December 01, 2017 TECHREPORT 2017

2017 Security

by David G. Ries

Confidential data in computers and information systems, including those used by attorneys and law firms, faces greater security threats today than ever before—and they continue to grow! Security breaches have become so prevalent that there is a new mantra in cybersecurity today: it is “when, not if” a law firm or other entity will suffer a breach.

Last year’s TECHREPORT noted that law firm security breaches had become high profile and were making national headlines. It included an example of an insider trading scheme in which a cybercriminal was recruiting hackers to target international law firms to acquire non-public information for stock trading purposes. This trend continued during the second half of 2016 and the first half of this year. In December 2016, the U.S. Department of Justice announced the indictment of three Chinese nationals for breaking into law firms as part of the insider trading scheme. In June of this year, a global cyber attack that masked data-destroying malware as ransomware hit a major global law firm hard, forcing the shutdown of its phone, email, and information systems. Law firms have continued to expose W-2 tax forms in phishing attacks, laptops and smartphones have been lost or stolen, and law firms have been victims of ransomware attacks.

New York Ethics Opinion 1019 warned attorneys in May 2014 about this threat environment:

Cyber-security issues have continued to be a major concern for lawyers, as cyber-criminals have begun to target lawyers to access client information, including trade secrets, business plans, and personal data. Lawyers can no longer assume that their document systems are of no interest to cyber-crooks.

ABA Formal Opinion 477, Securing Communication of Protected Client Information (May 11, 2017), describes the current threat environment:

At the same time, the term “cybersecurity” has come into existence to encompass the broad range of issues relating to preserving individual privacy from intrusion by nefarious actors throughout the Internet. Cybersecurity recognizes a … world where law enforcement discusses hacking and data loss in terms of “when,” and not “if.” Law firms are targets for two general reasons: (1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.

The ABA 2017 Legal Technology Survey Report explores security incidents and the security measures that reporting attorneys and their law firms are using. As in past years, it shows that many attorneys and law firms are employing some of the safeguards covered in the questions, and are generally increasing use of them over time. It also shows, however, that many are not using security measures that are viewed as basic by security professionals, and which are used more frequently in other businesses and professions.

Some attorneys and law firms may not be devoting more attention and resources to security because they mistakenly believe it won’t happen to them. The increasing threats to attorneys and law firms and the reports of security breaches should dispel this mistaken viewpoint. Significantly, 22% of respondents overall reported that their firm had experienced a data breach at some time—up from 14% last year. Reports of breaches ranged from a high for firms with 10-49 attorneys (35%, more than one-third) to a low of 10% for solos.

Data security is addressed most directly in Volume I of the 2017 Survey, “Technology Basics & Security.” It is further addressed in Volume IV, “Web and Communications Technology,” and Volume VI, “Mobile Lawyers.” Each volume includes a trend report, which breaks down the information by size of firm and compares it to prior years, followed by sections with more detailed information on 2017 Survey responses. This gives attorneys (and clients) information to compare their security posture to law firms of similar size. This security summary reviews responses to the security questions in the 2017 Survey and discusses them in light of both attorneys’ duty to safeguard information and standard information security practices.

The ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients. (ABA Model Rules 1.1 and 1.6 and Comments). Attorneys also have common law duties to protect client information and often have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, like health and financial information. These duties present a challenge to attorneys using technology because they are not technologists and often lack training and experience in security. Compliance requires attorneys to understand limitations in their knowledge and to obtain sufficient information to protect client information, to get qualified assistance if necessary, or both. These obligations are minimum standards, and failure to comply with them can constitute unethical or unlawful conduct. Attorneys should aim for security that goes beyond these minimums as a matter of sound professional practice and client service.

Recognizing the Risk

Information security starts with an inventory and risk assessment to determine what needs to be protected and the threats that it faces. The inventory should include both technology and data. You can’t protect it if you don’t know that you have it and where it is.

