considering the potential consequences, and all attorneys and law firms should implement backup and recovery measures.
The most frequently reported form of backup is external hard drives (42%), followed by offsite backup (31%), online (26%), network attached storage (16%), USB (11%), tape (10%), RAID (7%), CDs (7%), and DVD (4%). Less than 1% of respondents report that their firms don’t back up their computer files.
The 2015 Survey responses show that 49% of respondents back up once a day, 19% more than once a day, 13% weekly, and 5% monthly. 9% report that they don’t know, with unknowns increasing with firm size. Attorneys and firms that don’t back up on a daily basis, or more frequently, should reevaluate the risk in light of the incidents reported in the 2015 Survey.
The 2015 Survey provides a good overview, with supporting detail, of what attorneys and law firms are doing to protect information. It generally shows increasing attention to security and use of safeguards, but also demonstrates that there is room for improvement. Those who are behind the reporting attorneys and firms on safeguards should evaluate their security posture to determine whether they need to do more to provide competent and reasonable safeguards. Those who are in the majority, or ahead of the curve, still need to review and update their security, as new technology, threats, and available safeguards evolve over time. Effective security is an ongoing process, not just a “set it and forget it” effort. All attorneys should have appropriate security programs that include training and constant security awareness.