Security Breach? Urgency for Law Firm Management to Assess Cyber Risks

Cybercrime. This one word is enough to send chills down any legal or IT professional’s spine, and it’s no wonder. The estimated annual cost to the global economy from cybercrime now exceeds $400 billion, according to a report from The Center for Strategic and International Studies and McAfee.

Cybersecurity should be a top priority for law firms of all sizes, especially in light of recent high-profile security breaches. The State of California now requires that its residents be notified when their “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” In addition, any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system needs to electronically submit a sample copy of the security breach notification (absent any personally identifiable information) to the Attorney General (California Civil Code s. 1798.29(a) and California Civil Code s. 1798.82(a)). The American Bar Association House of Delegates also is encouraging both private and public sector organizations to deploy robust cybersecurity programs.

A growing threat

According to law enforcement officials, law firms, in particular, are prime targets for cybercriminals. At the annual meeting of the ABA Cybersecurity Legal Task Force last August, cybercrime experts emphasized why lawyers must take cyber attacks seriously. During a presentation, “The Evolution of Cybersecurity and Planning for Response,” panelists discussed how law firms aren’t doing enough to protect their sensitive information against cyber threats and revealed the disturbing evolution of cybercrime. Panelist Sean Kanuck, national intelligence officer for cyber issues in the Office of the Director of National Intelligence, pointed out that not only is cybercrime on the rise, but the attacks are increasingly sophisticated and disruptive.

Preparation is critical

To protect their firm’s confidential data and reputation, IT and legal teams need to work together to ensure network defenses are keeping pace with these mounting threats.

“You need someone to keep watch over the issue, and it is much more than technology,” said session panelist Michael McGuire, CIO at Littler Mendelson, at the annual meeting of the ABA Cybersecurity Legal Task Force. “It involves technical controls, administrative controls and physical controls.”

McGuire added that some of these responsibilities are beyond the scope of many firms’ existing IT departments. After all, their focus may be more on ensuring technology is running properly so employees can accomplish their work than on information security.

As John Reed, senior executive director of Robert Half Technology, observes, the very tools that enable legal professionals to work more effectively, such as cloud computing and mobile devices, also are making law firm networks more vulnerable to data breaches. “So while law firms are upgrading outdated systems to become more efficient, they’re also strategically hiring data privacy officers and other specialists with strong backgrounds in document retention, security and records management to safeguard confidential information,” Reed says.

These highly specialized professionals constantly monitor an organization’s network and perform risk assessments to strengthen security and prevent potential threats to the firm’s network infrastructure. Such experts typically employ a layered approach to protecting paper and digital information, including management controls, restricted access, security software, and regular audits to ensure proper security procedures are being followed and all programs are effectively minimizing threats.

Additionally, defending against cybercrime should start at the top. Law firm management, including senior partners and administrators, work closely with their IT counterparts to manage the organization’s cybersecurity efforts on an ongoing basis, and they need to allocate sufficient resources to ensure effective protection against risk.

A single data breach can be costly to a law firm and cause irreparable damage to its brand and reputation. While no cybersecurity program can ensure 100 percent prevention of attacks, the goal is to minimize attacks and identify and resolve threats at lightning speed.

In the long run, the time and resources associated with taking a proactive approach to cybersecurity are well worth the expense and effort.