Comment [18] to Model Rule 1.6 includes a risk-based approach to determine reasonable measures that attorneys should employ. The first two factors in the analysis are “the sensitivity of the information,” and, “the likelihood of disclosure if additional safeguards are not employed.” This analysis should include a review of security incidents that an attorney or law firm has experienced and those experienced by others—both generally and in the legal profession. The 2017 Survey includes information about threats in its questions about security breaches.

The next factors in the risk analysis cover available safeguards. Comment [18] to Model Rule 1.6 includes them in the risk analysis for attorneys:

…the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

Comment [18] uses a risk-based approach that is now standard in information security. The 2017 Survey includes information about the available safeguards that various attorneys and firms are using.

The 2017 Survey reveals that about 22% of respondents overall reported that their firms had “ever” experienced a security breach at some point (note: not limited to the past year). A breach broadly includes incidents such as a lost/stolen computer or smartphone, hacker, break-in, or website exploit. This compares with 14% in 2016, 15% in 2015, 14% in 2014, and 15% in 2013—an 8% increase after being basically steady from 2013 through 2016.

In a change from last year, firms with 10-49 attorneys most often report experiencing a security breach (35%, more than one in three). Firms with 50-99 attorneys are a close second, with 33% reporting breaches. Firms of 2-9 (27%) and 500+ (23%) were next, with about one in every four firms. Solos reported the lowest incidence of about 10%. In the past, reports of breaches generally increased with the size of the firm. This year is different, with the highest incidence reported for firms with 10-49, the second lowest for firms with 100-499 attorneys, and the lowest for solos.

Larger firms have more people, more technology, and more data, so there is a greater exposure surface, but they also should have more resources to protect them. It is difficult to tell the completeness of larger firms’ responses because the percentage of those reporting that they don’t know about breaches (22% overall) directly goes up with firm size, reaching 58% in firms with 100-499 attorneys and 63% in firms with 500+. This makes sense because attorneys in medium and large firms may not learn about security incidents, particularly at remote offices.

The majority of respondents, 56%, reported that their firm had not experienced a breach. Hopefully, this does not include many firms that have experienced a security breach and never detected it. A common saying in security today is that there are two kinds of companies: those that have been breached and know it, and those that have been breached but don’t know it. The same is likely true for law firms.

The most serious consequence of a security breach for a law firm would most likely be unauthorized access to sensitive client data. The 2017 Survey shows a very low incidence of this result for firms that experienced a breach—about 1% overall, slightly down from last year. Among firms that experienced a breach, none of the solos or firms of 2-9, 50-99, and 100-499 attorneys reported unauthorized access to client data; 7% of firms with 500+ and 3% of firms with 10-49 attorneys that had a breach did report unauthorized access to sensitive client data. While the percentages are low, any exposure of client data can be a major disaster for a law firm and its clients.

The 2017 Survey responses make it difficult to tell how many breaches there have actually been with exposure of client data because almost 5% overall report that they don’t know about the consequences. This includes “don’t know” responses by 3% in firms of 10-49, 8% of firms of 50-99, 25% of firms of 100-499, and 14% of firms of 500+. The uncertainty is increased by the high percentage of respondents (22%), discussed above, who don’t even know whether their firm experienced a data breach.

Unauthorized access to non-client sensitive data is 7% overall, with 10% for solos and firms of 2-9, 5% for firms of 10-49, 8% for firms of 50-99, none for firms of 100-499, and 7% for firms of 500+.

The other reported consequences of data breaches are significant. Downtime/loss of billable hours was reported by 38% of respondents; consulting fees for repair were reported by 34%, destruction or loss of files by 15%, and replacement of hardware/software reported by 23% (percentages for firms that experienced breaches). Any of these could be very serious, particularly for solos and small firms that may have limited resources to recover. No significant business disruption or loss was reported by 62% overall.

About 11% overall responded that they notified a client or clients of the breach. The percentage reporting notice to clients ranges from 5% for firms of 10-49 attorneys to 22% for firms of 500+ attorneys, and the others closer to the average. This is equal to or in excess of the reported incidence of unauthorized access to client data for firms of each size, consistent with the view that ethical and common law obligations require notice to clients.

