Law firms have become prime targets for hackers, as they hold much of the valuable data connected to Fortune 500 companies. M&A playbooks, settlement figures, communications, IP filings, and more for many companies can be found in even mid-sized law firms, ripe for the picking.
Under ABA Model Rule 1.6(c), protecting that data is a core ethical duty of law firms, but the sophistication of cyber attacks has made it more difficult in recent years without consistent updates.
The math works out pretty grim for law firms. The ABA’s 2023 Cybersecurity TechReport found 29 percent of surveyed firms experienced a breach, and another 19 percent were unaware whether they had been breached. Attackers know the detection gap is real, and they’re pricing their attacks accordingly.
The 2017 NotPetya attack on DLA Piper took the firm’s global email offline for four days. Fixing it required 15,000 hours of IT overtime to rebuild, not to mention the reputational damage. Firms like Kirkland & Ellis, K&L Gates, and Proskauer Rose have since disclosed incidents of their own. Attacks are now quite regular.
Often, the simplest route in for a hacker is human error, typically a phishing email. Maybe it’s a fake wire transfer instruction from a ‘client’, or a too-good-to-be-true real estate opportunity. Whatever the lure, the goal is to harvest credentials or information that can be used to break into your systems.
A ransomware attack is when hackers deploy malware that locks down your systems and/or encrypts your data so that you can no longer access it. Then they demand a ransom to give it back. It’s a very popular and successful attack strategy, and if you don’t pay up, the hackers can sell the data they copied on the dark web.
Beyond phishing, other forms of human error can also lead to breaches. A common one is someone accidentally taking privileged information home from the office, or, when working from home, transferring it to an insecure system.
With hybrid and remote work, new challenges have become more apparent, including home Wi-Fi networks and personal devices that are much harder for a firm to lock down.
Model Rule 1.6(c) requires lawyers to make reasonable efforts to prevent unauthorized disclosure of client information. ABA Formal Opinion 477R clarified that ‘reasonable efforts’ means a real cybersecurity program, not just a strong Wi-Fi password. GDPR, HIPAA, and client security questionnaires are also becoming a standard part of what compliance looks like.
Legal IT providers who specialize in law firms understand the workflow and can therefore better secure weak points. Law firms store and move a lot of sensitive data using matter-centric file structures, conflict checks, and document management systems like iManage or NetDocuments. A generic MSP won’t be able to navigate those systems nearly as effectively.
The fundamentals haven’t changed much. But the necessity of them has increased.
The first step is to inventory all the IT systems you have. That allows you to audit each of them and identify the attack surfaces and weak points.
Once identified, you can map your systems against ABA guidance for a foundational layer of protection. Then, state bar opinions and industry regulations related to your client base will likely provide a good basis for a second level of protection and compliance.
Once you’ve mapped out what compliance looks like for your area, you can pick an already recognized security structure as a template. The NIST Cybersecurity Framework or CIS Controls are solid options for law firms.
Even once your framework is set up, it’s important to maintain your security posture and stay up-to-date. Quarterly reviews with your IT partner are good practice.
What’s been happening recently? AI has been the big story in cybersecurity, giving attackers the ability to both find and exploit vulnerabilities faster than ever, which is pushing firms to review and harden their cybersecurity to higher standards. Zero-trust architectures are becoming more standard for stronger overall security, and security audits are being run more often.
Look for legal-specific IT experience, including familiarity with DMS platforms, references from other law firms, and after-hours support for critical times, such as during trial. Check whether they’ve handled a ransomware attack on a law firm and how that turned out.
Small to medium-sized law firms are increasingly targeted by hacking groups because of the value of the information they hold and their comparatively weak cybersecurity. Clients are more often asking law firms, rightly, how safe their data is with them. Get the fundamentals right and partner with specialists who understand legal workflows.
Firms hold privileged, high-value data and have ethical duties under ABA Model Rule 1.6(c) to protect it.
Specialized IT services for law firms. Standard legal IT support covers DMS platforms, matter-centric workflows, compliance, and security.
Start with MFA, endpoint protection, secure backups, staff training, and a tested incident response plan. Dedicated IT support is the next major step.
Business email compromise, ransomware, insider error, and cloud or remote work misconfigurations. Human error is often the source of the problem.