Results from the American Bar Association’s 2020 Cybersecurity report surveyed lawyers in private practice on a wide range of data-security topics including technology policies, security tools, breaches, malware, and data archiving. It particularly highlighted heightened concerns about security efficacy when law firms shut down offices and moved to a remote business model at the start of the Covid-19 pandemic.
As it turned out, these concerns proved justified: Reports of increased cyberattacks significantly impacted the legal industry during the pandemic, with widely publicized ransomware attacks striking several prominent firms, resulting in serious reputational damage and significant liability. There’s little doubt that other attacks occurred but did not become public.
Although firms may think they have appropriate protocols for cyberattack prevention and breach-response plans in place, data has shown that less than half of law firms participating in the ABA survey use even basic security tools like encryption, two-factor authentication, intrusion detection and prevention, or remote-device management protocols.
Assuming Responsibility for Law Firm Cyberattack Risk
As the ethical and practical imperatives for data security become clearer, some firms have adopted a stop-gap approach—purchasing insurance to mitigate financial exposure—while others are taking a wait-and-see approach, and the ABA survey reports only about a third of firms hold cyber liability insurance policies.
Although it’s wise to purchase insurance policies, they don’t prevent data breaches, nor do they protect a company from contractual or regulatory consequences.
Compounding poorly mitigated data-breach risk, many Big Law lawyers remain in the dark regarding security incidents at their firms. Whereas about three-quarters of survey respondents from firms with 50 lawyers or fewer report they are in the loop, nearly two-thirds of lawyers working in firms with 100 lawyers or more say they have no visibility into their firms’ data breaches.
Preventing Ransomware Attacks
Ransomware—a specific type of malware that infects devices and lets hackers encrypt or steal files and demand a financial payout for their return—presents a serious threat to law firms, which manage highly sensitive client data and typically maintain weak data-security protocols.
As ransomware threats continuously evolve, law firms are particularly vulnerable considering the nature of the sensitive client data—banking records, tax documents, and other private information. Law firm staff typically use multiple devices, presenting a significant volume of access points for hackers to infiltrate.
Concurrent with new apps and products flooding the legal industry, many firms are taking steps to migrate the software they use to the cloud, which compounds the complexity of managing data security.
Migrating to the Cloud for Next-Gen Security
Largely resulting from resistance to change, loss of control, and data security and compliance concerns, law firms have traditionally shied away from cloud services. Although protecting on-premises data presents a wide host of data-security challenges, including managing a multitude of firewalls and intrusion-detection software, many firms believe that it’s safer and less complicated than storing data in the cloud.
Firms rightfully worry about cybersecurity in the cloud generally and client contractual obligations specifically. Because outside counsel guidelines usually stipulate that client data must be stored in a specific fashion—which often entails keeping sensitive information in a firm-managed environment—firms are obligated to audit and update these contracts transparently before migrating client records to the cloud. For a large firm staring down thousands of contracts, it’s an onerous and expensive exercise.
Further, some clients may not be ready for the cloud, which forces decisions on whether a firm is willing and resourced to run two data-management systems.
Although advanced cloud models for risk and compliance incorporate key elements of secure computing by meeting or exceeding common regulatory requirements—and often provide a higher level of safety than on-premises deployment—the EU General Data Protection Regulation (GDPR) has generated renewed concerns about cloud storage for the legal industry.
Because the regulation itself is sweeping and amorphous—and penalties for violating privacy and security standards are substantial—GDPR compliance presents a daunting hurdle, particularly for small and midsize firms.
In addition to providing elevated security, cloud platforms automate identity management processes to ensure users are granted permissions only to the specific tools and data sets deemed necessary—which can be changed, disabled, or deleted when appropriate.
In contrast, when in-house IT teams handle identity management, it’s common to apply a one-size-fits-all security policy giving users access to all applications and obscuring unusual access patterns. Once hackers breach the firewall, they gain access to the full corporate network.
Leveraging Cloud Insights and Tools
Because cloud service providers’ reputations and business models rely on state-of-the-art data security, these vendors invest heavily in robust security teams and rapid platform updates. It’s a simple matter of scale: It’s impossible for a single firm to develop and execute the same breadth and depth of security and innovation protocols as a cloud service provider.
Cloud technologies save law firms money by eliminating not only the high cost of data storage but also the investment required to maintain and upgrade equipment. Because cloud solutions are subscription-based and scalable, firms enjoy the advantages of predictable expenses and automated updates.
Most cloud service providers have a wide range of clients. As a result, they may be subject to stringent regulatory requirements; many voluntarily adhere to industry best practices and guidelines, such as ISO 27001, which entail strict standards for building and maintaining data centers, as well as regular independent audit cycles to ensure compliance.
On a practical level, working with a well-vetted cloud service provider not only reduces the risk of a high-stakes breach, but also facilitates procuring applications, monitoring usage, and enforcing security protocols.
Navigating the Regulatory Environment
In the past, law-firm data breaches often went unreported—and possibly undetected. Now, all 50 states plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted security breach notification laws requiring businesses to inform affected parties when their personal information is breached.
Today, lawmakers continue to expand existing laws; 22 states strengthened security breach regulations in 2021, including shortening the window for firms to report breaches and requiring private-sector entities to report breaches to the attorney general or another state entity.
Very few law firms maintain the necessary IT infrastructure to inspect and curtail malicious traffic—which can require reverse-engineering code—or remediate potential damage.
Compounding the impact of this gap, the business implications of a large-scale security breach are especially devastating because of law firms’ contractual and compliance obligations. If a law firm experiences a data breach, it may lose clients that view the incident as a failure of the firm’s fiduciary and ethical responsibilities.
Protecting Your Firm from Risk Exposure
Survey data shows that cybersecurity remains a key challenge for law firms, and the sector finds itself increasingly targeted due to its wealth of sensitive data—and deep pockets. With representatives of nearly two-thirds of the 100 leading Big Law firms identifying cybersecurity threats as a key concern, it’s eye-opening that less than one-quarter of these firms employ a cybersecurity committee that reports into the party charged with governance.
Although many persist in the belief that in-house servers are more reliable and secure than cloud-based solutions, cloud storage offers strategic redundancies that both protect data durability and availability and prevent file loss due to equipment error, damage, or data breach. As threats become increasingly relentless and sophisticated, firms focused on long-term data security are embracing the protections afforded by the cloud.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Thomas Hadig is the company security officer at Intapp, where he served in IT and systems engineering roles for more than 17 years.
Robert Barrett is corporate legal counsel at Intapp. He has held business and legal roles at two Fortune 200 companies and currently focuses on global privacy in the software- and platform-as-a-service industry.