Business Law Today

January 2024

Three Things Midsized Law Firms Can Do Now to Mitigate Their Cyber Risk

Corey Garver


  • Learn three key steps midsized law firms can take to mitigate the risk of cybersecurity breaches, including investigating their service providers, educating and training employees, and having a robust response plan in place to respond responsibly and ethically.
  • As cybersecurity breaches continue to increase in number, complexity, and impact, it’s important for law firms to take stock of and strengthen their cybersecurity practices to be best prepared to defend themselves, and their clients, against the compromise of information and data.
  • Best practices for law firms to strengthen their risk preparedness and responsiveness can include enhancing training with cybersecurity test-and-learn exercises and gamification, as well as regularly updating and pressure-testing incident response plans.

In 2020, approximately forty-six law firm data breaches were reported, according to a recent Law360 Pulse survey. In 2022, that figure more than doubled and exceeded one hundred.

Many midsized firms mistakenly assume that cybersecurity breaches won’t happen to them—that breaches only happen to large firms or that their firm is adequately defended by their current technology systems. Not only is this thinking naive, it is risky.

In 2022, 70 percent of reported breaches occurred at firms with fifty lawyers or fewer. Research shows that cyberattacks are increasing in size and becoming more sophisticated, occurring through a variety of tactics including social engineering and phishing, which can lead to stolen credentials such as usernames and passwords.

Here are three proactive steps your firm can take to help mitigate both the risk and the potential negative impacts of a data breach.

1. Investigate Your Managed Service Provider (MSP)

Many law firms rely on a third party to provide technology and related services to support firm operations and infrastructure (phone systems, email, video conferencing, document management systems, etc.). However, in addition to supporting law firm technology operations, MSPs are also a primary resource for defending against and mitigating cyber risks. Thus, it makes sense to ensure your MSP is secure.

One way to assess your MSP’s security is to request to see its latest SOC 2 audit. SOC 2 (System and Organization Controls 2) is an audit report that indicates the trustworthiness of the services provided by an MSP and is used to assess the risks associated with third-party service providers that store consumer data online. MSPs are not required to have SOC certifications, but SOC certification has become an industry benchmark for recognizing high security standards; it indicates an added measure of proof that an MSP is secure. An increasing number of businesses, especially those operating in regulated industries such as banking, financial, health care, energy, and retail, only work with law firms that use an MSP that is SOC 2 certified or law firms that have their own SOC 2 certification.

While investigating your MSP’s SOC status, here are additional questions to ask your provider:

  • What’s being done to protect my organization from breaches, hacks, and attacks?
  • What cybersecurity-related services am I paying for?
  • How are these services protecting me? What reporting is available?
  • What security awareness training services can you offer my firm?

2. Don’t Lose Sight of Your #1 Risk: Access Points into Your Data through Your Employees

Each individual working at your firm represents a potential entry point for hackers to gain access to your data and client data. It’s also possible to encounter employees who decide to steal or compromise data.

It’s important to note, though, that employees can also be your best protection against cybersecurity breaches. With proper security awareness training and other strategies, law firms can decrease the chances of being breached and defend themselves.

For example, firms can start, increase, and mandate cybersecurity awareness training for employees. Many firms conduct such training on an annual basis, yet given the increased complexity and sophistication of cyberattack methods, this may no longer be frequent enough. Formal cybersecurity awareness training, which includes cybersecurity test-and-learn exercises such as penetration testing and phishing attack simulations, should happen often and at random, to simulate how unexpected a hack attempt can be and reinforce readiness at all times.

Another option to strengthen a firm’s cybersecurity training is the gamification of the training to drive the desired employee behavior. Law firms can create healthy competitions among employees, whereby an award or prize goes to the most vigilant employees for efforts such as detecting and properly reporting the most (simulated) phishing attempts within a given time frame.

Firms that prioritize training create a culture of cybersecurity compliance and a stronger shield from cyberattacks than those firms that are not adopting training, creating awareness, and simulating attack situations. Firms that proactively build, implement, and test (or literally practice) their defense measures will be much better prepared than those that choose to wait and react.

High adoption of security-compliant practices happens when firms make a concerted effort to track and reward participation in cybersecurity training and make it part of the employee evaluation process, building in incentives. This helps the firm identify areas for cybersecurity improvement and employees who pose a cybersecurity risk.

3. Maintain a Robust and Up-to-Date Breach Response Plan

Given the plethora of security and privacy regulations, it is critical that any cyber incident is met with a timely and appropriate response. While no organization wants to experience a breach, for law firms such incidents invoke a unique ethical obligation. Lawyers have an obligation to protect their clients’ information and to disclose any breach.

Rule 1.6 of the ABA Model Rules of Professional Conduct states that lawyers must not disclose information related to the representation of a client. This includes information that is communicated in confidence by the client and any other information related to the representation. The rule also states that lawyers must make reasonable efforts to prevent the unauthorized disclosure of client information.

Notably, the European Union’s General Data Protection Regulation (GDPR) applies to law firms that offer services to clients in the EU, among other circumstances, and if a firm falls under the GDPR’s definition of a controller, it is required to report personal data breaches to the relevant supervisory authority “without undue delay and, where feasible, not later than seventy-two hours after having become aware” of the breach. The notification must include information about the nature and scope of the breach, including the number of data subjects and records involved.

Firms need to follow all legal requirements and should also have their own detailed, formal breach or incident response plan in place. A robust breach response plan should include:

  • Incident response team roster with clearly defined roles and responsibilities
  • Procedures for monitoring and detecting threats
  • A clearly defined process for reporting incidents internally
  • Training for all firm personnel on how to detect and respond to cyber threats
  • Procedures for handling the discovery, investigation, and containment of threats
  • Procedures for correcting any security problems
  • Reporting requirements to respective regulatory authorities
  • Notifications to affected persons, particularly clients

Review and update your response plan after every incident and note what worked, what didn’t, takeaways, and necessary updates to the plan.

If your firm already has a breach response plan in place, regularly review it. When was the last time it was updated? Perhaps it’s up to date but needs to be tested. Consider implementing simulated breach scenarios to pressure-test your plan, tracking personnel, processes, response times, and other important elements against relevant benchmarks and standards.

The best practices noted in this article are excerpted from Meritas Cybersecurity Standards.