In turn, the Ponemon Institute found that most small businesses have had to pay an average of $690,000 to mitigate the damage caused by a cyber attack. The figure increases to over $1 million for mid-market companies.
Regrettably, many small- to medium-sized law firms do not have (and many cannot afford) sophisticated and/or updated security procedures and policies, have not adequately trained their employees on data security, do not maintain dedicated information technology specialists, and/or may outsource information security to unqualified contractors or systems administrators. It’s a question of asset deployment. And where assets are limited, so too are the security protections and procedures in place.
Still, attorneys must always be mindful that they have a basic ethical obligation to protect clients’ confidential information. As technology has evolved, so too have the Rules of Professional Conduct been updated, obligating attorneys to keep up.
For example, the ABA’s Model Rules, Rule 1.6 in particular, impose a duty on lawyers to use reasonable efforts to prevent unauthorized access to client data and have incorporated provisions and added comments that address the advances of technology. The ABA has also published a Cybersecurity Handbook to help lawyers and law firms improve their information security programs.
Yet, many law firms still do not give cybersecurity its due. In this rapidly changing, interconnected world, their failure to do so is a significant, perhaps practice-threatening, mistake.
At a minimum, law firms should consider adopting the following basic practices and procedures to protect their clients’ confidential information and, with it, the vitality of their practices:
(1) Allocate a portion of your firm’s budget to IT and data security. In doing so, you should take into account the firm’s financial, human, and technical resources so that they can be deployed wisely.
(2) Appoint a knowledgeable firm attorney and/or retain outside counsel to assist your firm in developing cyber incident avoidance, loss mitigation and breach response plans, provide updates on legal developments, and report on significant and specific threats, risks and loss events affecting the legal sector.
(4) Retain and work with a computer forensic consultant to evaluate and, if necessary, assist your firm in ensuring that its technology-based security solutions are reasonable and appropriate to the nature and scope of its practice.
(5) Work with your firm’s advisors and human resources personnel to develop written cybersecurity policies and procedures, then train your attorneys and staff in their use and application. Law firms in particular have been the targets of phishing, ransomware, and email fraud.
(6) Perform periodic analyses of your firm’s security plans, procedures and systems to ensure that they are current and appropriate for your firm’s business and business sector.
(7) Periodically audit your firm’s administrative, technical and physical infrastructure, among other assets, to reaffirm that they are properly protected.
(8) Implement a protocol that requires senior management to receive and meaningfully review periodic reports on your firm’s current information and technical plans and procedures, security issues, and related matters.
(9) Work with counsel to develop templates and information security tools for use with vendors and third-party business partners, among others. Such documents could include non-disclosure agreements, business associate agreements under HIPAA, indemnity and insurance agreements, and other legal instruments intended to mitigate or avoid economic loss. These documents should be disseminated to all personnel with contracting authority, who also should receive training.
(10) Treat your firm’s clients’ and your own confidential personal and commercial information, “big data,” and other critical proprietary data with the same level of care and attention your firm devotes to the preservation and growth of other core assets.
These recommendations are simply the first steps toward properly securing the sensitive information of your firm’s clients, its employees and the firm itself. Still, they will go a long way toward protecting your firm from lawsuits and maintaining its reputation as one that clients can trust to safeguard their most critical resources.
Richard J. Bortnick is with Traub Lieberman Straus & Shrewsberry LLP, New Jersey.