Law Firm Cybersecurity: How Small Firms Can Protect Their Information

With the rising number of cyber attacks, small firms must take reasonable precautions to protect their client data.

“Dear client, I am contacting you to notify you that my firm recently fell victim to a cyber attack. This data breach resulted in unauthorized access to your information.”

This is something you never want to have to say to a client. Not only will it ruin your relationship, but it will also put your entire practice at risk. Law firms that fail to adequately safeguard client information against hackers could face malpractice claims and suffer disciplinary action for not meeting ethical standards of care.

“That would never happen to me. No one is targeting a firm as small as mine.”

That is what many small firm lawyers think about cyber attacks. Yet, according to tech consultant Adriana Linares, 80% of law firms have been hacked, and the other 20% are either lying or don’t know about it.

Why law firms are at risk

In recent years, it has become easier for criminals to breach computer networks as a way to further their range of crimes, and data breaches are now almost a daily occurrence. Additionally, law firms are becoming an increasingly attractive target for cyber criminals.

Hackers can steal your client’s credit card numbers and email addresses that they could use for scams and unauthorized purchases. Corporate lawyers in small firms should be especially wary because hackers will seek information regarding mergers and acquisitions that could be used for insider trading. For lawyers in other practice areas, you never know what information cyber criminals can use to extort money through blackmail or sell on the black market.

In March 2016, Cravath Swaine & Moore LLP fell victim to a security breach that was likely for the purposes of insider trading. The law firm stated that “client confidentiality is sacrosanct,” and this breach could be potentially damaging to their reputation.

However, it’s not only big law firms who should worry about cybersecurity. Small firms that don’t take precautions are leaving themselves and their clients vulnerable. More than two-thirds of firms say they feel inadequately protected against sophisticated hackers.

In addition to protecting your current clients, taking the time to evaluate and improve your cybersecurity could be an opportunity to close new business. As these attacks become more common, clients will want to hire a firm that has taken data protection seriously and put defenses in place.

It’s unlikely small firms can afford to hire an internal IT manager and it may seem overwhelming to take on the task of implementing a cybersecurity policy on your own; however, here are simple steps you can take to protect your firm:

Use strong passwords and change them frequently

You should be changing all of your passwords every 30 days and make them as difficult to guess or randomly generate as possible. Many businesses rarely or never use complex passwords.

Not sure what makes passwords strong? Here are some tips:

• Make them longer than 15 characters.
• Use a variety of characters that would be difficult to guess, including numbers, upper and lower case letter and special characters, such as $, %, &, etc.
• Combine multiple words to create lengthier “pass phrases,” such as “Weebo_&-I_wEnt tO-$hoP!”
• Never use the same password for everything. You should have various passwords for each device and service you use.

Consider using a password manager to make sure your passwords are as strong as possible. Many of these softwares can be purchased at a low cost and it is a small investment to make to protect client information. Recommended password managers include 1Password and LastPass.

Enable two-factor authentication for websites you use

Unfortunately, creating a strong password isn’t enough to completely protect you. Once a hacker has that password, there is nothing to stop them from gaining access to your information unless you add a second layer of protection. That is where two-factor authentication comes into play.

Two-factor authentication will require you to enter your password as usual and will then send a code to your mobile device that you’ll be required to enter in order to gain access. Not all websites allow two-factor authentication; however, you should enable it wherever possible.

LifeHacker provides a pretty good list of websites that allow two-factor authentication, which includes many social media sites, cloud services and email providers an attorney would use. You can also install an app called Duo on your mobile device that helps secure other apps with two-factor authentication.

Encrypt your data

You may have heard the term “encryption” before, but aren’t sure what it means or how it applies to your law firm’s data security policy. It is basically a way for you to protect your sensitive information from hackers by locking it behind a security key or translating it into “gibberish” language called cipher.

Encryption can be used to secure your email, protect your cloud storage or even hide your entire operating system. You should take measures to encrypt all of your files and emails. The only time information should be unencrypted is when it is being used.

If you’re using law practice management software with a client portal, then there is a good chance your communication with clients is encrypted by default. The two most popular softwares used by attorneys, Clio and MyCase, do use some form of encryption. As long as your passwords are secure, cyber criminals won’t be able to access client files and communication being exchanged through the portal without your knowledge or permission.

For lawyers who don’t use a law practice management software to communicate with clients and store files, there are applications available that can make encryption easy. For email encryption, Enlock, Delivery Trust and Virtu are three optional plugins that work with Microsoft Outlook, several webmail services and iOS and Android mobile devices.

To protect your files, you can use an encrypted drive called BitLocker if you’re a Windows user or a full-disk encryption software called FileVault if you’re using a Mac.

Protect your personal devices

You’re probably on-the-go a lot, running from the office to client meetings to the courthouse, which means you try to get a lot of work done on your smartphone or tablet. Unfortunately, 3.1 million smartphones were stolen in 2013 alone. Although Apple is making an effort to combat these thefts with kill-switch technology, it’s still up to lawyers to take precautions to make sure their mobile devices are protected.

Always make sure your devices are password protected and look into using a mobile device management software to enable longer, complex passwords. You can also use 1Password to secure your mobile device with a strong password.

The benefit of using a full-service mobile device management software, such as Accellis, MobileIron or Sophos, is that these programs can wipe your device remotely and ensure that your smartphone data is encrypted. Many vendors also include GPS tracking and secure file sharing. Pricing varies, but most software is available for less than $100 per year.  

Keep showing clients that you take data seriously

These recommendations are a good start for small firms to improve their cybersecurity; however, you should stay up-to-date on best practices and develop an adequate response plan.

Make it clear to clients that you care about their security and share any new policies you’re implementing. If your clients know you’re actively working to keep their information safe, then they might be more understanding in the event something does happen.

There is no doubt that data breaches will put both your business and reputation at risk. You have an obligation to protect your client data, but it’s important to remember that nothing is ever certain. It might not be possible for you to completely avoid data breaches; however, you still need to take reasonable precautions.