Recent years have seen an explosive increase in cyberattacks against organizations, and law firms are no exception. Individual lawyers have become targets as well. This is an especially vexing problem for practitioners, given their ethical and professional obligations to protect client confidentiality — including data — and to stay up to date and competent on technology. Smaller firms and solo practitioners can be particularly vulnerable without an institutional IT infrastructure in place to monitor threats.
Brian E. Finch, author of the new treatise Cybersecurity Obligations for Attorneys: Confidential Information in the Age of Cyber Crime, from PLI Press, notes that small firms and individual lawyers face a host of cyber threats, from hackers gaining access to private systems, to ransomware attacks in which criminals extort organizations and hold their data hostage, to ongoing stealth monitoring of communications in order to gather sensitive information over time. All of these scenarios can spell disaster not only for a business, but also for lawyers professionally if they are found to have breached their duties of competency and of protecting clients.
For smaller entities, Finch observes, the consequences of a cyber breach are likely to be much more extensive. While a large firm may be able to absorb a six-figure loss or the exit of a few clients, these scenarios can prove financially ruinous to an independent small business.
The good news is that it’s possible for small firms and solo practitioners to manage these risks. Start with these basic steps:
Know your risk and obligations. Don’t assume that a smaller size makes your practice a less appealing target for cyber criminals, Finch says. In fact, smaller practices that focus on a specialized area, like trusts and estates or personal injury, can carry a wealth of sensitive data. It is important to stay up to date on the types of cyber crime affecting organizations in order to fulfill your obligations to protect your clients’ information.
Keep your systems updated — with caution. One common way hackers compromise IT systems is through fake security updates and other pop-ups that appear legitimate to the average user. Always use caution when receiving messages, whether via pop-ups or email, that ask you to click, Finch advises. At the same time, it’s critical to keep your systems current by applying security patches and updates. Don’t rely on older versions of technology, even if they are more comfortable to use — this increases your vulnerability to attacks, he adds.
Take advantage of information and training resources. Finch notes that the U.S. government makes resources and updates available to the public through the Department of Homeland Security, Federal Bureau of Investigation, and local law enforcement agencies. Also look for newsletters and other resources on cybersecurity offered by state bar associations. And don’t overlook training opportunities — with New York’s recent mandate for CLE in cybersecurity, privacy, and data collection, for instance, lawyers in that state will need to keep current with accredited programs.
Ask your vendors. Without a large IT team, it’s even more important for practitioners to familiarize themselves with the technology products they use and the support their vendors offer. Finch recommends asking any prospective providers, whether cloud-based services, document management, or other vendors, about their cybersecurity measures and what specific steps they take in the event of a breach or other incident.