Saturday, 9 May 2015

Getting Smart About Law Firm Cybersecurity

When attorneys or law practices suffer a cyberattack, the ramifications extend well beyond financial loss. Because attorneys and the firms they work for are subject to an additional set of rules and regulations requiring the protection of client confidences and secrets, the implications can be serious.

For many years, law firms appeared exempt from cyber risks because hackers usually targeted the law firms’ clients, such as banks, companies or individuals. But experts agree that law firms are the next big target for hackers. The reason: law firms possess valuable data about their clients, third parties, their own finances and their own employees, but they rarely have the same protections in place as a financial institution or others with sensitive information.

It is no surprise that cyberattacks against law firms are on the rise. According to the most recent data from the American Bar Association, approximately 80 percent of the 100 largest law firms in the United States have been successfully hacked. Data breaches in California alone grew by 600% in 2013, according to last year’s annual report from the state attorney general’s office. The ABA is considering a resolution that would encourage “all private and public sector organizations to develop, implement and maintain an appropriate security program.”

Cyber breaches also impact attorneys’ ethical obligations. In 2010, the State Bar of California issued an opinion addressing whether an attorney violated the duty of confidentiality by using technology that was susceptible to unauthorized access by third parties to transmit and store confidential information. The opinion addressed an attorney’s use of a personal laptop to access a public Wi-Fi network to conduct legal research and to communicate with the client via email over the public network.

The California Bar opinion concluded that: “An attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure. Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.”

There are things attorneys and law practices can do to address these risks. Here are some tips.

HAVE A PLAN

Like an ostrich with its head in the sand, most firms (especially smaller firms) simply ignore the risk until a breach occurs. Then it’s too late. Once a cyberattack has happened, it can be extremely difficult to identify what needs to be done first and to implement a comprehensive plan to manage the influx of information. Complicating all of this, law firms may have reporting obligations, depending on what information was accessed.

It is critical that a firm has a plan in place before an attack happens. This involves having a point person who would be in charge of the firm’s response upon a cyberattack. This person does not have to be from the IT department, but it is helpful to have someone who is knowledgeable about the firm’s duty of confidentiality and can converse with others about a technical response.

The point person is not in charge of formulating a response, however. Most firms will assign a committee—to be overseen by the point person—that is tasked with formulating a response plan to be implemented upon a cyberattack. It is important to have this plan in advance because there will be many distractions for the firm upon a cyber breach. Having a plan is good security.

Attorneys have a duty to maintain client confidentiality, which extends to client materials stored by the attorneys. Thus, attorneys have to be prepared not only to properly respond to a breach, but also to comply with their ethical obligations to safeguard materials.

PROTECT MOBILE TECHNOLOGY

The practice of law is in a new, wireless era. Attorneys can be connected to their offices through their mobile devices, laptops and tablets. With the swipe of a screen, an attorney can open confidential documents, send email from a firm email account, and retrieve confidential materials from a secure server. A hacker who controls that device has the ability to do the same thing.

Lost laptops and mobile devices create some of the highest, and most preventable, risks of a cyberattack. Once a hacker has a lost or stolen device, the entire firm is at his fingertips. The hacker can use a trusted email address—yours—to send malicious emails throughout your firm, or use your credentials to access a secure network.

The first thing law firms can do is require that any mobile device—whether a smartphone, laptop or tablet—be secured by a password. A laptop that can reach a firm’s internal network just by being turned on creates an unnecessary vulnerability.

Second, users of mobile technology should have the ability to wipe a device remotely.

Finally, professionals should keep track of their mobile devices. Report a missing device as soon as it is lost, rather than wait and hope it turns up. Be careful about lending a device that is connected to the firm’s systems.

KNOW YOUR SENSITIVE DATA

The mistake some law firms make is in assuming they do not have any information of value to hackers. However, hackers are targeting law practices because attorneys have access to their clients’ most confidential materials. This includes draft patent applications, business plans or information that could help a hacker navigate the market.

In addition, given the volume of materials produced in discovery in many litigations, a law practice could find that it has a stack of medical records belonging to a class, or the Social Security numbers of every employee of a client company.

It is not just client records or files that are at issue. Law firms store sensitive data relating to their own employees too. The key is to be aware of what the firm’s sensitive points are and to guard them effectively.
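Knowing where the sensitive material sits is the first step the section above calls for, and it is a step that can be automated. The following is an added example, not code from the article or from any firm or vendor it mentions: a small Python inventory script that scans a set of constructed sample documents (standing in for a discovery production, a draft patent and an office memo) and reports which files contain plausible Social Security numbers, medical-record markers or privilege markers, and how many. It assumes the documents are already plain text; the file names, contents and keyword lists are all constructed for illustration.

```python
"""Inventory sensitive data in a set of documents.

Added example, not from the article. The sample documents below are
constructed; the scanner reports *where* findings occur and how many,
without copying the matched values into the report, so the inventory
does not itself become another store of client secrets.
"""
import re
from collections import Counter

# Constructed sample documents (hypothetical paths and contents).
SAMPLE_DOCS = {
    "discovery/employee_roster.txt": (
        "Employee directory for Acme Widgets (produced in discovery)\n"
        "Jane Doe, SSN 123-45-6789, hired 2009\n"
        "John Roe, SSN 987-65-4321, hired 2012\n"   # 9xx area never issued as an SSN
        "Test record, SSN 000-12-3456 (placeholder)\n"  # 000 area never issued
    ),
    "discovery/plaintiff_medical.txt": (
        "Patient: R. Smith\nMRN: 44812\nDiagnosis: fractured wrist\n"
    ),
    "matters/patent_draft.txt": (
        "DRAFT patent application - confidential - not for distribution\n"
    ),
    "admin/lunch_menu.txt": "Tuesday: sandwiches. Call 555-1234 to RSVP.\n",
}

# Patterns: an SSN-shaped number, plus keyword markers for medical and privileged material.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MEDICAL_MARKERS = re.compile(r"\b(patient|diagnosis|mrn|medical record)\b", re.I)
PRIVILEGE_MARKERS = re.compile(r"\b(confidential|privileged|draft patent)\b", re.I)


def is_plausible_ssn(area, group, serial):
    """Reject combinations the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts down false positives from phone-like numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_document(text):
    """Return a Counter of finding types for one document.
    Only counts are kept; matched values are deliberately not stored."""
    findings = Counter()
    for area, group, serial in SSN_RE.findall(text):
        if is_plausible_ssn(area, group, serial):
            findings["ssn"] += 1
    findings["medical"] += len(MEDICAL_MARKERS.findall(text))
    findings["privileged"] += len(PRIVILEGE_MARKERS.findall(text))
    # Unary plus drops zero-count entries so clean categories do not clutter the report.
    return +findings


def build_inventory(docs):
    """Map each path that has at least one finding to its Counter; clean files are omitted."""
    inventory = {}
    for path, text in docs.items():
        findings = scan_document(text)
        if findings:
            inventory[path] = findings
    return inventory


def summarize(inventory):
    """Aggregate finding counts by type across the whole inventory."""
    total = Counter()
    for findings in inventory.values():
        total.update(findings)
    return total


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_DOCS)
    for path, findings in sorted(inv.items()):
        print(path, dict(findings))
    print("totals:", dict(summarize(inv)))
```

Run stand-alone, the script lists the roster (one plausible SSN; the 9xx and 000 numbers are rejected), the medical file (three markers) and the patent draft (two privilege markers), and omits the lunch menu. Reporting counts and locations rather than the matched values is a deliberate choice: the inventory is meant to tell the firm which folders and matters need stronger controls, not to collect the secrets in one more place.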

SCREEN VENDORS

Firms can sometimes do everything right but still have a cyber breach. Hackers target the path of least resistance to breach a target. Sometimes this happens through a third-party vendor, particularly if the vendor has access to the information of multiple law practices.

Remember, if a vendor has direct access into a firm’s network or databases, the firm’s defenses are only as good as those of the vendor.

This is a step that many firms overlook. Instead, they fortify their own defenses and forget the doors to which their vendors have a key. Prudent firms screen vendors to ensure that the vendors’ security is as substantial as the firms’ own.

HIRE EXPERIENCED PROFESSIONALS

Certainly, there are cyber professionals who know much about securing systems. And there are attorneys who are familiar with the ethical and legal obligations of attorneys. The key is to find and retain professionals at the intersection: experienced in both cybersecurity issues and attorney ethics and legal obligations. There is too much at risk to do anything less.
View the original content and more from this author here: http://ift.tt/1zNxYg9



from cyber security caucus http://ift.tt/1GVuPrW