Many law firms and lawyers fail to focus on the fact that they hold clients’ personal, financial and personal health information, among other sensitive data. Oftentimes, firms also maintain clients’ confidential business information. Yet some do little, if anything, to ensure that such details are protected from theft by cyber criminals and/or rogue employees, or even simple staff negligence. It is not that they ignore the associated risks and exposures. Rather, they typically are too busy to think about it. But they should. Whether it comes down to blissful ignorance, penny-wise and pound-foolish thinking, neglect or hypocrisy, many attorneys are not taking the steps necessary to protect themselves—or their clients.
Small- and medium-size firms are not insulated from experiencing the theft or loss of clients’ confidential information; they are as much at risk as, if not more at risk than, larger firms that hold a greater amount of clients’ (and their own) sensitive information. Indeed, cyber thieves know that small and medium firms are far easier targets than larger firms that use the latest state-of-the-art security processes and procedures. In other words, small and medium firms are low-hanging fruit. According to Chairman Steve Chabot of the House of Representatives Small Business Committee, 71 percent of cyber-attacks occur at businesses with fewer than 100 employees.
An October 2017 study from VIPRE Security puts a fine point on the problem. VIPRE reported that 66 percent of small- to medium-size businesses indicated that they would either go out of business completely or be forced to shut down for at least a day following a cyber breach.