If a client’s information is exposed in a data breach, and the firm does not have a data security plan, the firm is arguably violating both rules. Therefore, data security is integral to the attorney-client relationship.
Cybersecurity Protocol
Law firms should develop a robust cybersecurity protocol, emphasizing threat prevention and threat response to protect the attorney-client relationship, privileged material, and other sensitive information relating to their clients and the firm itself.
Law firms can employ in-house cybersecurity teams to manage their data privacy or outsource such tasks to a managed services provider. Either way, to meet their responsibility of core competence, law firms must have a team of experts who are up-to-date with the latest knowledge and tools to protect sensitive information.
This is especially true as law firms are entrusted with many categories of sensitive data, including:
- Client Information—names, contact details, social security numbers, and other personal identifying information.
- Case Details—attorney work product, privileged information, communication between parties, and the general record of the case.
- Financial Transactions—banking information for the law firm and its clients.
- Law Firm Operational Data—information regarding system access and employee passwords.
Social Engineering
Expert advice is only part of the equation. Firm-wide education and training are critical to preventing attacks that exploit human tendencies and vulnerabilities rather than technical weaknesses. In cybersecurity circles, the term “social engineering” refers to the exploitation of human psychology to facilitate a technical breach. While rapid advances in modern technology enable stronger security protections, the same advances give bad actors more potential avenues of ingress into sensitive data systems.
The proliferation of AI in recent years has allowed the creation of tools that exploit human weak points in a data security system. For example, attorneys may be wary of receiving a vague, clumsily written email from a colleague requesting help with a problem. But new technology includes AI programs that mimic a coworker's or superior’s voice, crafted from presentations available on the internet, or simply from audio/video posted on a social media profile. An attorney could receive a call from a bad actor using a voice program and believe they are receiving real-time instructions from their managing partner. Similarly, while internet conferencing software has advanced to the point where people are comfortable with online meetings and remote work, AI deepfakes will ultimately exploit that comfort at a potentially huge cost.
A thorough risk assessment helps identify potential system vulnerabilities and the sensitivity of the data housed in the system. Regularly updated education programs fortify firm staff against potential social engineering schemes. Firms should consider implementing the following effective cybersecurity precautions for their practice.
Data Privacy Protections
There are several established best practices that law firms should employ to mount a vigorous cybersecurity defense.
Create and Implement a Data Security Policy
The policy should outline the roles, responsibilities, and protocols of those individuals falling within its ambit and include the specific steps necessary to implement these rules.
Train Staff on Mitigating Data Risk
Entities should conduct training sessions to ensure everyone understands both the policy and their individual responsibility pursuant to it. Many data breaches begin with a human decision, whether clicking a phishing email or trusting a spoofed identity. The rise in artificial intelligence programs and the development of “deepfake” technology means that employees must be aware of and vigilant against myriad deceptions meticulously crafted to gain entry into sensitive data systems. An enterprise's cybersecurity is the collective responsibility of everyone working there.
Encrypt Data
Encryption converts data into an unreadable form that can be restored only with the correct key, preventing unauthorized access. Data transmitted through email or secure file transfer protocol should be encrypted so that inadvertent recipients or malicious actors cannot immediately read the data once they possess the transmittal. Similarly, encryption passwords should be transmitted under separate cover, through a different channel than the encrypted material itself. Beyond this, law firms should implement multi-factor authentication on all firm devices to ensure an extra layer of access control.
Conduct Regular Reviews to Identify Weaknesses in the Law Firm’s Data Security
Such reviews should cover both technical weaknesses and human factors, and they are essential for staying ahead of new threats. In addition, regular software updates and patching are absolutely necessary to stay ahead of threat actors working to exploit holes identified in older software.
A Robust Data Protection Plan Is Essential
A robust data protection plan in conjunction with regular employee training is non-negotiable. Implementing both is essential to protecting the attorney-client relationship and is key to satisfying an attorney’s baseline ethical responsibility. Technological advances have opened the horizon in the practice of law. Tools will soon be flooding the market with the promise of making all of our jobs easier. On the flip side of the coin, the same technologies will be used by bad actors to gain access to information or hold it hostage. Attorney education around this technology is critical to twenty-first-century law practice.