Overall, 17% of respondents reported that they gave notice to law enforcement, ranging from 8% of firms of 100-499 attorneys to 36% of firms of 500+. The others were close to the 17% average.

The 2017 Survey also inquired about viruses/spyware/malware infections. Overall, 43% reported infections, 34% reported none, and 23% reported that they don’t know. Reported infections were greatest in firms with 10-49 attorneys (63%), 2-9 (53%), and approximately 30% in other firms. Infections can cause serious consequences, including compromise of confidentiality and loss of data. With just under half of respondents reporting infections, strong safeguards to protect against them are clearly warranted, including up-to-date security software, promptly applied patches to the operating system and all application software, effective backup, and training of attorneys and staff.

Security Programs and Policies

At the ABA Annual Meeting in August 2014, the ABA adopted a resolution on cybersecurity that “encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” The organizations covered by it include law firms.

A security program should address people, policies and procedures, and technology. All three areas are necessary for an effective program. Security should not be left solely to IT staff and consultants. In addition to measures to prevent security incidents and breaches, there has been a growing recognition that security includes the full spectrum of measures to identify, protect, detect, respond, and recover from data breaches and security incidents. Security programs should cover all of these functions.

An important initial step in establishing an information security program is defining responsibility for security. The program should designate an individual or individuals responsible for coordinating security—someone must be in charge. It should also define everyone’s responsibility for security, from the managing partner or CEO to support staff.

While a dedicated, full-time chief information security officer is generally appropriate (and affordable) only for larger law firms, every firm should have someone who is responsible for coordinating security. The larger the firm, the more it is necessary to have a full-time security officer or someone who dedicates an appropriate part of their time and effort to security. The 2017 Survey asks who has primary responsibility for security in respondents’ firms. As expected, responses vary by size of firm. The respondent has primary responsibility in solo firms (86%); the respondent (29%) or an external consultant/expert (34%) in firms of 2-9 attorneys; IT staff for firms of 10-49 attorneys (40%) and 50-99 (65%); a chief information officer in firms of 100-499 attorneys (58%) and firms of 500+ attorneys (55%). A small percentage (2%) report that nobody has primary responsibility for security—a high-risk situation.

The 2017 Survey asks respondents about a variety of technology-related policies, rather than about an overall comprehensive information security program. Attorneys and law firms should view these kinds of policies as part of a coordinated program rather than individually.

According to the Survey, 60% of respondents report that their firms have a policy to manage retention of information/data held by the firm, 56% report a policy on email use, 51% for internet use, 48% for computer acceptable use, 45% for remote access, 80% for email retention, 42% for social media, 24% for personal technology use/BYOD, and 34% for employee privacy. The numbers generally increase with firm size. For example, about 45% of solo respondents report having an information/data retention policy, increasing to 53% in firms with 2-9, 57% in firms of 10-49, 77% in firms of 50-99, and 90% in both firms of 100-499 and 500+ attorneys.

Two responses that raise a major security concern are those that report having no policies (25% overall) and those reporting that they don’t know about security policies (7%). There is a clear trend by firm size in the responses of having no policies. There are no respondents in firms of 500+ reporting no policies. The percentage with none decreases by firm size, ranging from 2% in firms of 100-499 attorneys, 4% in firms of 50-99, 5% in firms of 10-49, 25% in firms of 2-9, to 41% in responding solos. While it is understandable that solos and smaller firms may not appreciate the need for policies, all firms should have them, appropriately scaled to the size of the firm and the sensitivity of the data.

Incident response is a critical element of an information security program. Overall, 26% report having an incident response plan. A high of 66% of firms with 500+ attorneys report having an incident response plan to address a security breach, followed by 51% in firms of 100-499, 43% of firms of 50-99, 31% of firms of 10-49, 14% of firms of 2-9 attorneys, and 10% of solos. As with a comprehensive security program, all attorneys and law firms should have an incident response plan, scaled to the size of the firm. For solos and small firms, it may simply be a checklist including who to call for what, but they should have some sort of basic plan.

