Taking some simple proactive steps to protect confidential information and to be prepared to respond…
Law firms are the new targets of cybercriminals. “Lawyers of every stripe and specialty tend to possess large quantities of their clients’ sensitive data and in many cases present a more desirable target than the clients themselves.” – National Law Journal
However, many law firms assume they will not be attacked because of their size, which is an incorrect assumption. “91% of cyber-attacks target small and medium-sized businesses & 60% of these businesses go out of business after a successful cyber-attack.” – Inc.com
Today, cybercriminals are targeting easier prey: regional and smaller companies. Law firms are particularly at risk because attackers perceive them as high-value targets. It is irrelevant whether the firm believes its data is of low value or is sufficiently protected; the attackers are motivated because they think breaching a law firm is easy, low risk, and potentially high value. Furthermore, the attackers assume (too often, correctly) that their victims have not sufficiently trained their staff. This means they only need to trick one person who is overworked and undertrained. For example, a “Free Amazon Gift Card” email is the bait, and when the recipient clicks the link, the malicious code begins silently exfiltrating the firm’s data. This simple and easy method is called a “phishing” attack. “90% of successful security breaches start with a phishing email.” – Forbes
Beyond a law firm’s duty to protect itself lies its duty to protect its clients, which includes:
- The Duty of Confidentiality – includes the client’s information
- The Duty of Competence – includes implementing sufficient cybersecurity measures
- The Duty to Supervise Staff and Third Parties – includes information technology providers
A law firm is the guardian of its clients’ confidential and valuable information, and when this duty is not upheld, the law firm may be held responsible. “Cybersecurity legal malpractice claims typically sound in negligence for failure to protect client confidential and personal data.” – American Bar Association
Every law firm must meet its duty of care and Identify, Protect, and Respond to a cyber-attack. To achieve this, a law firm cannot depend solely on its information technology services provider (“IT”). IT typically covers only one-third of real-world cybersecurity. The other two-thirds include executive leadership, policies, training, and insurance:
- Employee testing and training that will help your firm’s employees resist cyber-attacks such as email phishing scams.
- An Incident Response Plan, which will help your firm react to and recover from a cyber breach. This includes how to mitigate the attack damage, avoid liability issues, properly insure for recovery, and protect the firm’s brand.
- Closing policy and procedure gaps, which demonstrates a firm’s good-faith attempt to promote a secure environment.
- Avoiding wire transfer fraud scams, an increasingly common cybercrime in the US.
Learn more about cyber liability insurance today.