Data Breaches at Law Firms: Is Human Recklessness the Weakest Link?

Judging by the catastrophic data breaches at so many top law firms lately (not to mention the rise of broad-scale data breaches across all industries), the legal industry’s security standards could use some upgrading. The ABA’s 2016 Legal Technology Survey reported that one-fourth of all large firms (500+ lawyers) have experienced data breaches. About 40 percent of these led to major business disruption and income losses.

Meanwhile, a study of US law firms conducted by the IT security company LogicForce found:

  • An average of 10,000 intrusions occur every day at law firms of all sizes
  • 66% of firms have reported a data breach
  • 40% of firms were breached without realizing it in 2016
  • 59% of all emails to law firms were classified as phishing or spam

The weakest link might not be any technological incapacity, but rather undisciplined human behavior vis-à-vis the technology. The LogicForce study revealed that 95 percent of assessed law firms failed to comply with their own data security policies, and 100 percent failed to comply with their clients’ policies. The pitfalls include overreliance on certain security measures without making sure the measures actually do work.

Physical media: Law firms religiously reformat data drives but then carelessly dispose of the physical “erased” objects. It is very possible to recover data from a formatted SSD, and that’s exactly what hackers will do once they get into that pile of supposedly “blank” media in the dumpster behind the office.

Encryption complacence: Firms confidently transmit and store sensitive but encrypted data on a network with many access points. But depending on the type of encryption used, data could be decrypted and exposed each time anybody accesses and manipulates it. Also, data that’s used in one service among a network of linked services might be exposed to all of those services. There are methods, like homomorphic encryption, that can help avoid this kind of exposure, but not all encryption does this. Another solution would be to use Full Disk Encryption (FDE) so that nothing is accidentally left unprotected.

Key and password management: The good news is that your IT folks created a complicated, 63-character, virtually unbreakable decryption key. The bad news is that, naturally, it’s tough to remember it every time you need access. So you write the key on a note and stick it on your computer. You just defeated the entire purpose of encryption.

Internet of Things: Because we live inside the IoT, anything can become a network entry point. A camera, a baby monitor, the DVR – things with weak security are easily hacked, thus rendering anything else hackable. In 2015, a smart refrigerator was used to hack an email account. If that happened to a lawyer working from home or taking her personal laptop or tablet (now infected via the home appliance) to a BYOD workplace, it would mean her firm’s network would be infected as soon as she logged in. To combat this, it is crucial to make sure we know all the entry points and either take some of them offline or make sure each device has strong security.

It’s an ongoing process. You can’t just implement some protective measures—no matter how thorough—and then just coast. Your IT demands (and the hackers’ cunning) will ultimately outgrow whatever fortress you built.
For further guidance, we recommend the best practices developed by Information Sharing and Analysis Centers in partnership with several departments of the U.S. federal government.

     Law Firm Cybersecurity Best Practices

At a minimum, every firm should periodically do the following:

  • Assess the risks; locate all vulnerable points.
  • Designate a person to be responsible for data security.
  • Consider getting (and rigorously vetting) an outside data security consultant.
  • Apply firewalls.
  • Use strong passwords, change passwords periodically, and use other access control procedures like multi-factor authentication.
  • Develop and enforce policies and procedures.
  • Provide training and develop a culture of cybersecurity awareness and “digital hygiene.”
  • Update software and implement patches.
  • Look to NIST (National Institute of Standards and Technology) publications for a cybersecurity framework.
  • Consider limiting access to certain resources (limit by user, access point, or type of traffic).
  • Limit BYOD.
  • Take some communications offline.

It’s important to remember that data security implicates lawyers’ professional ethics. The ABA’s Ethics committee recently advised that certain circumstances may require lawyers to use encryption or other heightened data security processes to protect clients’ confidential information. The lawyer must do a fact-based analysis of what’s needed—and also involve the client in the decision. The mandate flows from an interplay of the lawyer’s duty to preserve client confidences, duty to communicate, and duty of technological competence. Lawyers must keep up with technology and acquire any necessary expertise, either through education or through association with another professional who has the requisite knowledge and skills.