Security awareness is key to effective security. There cannot be effective security if users are not trained or do not understand the issues and the applicable security policies. Obviously, they can’t understand policies if they don’t even know whether their law firm has any.

In accordance with the ABA resolution on cybersecurity programs (and generally accepted security practices), all attorneys and law firms should have security programs tailored to the size of the firm and the data and systems to be protected. They should include training and constant security awareness.

Security Assessments and Client Requirements

Clients are increasingly focusing on the information security of law firms representing them and using approaches like required third-party security assessments, security requirements, and questionnaires.

The increased use of security assessments conducted by independent third parties has been a growing security practice for businesses and enterprises generally. Law firms have been slow to adopt this security tool, with only 27% of law firms overall reporting that they had a full assessment, but it did increase from 18% last year. Affirmative responses generally increased by size of firm, from 13% for solos to 23% for firms of 500+. For firms of 2-9, 10-49, 50-99, and 100-499, it’s about 35%.

Third-party assessments are often conducted for law firms only when requested or required by a client. Overall, 11% report that a client or prospective client has requested an audit or other reviews. The percentage of firms reporting a client request gradually goes up by size of firm, from 2% for solos to 39% for firms of 500+.

Overall, 35% of respondents report that they have received a client security requirements document or guidelines from a client (up from 31% last year). Firms receiving them generally increase by size of firm, from 10% of solos to about 73% of firms of 100-499 attorneys to 79% of firms of 500+. There is a growing recognition in the information security profession of the importance of securing data that business partners and service providers can access, process, and store; this includes law firms. In March 2017, the Association of Corporate Counsel (ACC) published the Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information, which provides a list of baseline security measures and controls that legal departments can consider in developing requirements for outside counsel. Attorneys and law firms are likely to face increasing client requirements for security.

Cyber Insurance

As the headlines continue to be filled with reports of data breaches, including law firms, there has been a growing recognition of the need for cyber liability insurance. Many general liability and malpractice policies do not cover security incidents or data breaches. The percentage of attorneys reporting that they have cyber coverage is small, at 26%, but has been increasing (up from 17% in 2016 and 11% in 2015). It gradually increases from 19% for solos to about 30-35% for midsize firms, then drops to 18% for firms of 500+. In addition to cyber liability insurance, covering liability to third parties, there is also coverage available for first-party losses to the law firm (like lost productivity and technical or legal expenses). A review of the need for cyber insurance coverage should be a part of the risk assessment process for law firms of all sizes.

Security Standards and Frameworks

A growing number of law firms are using information security standards and frameworks, like those published by the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). They provide consensus approaches to a comprehensive information security program. Some firms use them as guidelines for their security programs, while a smaller group of firms seek formal security certification. The 2017 Survey asks whether respondents’ firms have received a security certification. Overall, only 8% report that they have received a certification (up from 5% last year), with a low for solos (3%) and a high for firms of 100-499 (13%). It is interesting that 3% of solos and 7% of firms of 2-9 attorneys report that they have received a certification because a formal security certification is a major effort.

Authentication and Access Control

Authentication and access controls are the first lines of defense. They are the “keys to the kingdom,” controlling access to networks, computers, and mobile devices. The 2017 Survey covers access controls for laptops and smartphones. It would be interesting to see how attorneys fare on networks, desktops, servers, and other systems.

For laptops, a strong majority of responding attorneys (nearly all) report that they use access controls. Overall, 98% report using passwords, with firms of 10-49 attorneys, 50-100, and 500+ at 100%. Firms of 2-9 and 100-499 report just below 100%. For solos, the figure is 92%. In addition, 15% overall report using other authentication, which would include fingerprint readers and other alternatives. While this might suggest that all attorneys use some form of access control (98% + 15%), that is not the case, because the two groups overlap. About 2% report that they use none of the listed laptop security measures. The response of none includes solos and firms with fewer than 49 attorneys. As noted above, 100% (or just below) of larger firms report the use of passwords.

Use of authentication controls on smartphones is similar to those on laptops. Reported use of passwords is 94% overall, increasing with firm size from 88% for solos to 100% for firms of 50-99, 100-499, and 500+. Use of other authentication is 38% overall, while another 5% use none of the listed measures.

