If you have been keeping up with the legal news over the past few months, you will have seen that solicitors and other professional firms that fail to prepare for the increased risk of cyber-attacks will face fines. Recent reports have detailed how a high-profile criminal law firm has been handed a fine as a result of sensitive and confidential court documents being leaked on the dark web, and they won’t be the last.
It’s no surprise that law firms are a profitable target for all forms of cybercrime. The legal sector processes large volumes of valuable, sensitive data, ranging from personally identifiable information (PII) to intellectual property (IP) and business transactions.
Unfortunately, most legal companies’ cyber protection is inadequate. According to research conducted by the American Bar Association (ABA), 25% of respondents said their firms had had a data breach in the year 2021. A single event may invalidate years of hard work and harm client relationships in an instant, especially if sensitive data is leaked.
Law Firms have legal obligations to protect their clients’ information
Regulations for legal firms’ cyber security are becoming more stringent. An increasing number of laws govern data privacy, such as the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA). Failure to comply with these laws carries a significant risk. You might lose business, suffer six-figure fines, and even face prosecution if you don’t obey the regulations. In addition to legal compliance, you may even be ethically liable for enhancing your defence.
Lawyers should plan for the likelihood of an electronic breach or cyberattack, and understand how model rules apply when an event is found or suspected, according to Formal Opinion 483.
Model norms that may apply include an attorney’s competence, the safekeeping of property, communication with clients, and lawyer and nonlawyer control of law practices.
Why failing to prepare for cyber attacks matters for Law Firms
Cyber attacks were once simple, sporadic, and rarely made front-page news. For the most part, cyber criminals acted alone, breaking into systems for the sake of amusement or fame. However, they’ve rapidly progressed. There has been a continual stream of such attacks within the legal industry since the DLA Piper breach in 2017. With the coronavirus epidemic requiring lawyers to adjust to a remote work environment, experts warn that the data security incidents are simply the “tip of the iceberg” of such attacks.
In recent years, Seyfarth Shaw and Fragomen, Del Rey, Bernsen & Loewy acknowledged security breaches, including a malware attack that exposed clients’ personal information. Many of Seyfarth’s systems were temporarily shut down due to a ransomware assault, in which hackers locked victims out of networks and demanded money to regain access. The firm announced nine days later that it had recovered all essential systems from the malware attack and that no client or firm data had been accessed or taken.
Fragomen was not so fortunate. According to a data breach report filed with the California attorney general’s office, “an unauthorised third party” obtained access to a file holding Google employees’ I-9-related employment eligibility data, but the firm did not say how the data was acquired.
Another notable attack was the Panama Papers, where in April 2016 approximately 11 million electronic files from the Panama law firm Mossack Fonseca were made public. In 2017, the Paradise Papers controversy broke, resulting in the public release of more than 13 million documents, many of which came from the Bermuda legal firm Appleby and allied service firms.
With all this in mind, it is clear that attackers have become more organised, with greater skill and speed. Fortune 500 corporations are no longer the only ones at risk; everyone is, including law firms like yours, which in many large corporate deals are the middlemen holding all the information and so are often the prime targets.
You have a duty of care to your clients
Attorneys have ethical and legal obligations to take competent and reasonable steps to secure client information, as well as contractual and regulatory obligations to preserve sensitive information. An example of this coming into play recently was in March 2022, when a law firm in England was fined around £100,000 by the Information Commissioner’s Office (ICO) for failing to protect and secure personal data. These responsibilities are difficult for attorneys who utilise technology because most are not technologists and lack security training and experience.
In the legal profession, trust is crucial. A security breach will jeopardise your company’s brand and integrity. If you lose intellectual property or other secret information, your current clients will seek counsel elsewhere. Before signing a contract, prospects will examine your cyber security posture. Defensive flaws could spell the difference between landing a lucrative contract and missing out on a significant opportunity to a competitor firm.
Lawyers should consider creating an incident response plan ahead of time, complete with precise plans and processes for dealing with a data breach. Before a lawyer is caught up in an actual breach, he or she should be trained on how to adopt the law firm’s plan and should become competent in the content of the plan and in the steps taken to train and prepare for its implementation.
While lawyers have their own set of rules, they are only required to operate in the best interests of their clients. And by ‘best interests,’ we mean the client’s best legal interests, while ensuring actions are always ethical and carried out with the highest levels of confidentiality.
Protect what matters most
It’s important to consider cyber security as a whole. To safeguard your workers, clients, and data, you need a comprehensive picture of the complete IT environment – networks, cloud services, the firm’s communications, devices, and remote users.
Many firms have subpar information security practices and procedures. In addition, many legal firms place a premium on unhindered productivity, which can lead to end users engaging in risky information security behaviours. End users, i.e. lawyers and their assistants, have been affected, and the risks connected with working from home have added to the mix.
The legal industry has significant privacy challenges as a result of mobile communications. Client-attorney privileged conversations, private merger/acquisition details, and legal strategy are just a few examples of intercepted mobile communications that have been exploited to the hackers’ benefit.
Lawyers must be able to advise their clients appropriately on the risks to confidentiality versus the convenience benefits of various forms of electronic communication. Using a secure communications system such as Salt Communications allows lawyers to discuss sensitive information about their clients’ legal matters at all times, wherever they are in the world. Using secure communications demonstrates that client confidentiality is of fundamental importance to your firm and your client’s dedicated lawyer. It protects the firm, the client and their conversations.
To discuss this article in greater detail with the team, or to sign up for a free trial of Salt Communications, contact us at info@saltcommunications.com or visit our website at https://saltcommunications.com/legal/.
About Salt Communications
Salt Communications is a multi-award-winning cyber security company providing a fully enterprise-managed software solution giving absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest of security standards. Salt Communications offers ‘Peace of Mind’ for organisations that value their privacy, by giving them complete control and secure communications, to protect their trusted relationships and stay safe. Salt Communications is headquartered in Belfast, N. Ireland. For more information, visit Salt Communications.