Illegal in the legal realm: Cybersecurity and law firms

In the course of an organization's journey towards survival, growth and profits, the obligations that come with access to the latest technologies are often ignored. Technologies such as cloud computing, remote access, smartphones and USB drives fuel the efficiency and effectiveness of work, but they pose real threats too. The right to privacy and the duty of confidentiality are the two most compromised areas.

In the past, organizations and individuals worried mainly about hackers, but other players such as disgruntled employees, careless temps, and threats that pose as something they are not are very common nowadays. Any one of these problems can land in the lap of the attorneys. There are laws in place to deal with cybercrimes, but most of them cater to charges brought after the firm has gone through a breach.

Let’s ask this legitimate question: how prepared are law firms to deal with the legal problems relating to cybersecurity?

American Lawyers Media conducted a survey on the state of cybersecurity in the legal field. The reports say:

  • 90% of law firms had a formal security assessment in 2017, but one third of law firms were not comfortable with their cybersecurity readiness.
  • 48% of law firms had drills of their cybersecurity systems in 2019.

Why is cybersecurity important for law firms?

Clients entrust law firms with information such as trade secrets, financial reports and healthcare information. If there is a breach of trust, the client may sue the law firm for malpractice. The law does not regulate a firm’s cybersecurity practices, but it does give the client the right to sue the firm on account of any breach. Some clients require law firms to complete a detailed data security questionnaire, and a client may also send a due diligence team to inspect the firm’s technology and security.

A data breach or cyberattack can subject a law firm to a lawsuit, and some firms have also been sued because their security systems were not adequate to prevent a cyberattack. A law firm’s inability to protect client information can damage the firm’s reputation and result in huge losses.

How can a law firm become a victim of a cyberattack?

Phishing: A type of social engineering in which attackers trick users into disclosing personal and confidential information by getting them to click on links that arrive by email. The World Trademark Review 2019 stated that 32 phishing attacks occurred in law firms in a 3-month period from April to June 2019. Also, 52% of law firms have experienced some sort of cyberattack.

Data leakage and breaches: Insider threats, user errors or hackers can breach the privacy of the legal documents held in a firm’s systems. Someone within the firm who has easy access to information can cause accidental or malicious exposure, sabotaging the reputation of the law firm. Hacking is one of the most common types of data leak, with 40% of law firms experiencing hacking or unauthorized intrusion every year.

In March 2018, Duncan Lewis, a UK-based firm of solicitors, had its customer data broadcast on Twitter via a folder, costing it high-profile and high-net-worth clients. A similar thing happened with “The Panama Papers”: an offshore Panamanian law firm was forced to close in March 2018 after assessing the damage as irreversible, following the public leak of more than 11.5 trillion documents by an anonymous source.

Supply chain compromise: One of the biggest issues arises when a third-party supplier fails to adequately secure systems that hold sensitive data. Cybercriminals can obscure the transmission process and redirect the data elsewhere.

Ransomware: It is designed to infect a user’s computer via drive-by downloads, email attachments, malvertising, etc. A hacker identifies vulnerabilities within an application and exploits them by sending malware to the law firm’s systems, capturing clients’ confidential information.

Developing resistance

Large law firms can hire a chief information officer or cybersecurity experts to assess the firm’s vulnerabilities and prepare the actions needed in the event of a cyberattack. Mock attacks can be hosted, and the systems should be tested against the threats. Firms should have cybersecurity insurance. Law firms must appoint a crisis management team made up of information and communication experts, cybersecurity experts and a firm spokesperson to address the public in the event of any scandal. Independent freelance cybersecurity experts are much in demand this decade, brought in to assess the security of systems and databases.

According to Forbes, cybersecurity is very obviously a job sector of the future. Official estimates put job growth in the sector at 37% per year at least through 2022, and that is probably conservative.