For both laptops and smartphones (as well as other mobile and portable devices), all attorneys should be using passwords or other authentication.

Most, if not all, attorneys need multiple passwords for a number of devices, networks, services, and websites—for both work and personal use. It is recommended that users have a different, strong password for each device, network, service, and website. While password standards are evolving—stressing length over complexity—it is still very difficult, or impossible, to remember numerous passwords. Password management tools allow a user to remember a single, strong password or passphrase for the tool or locker, with automatic access to the others. Respondents report that 22% overall use password management tools while 17% report that they don’t know. It is unlikely that these respondents are using these tools because a user would have to know that they are using a single password to access others. There is not much of a difference in use by size of firm, ranging from 12% for solos to 30% for firms of 500+ attorneys.

Encryption

Encryption is a strong security measure that protects data in storage (on computers, laptops, smartphones, tablets, and portable devices) and transmitted data (over wired and wireless networks, including email). Security professionals view encryption as a basic safeguard that should be widely deployed. It is increasingly being required by law for personal information, such as health and financial information. The recent battle between the FBI and Apple, and the current debate about mandated “backdoors” to encryption for law enforcement and national security show how strong encryption can be for protecting sensitive data. The 2017 Survey shows that use by attorneys of the covered encryption tools has been growing, but its use is limited.

Full drive encryption provides strong protection for all of the data on a server, desktop, laptop, or portable device. The data is readable only when it is decrypted through use of the correct password or other access control. Respondents report an overall use of full drive encryption of only 21% (up from 15% last year), ranging from 15% for solos to 42% for firms of 500+, with percentages increasing by firm size. File encryption protects individual files rather than all the data on a drive or device. Reported use of file encryption is higher than full disk at 45% overall, ranging from 38% for solos to 65% in firms of 500+. This question is general and is not broken down by servers, desktops, laptops, smartphones, etc. As discussed below, all attorneys should use encryption on laptops, smartphones, and mobile devices. While some law firms are starting to encrypt desktops and firm servers, it is not yet a common practice.

For laptops, 27% overall report using file/data encryption and 25% report using hard drive encryption. File/data protection relies on the user to encrypt individual files or to put sensitive information in an encrypted file or partition on the drive. Full hard drive encryption provides broader protection because it protects all data on the drive. Use of full drive encryption ranges from 22% for solos to 53% by firms of 500+. Reported use increases by firm size, except for firms with 10-49 attorneys, with a low of 16%. The 2017 Survey also reported on additional security measures for laptops, like remote data wiping (16% overall) and tracking software (9% overall). These kinds of measures can provide additional security, but should not be a substitute for encryption.

Use of encryption on smartphones appears to be significantly underreported by attorneys responding to the 2017 Survey, as in past years. Respondents report an overall use of encryption of smartphones by only 20% (up from 16% last year). However, 75% overall report using iPhones and 94% report that they use password protection on their smartphones. On current iPhones, encryption is automatically enabled when a PIN or passcode is set. Google is also moving to automatic encryption with a PIN or swipe pattern for Android devices. It appears that many attorneys are using encryption on their smartphones without knowing it. Encryption can be that easy! Encryption of laptops may also be under-reported because it can be transparent to the user if it has been enabled or installed by a law firm’s IT staff or a technology consultant.

Verizon’s 2014 Data Breach Investigation Report concludes that “encryption is as close to a no-brainer solution as it gets” for lost or stolen devices. Attorneys who do not use encryption on laptops, smartphones, and portable devices should consider the question: Is failure to employ what many consider to be a no-brainer solution taking competent and reasonable measures?

