Cyberthreats, including phishing, hacked email accounts, leaks of sensitive data and ransomware, are a liability for every business with a digital presence. For lawyers, who deal with privileged client information and sensitive documents, the impact can be devastating. But how can firms effectively protect themselves against such attacks? According to the experts, preparation is key.

 

What connects a seemingly disparate list of law firms including DLA Piper, Cravath Swaine & Moore, Weil Gotshal & Manges, Panama-based offshore outfit Mossack Fonseca, and a small Philadelphia firm called Griesing Law? Answer: Regardless of size, location and reputation, they have fallen victim to security breaches. Indeed, DLA is itself regarded as one of the world’s leading law firms when it comes to cybersecurity.

A study from Microsoft and consulting firm Frost & Sullivan focusing on APAC revealed that a large organization operating in the region could incur a potential economic loss of $30 million as a result of cyber incidents – but the consequences are arguably even more severe for law firms.

Law firms sit atop piles of valuable information that is almost always digitized. While they have careful clauses and wording to protect lawyers, organizations and clients, a cyberattack can expose sensitive information in just a few seconds.

According to the American Bar Association, cyberattacks are now so prevalent, the thinking has shifted to be not “whether firms will be the victim of a cyber-attack, but a question of when and to what extent.” When firms do succumb to attacks, they face serious consequences including loss of billable hours, loss of information, the need to replace hardware and software, and of course, reputational damage.

Tanna Moore, president and CEO of Meritas, a global legal network of independent law firms, says that the information and clients that firms have access to make them “high-value targets of hackers and criminals.”

“Contrary to popular belief, rather than focusing on hacking a lawyer’s computer or the office server, cybercriminals often gain access to confidential client with simple phishing emails that compromise the lawyer and the firm,” Moore explains.

Dave Coughanour, director of security at K&L Gates, says the types of security flaws lawyers are most vulnerable to depend on the type of work being performed and the types of clients being supported. While different-sized firms will have specific security focuses, the platforms lawyers work on are something every practice should consider.

“The first item to understand is that you may well inherit any emails that your clients have. For example, an adversary may attack your firm directly to gather information on a client you represent or use your infrastructure as a jumping-off point to attack them since your addresses are likely trusted,” Coughanour says.

Another vulnerability, he says, is lawyers being “always on” and working on personal devices. “It is vitally important that sensitive information remains on systems controlled and defended by the firm. Allowing people to store attorney-client information on personally owned devices or in personally managed accounts is a data breach waiting to happen,” Coughanour warns.

Moore echoes this point, adding that mobile devices, social media and telecommuting also put attorneys or other law firm personnel at risk as the hacker’s access point, and that, to effectively prevent damage, a firm’s information security plan should “incorporate specific training and security policies to help ensure lawyers and staff are a strong line of defence, and not an easy access point for cybercriminals.”

MANY CONSEQUENCES

When a data breach does take place, there are many consequences firms must grapple with. “If a hacker successfully penetrates the confidential client data that is held by the firm, prospects, clients and employees may second guess the management and operations of the firm,” Moore says of the ramifications.

And once data breaches are made public, either by the media or by other means, the firm will be viewed differently. “Even if a firm quickly remedies the situation, the reputational damage may be long-lasting,” Moore says, as coverage and company reviews can continue to haunt firms’ reputations and continue to show up when clients research the firm. In severe cases, should stolen data compromise clients’ reputations, “the overall damage to the law firm involved may be fatal. The continued viability of the firm may not be possible,” Moore adds.

Clients, too, are beginning to weigh up firms’ cybersecurity savviness as an important part of their decision-making process. “Clients are increasingly asking to see the formal cybersecurity plans of their law firms, and many will only do business with firms that can demonstrate their cybersecurity. If firms can’t immediately provide this information, a client will likely question their reputation for best practices and operational excellence from the onset,” Moore says.

Preparation is essential in the face of cyberattacks, with experts advising that every firm should have an action plan in place, regularly audit and assess its security processes, and invest in IT support. But a truly effective response isn’t simply technical.

Coughanour says that, in addition to being prepared with an incident response plan, firms should also involve their general counsels, as “once an incident has developed into a full-blown breach, there is a myriad of legal risks that can arise out of technical decisions.” While there are technical components in breaches, he adds, there are many other aspects to consider, including public relations, internal communication, legal issues and business decisions.

While Moore concedes the odds are “high” that a law firm will experience a cybersecurity breach at some point, how firms respond to this can make a significant difference. “Don’t panic – employ the firm’s existing process for breach response and business continuity,” she says.

Moore adds that firms should follow “pre-planned” steps, which include “notification procedures for affected parties and the authorities’ activation of the crisis communications (PR) plan, and securing systems, taking steps to disconnect online connections such as the internet and remote access.” Communicating proactively and transparently with stakeholders is also important, she says.

 

To contact the editorial team, please email ALBEditor@thomsonreuters.com.