Email encryption is another security measure with low reported use by responding attorneys. Overall, 36% of respondents reported that they use encryption for email of confidential/privileged communications/documents sent to clients (up from 26% last year). This ranges from 25% for solos, gradually increasing to 60% for firms of 500+. There has been a gradual trend toward increased use of encryption for email, growing from 23% overall in the 2011 Survey to 36% this year (with a reported decrease to 26% last year). Email encryption has now become easy to use and inexpensive with commercial email services. Google and Yahoo, at least in part driven by the disclosures about NSA interception, announced in 2014 that they will be making encryption available for their email services. In its announcement, Google compared unencrypted email to a postcard and encryption as adding an envelope. This postcard analogy has been used by security professionals for years. Hopefully, the percentages of attorneys reporting that they have added the envelopes, where appropriate, will grow in future surveys.

During the last several years, some state ethics opinions have increasingly expressed the view that encryption of email may sometimes be required to comply with attorneys’ duty of confidentiality. On May 11 of this year, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477, “Securing Communication of Protected Client Information.” The opinion revisits attorneys’ duty to use encryption and other safeguards to protect email and electronic communications in light of evolving threats, developing technology, and available safeguards. It suggests a fact-based analysis and concludes “the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication,” but “particularly strong protective measures, like encryption, are warranted in some circumstances.” It notes that attorneys are required to use special security precautions, like encryption, “when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”

If encrypted email is not available, a strong level of protection can be provided by putting the sensitive information in an encrypted attachment instead of in the text of the email. In current versions of Microsoft Office, Adobe Acrobat, and WinZip, setting a password for the document encrypts it. While password protection of documents is not as strong as encryption of a complete email and its attachments, because its strength depends on the strength of the password, it is much more secure than no encryption. If this approach is used, it is important to securely provide the password or passphrase to the recipient(s), preferably through a different communication channel like a phone call or text message (and certainly not in the email used to send the document).

It has now reached the point where all attorneys should generally understand encryption and have encryption available for use in appropriate circumstances.

Some Basic Security Tools

In addition to authentication and encryption, the 2017 Survey asks about security tools that are available to responding attorneys. Most, if not all, of these tools are security basics that should be used by all attorneys and law firms.

The most common tool is the spam filter, used by 87% of respondents. This may be under-reported because most email service providers have at least basic spam filters. Spam filters can be a strong first line of defense against phishing (malicious emails that try to steal information or plant malware). Filters are only part of the defense that weeds out some phishing emails but are an important first step.

Other tools with high reported use include anti-spyware (79%), software-based firewalls (77%), and antivirus for desktops/laptops (70%), for email (69%), and for networks (64%). Use of intrusion detection and prevention systems is reported by 35% of respondents overall. There has been a growing trend for a number of years to use security suites that combine some of these tools like malware protection, spyware protection, software firewalls, and basic intrusion protection in a single tool. Availability of the various security tools is generally stable across firms of all sizes, with increases for a few of them with the size of the firm. For all of these security tools, the use by firms should be 100%. There is a generally low incidence of “don’t know” responses for these tools—about 8% overall.

Remote Access

95% of respondents reported that they remotely access work assets other than email, like applications and files; this is consistent with today’s mobile practice of law. They report using the following security measures: virtual private networks (VPNs) (40%), web-based applications (38%), remote access software (37%), and other (11%). Security for remote access is critical because it can provide unauthorized access for outsiders if it is not properly secured with an encrypted communication connection and strong authentication. There is a growing practice of using multifactor authentication or two-step verification for authentication in remote access. It requires a second method of authentication, in addition to a password, like a set of numbers transmitted to a smartphone or generated by an app. Multiple inexpensive and easy-to-use options are available.

Wireless Networks

Public wireless (WiFi) networks present a high security risk, particularly if they are open, that is, not requiring a password for connection. Without appropriate security measures, others connected to the network, both authorized users and attackers, may be able to intercept or view data and electronic communications transmitted over the network. The 2017 Survey asks about security measures that attorneys use when accessing public wireless networks. 25% report that they do not use public wireless networks. Overall, 38% report that they use virtual private networks (VPN) (a technology that provides an encrypted tunnel over the internet or another network), 25% report that they use remote access software, 13% report that they use website-provided SSL/HTTPS encryption, and 3% report using other security measures. The remaining 16% are living dangerously, reporting that they use none of the security measures.

Cell carriers’ data networks generally provide stronger security than public WiFi, either with access built into a smartphone, tablet, or laptop or using a smartphone or tablet as a personal hotspot.

Up-to-date equipment and secure configuration (using encryption) are also important for law firm and home wireless networks.

Disaster Recovery/Business Continuity

Threats to the availability of data can range from failure of a single piece of equipment to a major disaster like a fire or hurricane. An increasing threat to attorneys and law firms of all sizes is ransomware, generally spread through phishing. It encrypts data and releases the means of decryption only upon payment of a ransom in Bitcoin. Effective backup that is isolated from production networks can provide timely recovery from ransomware.

Overall, 14% of respondents report that their firm had experienced a natural or man-made disaster, like a fire or flood. The highest incidence was 20% in firms of 50-99 and firms of 500+. The lowest reported incidence was for solos at 10%, and the rest were between these numbers. Disasters of this kind can put a firm out of business—temporarily or permanently. Although they come from a relatively low number of respondents, these positive responses and the potentially devastating results demonstrate the importance for law firms of all sizes of being prepared to respond and recover.

Despite this clear need, only 42% overall of responding attorneys report that their firms have a disaster recovery/business continuity plan. The share of firms with a plan generally increases with the size of the firm, from 25% of solos to about 71% of firms with 100+. As with comprehensive security programs, all law firms should have a disaster recovery/business continuity plan, appropriately scaled to their size.

In the equipment failure area, 32% of respondents reported that their firm experienced a hard drive failure, while 38% reported that they did not. The remainder reported that they do not know, with the “don’t know” responses increasing by firm size. In firms of 500+, 85% responded that they don’t know. In firms of 100-499, it was 64%. It is very likely that most large firms have suffered multiple hard drive failures, just not known to the individual responding attorneys. Even limiting the analysis to known hard drive failures, they have impacted about one-third of respondents. That is a high risk, particularly considering the potential consequences; all attorneys and law firms should implement backup and recovery measures.

Backup is critical for business continuity, particularly with the current epidemic of ransomware. Fortunately, most firms report that they employ some form of backup. Only 9% report that they don’t back up their computer files, but that’s up from 2% last year. The most frequently reported form of backup is offsite backup (35%), followed by external hard drives (34%), online backup (31%), network attached storage (17%), USB (9%), RAID (7%), tape (6%), CDs (4%), and DVD (4%).

The 2017 Survey responses show that 48% of respondents back up once a day, 24% more than once a day, 12% weekly, 3% monthly, and 2% quarterly. 10% report that they don’t know, with unknowns generally increasing with firm size. Attorneys and firms that don’t back up on a daily basis, or more frequently, should reevaluate the risk in light of ransomware and the incidents reported in the 2017 Survey.

Conclusion

The 2017 Survey provides a good overview, with supporting details, of what attorneys and law firms are doing to protect information. As in the last several years, it generally shows increasing attention to security and increasing use of the covered safeguards, but it also demonstrates that there is still a lot of room for improvement. Attorneys and law firms that lag behind the reporting attorneys and firms on safeguards should evaluate their security posture to determine whether they need to do more to provide competent and reasonable safeguards. Those who are in the majority, or ahead of the curve, still need to review and update their security as new technology, threats, and available safeguards evolve over time. Effective security is an ongoing process, not a “set it and forget it” effort. All attorneys and law firms should have appropriate comprehensive security programs that include training, periodic review and updating, and constant security awareness.

David G. Ries

Counsel at Clark Hill PLC

David G. Ries is of counsel in the Pittsburgh, PA office of Clark Hill PLC where he practices in the areas of environmental, technology, and data protection law and litigation. For over 15 years, he has increasingly focused on cybersecurity, privacy, and information governance. He frequently lectures and writes nationally for legal, educational, and professional groups. He is a co-author of Locked Down: Practical Information Security for Attorneys, Second Edition (American Bar Association 2016) and Encryption Made Simple for Lawyers (American Bar Association 2015) and a contributing author to Information Security & Privacy: A Practical Guide for Global Executives, Lawyers and Technologists (American Bar Association 2011).