Partners in Regulatory Compliance provides an array of cybersecurity services to law firms in the greater New York Tri-State area.
While the FBI issued a warning to large law firms in March of 2016 that hackers were targeting their confidential client information,1 it was a very public ransomware attack on one of the world’s largest firms a year later that alarmed the entire community.2 The breach at DLA Piper, an organization with lawyers in over 40 countries, forced the firm’s leadership to shut down its entire U.S. IT infrastructure for days, costing the firm 15,000 hours of overtime pay and countless other undisclosed expenses in addition to significant lost productivity.3
It was a watershed moment, highlighting that law firms that fail to react to this high-profile cautionary tale are in jeopardy of being next, particularly since 22% of the 4,000-plus respondents to the 2017 ABA Legal Technology Survey experienced a data breach in 2017, up from 14% in 2016.4
Lawyers were even forewarned about the importance of adapting to a digital era in the summer of 2012 when the American Bar Association approved a change to the Model Rules of Professional Conduct supplementing one’s duty to be competent in the practice of law with an understanding of the benefits and risks associated with technology.5 While only 35 states have formally adopted that obligation, the pace of adoption seems to be increasing.6 Two states – Florida and North Carolina – now also require continuing legal education in technology.7
The lack of universal interest in this type of mandatory CLE is a concern since cybersecurity experts have repeatedly recommended that law firms train their professionals on the basics of security, particularly on the nuances of phishing vulnerabilities and deceptive email scams, as well as how to avoid using unprotected public wireless networks in airports and coffee shops.
They have also encouraged professionals to properly evaluate and audit critical third-party vendors in light of the DLA Piper hack, which originated through an overseas supplier, and to leverage the cloud with caution given the current body of ethics guidance focusing on the use and selection of a cloud provider. Data encryption, stronger passwords, and improved disaster recovery plans are also easy ways to strengthen a firm’s security profile.
After all, clients expect their lawyers to employ all of these techniques since they know that cybercriminals are better, faster, and cheaper than their outside counsel. Cybercriminals also earn billions from stealing valuable documents from unsuspecting custodians, large or small. One breach could result in a loss of revenue and, even worse, a lack of trust.
Law firms face a triple threat in the current environment: (1) an ever-growing array of devices they need to protect and monitor; (2) an increase in the number of employees, who could become potential insider threats with legitimate network credentials and a penchant for mischief; and (3) a surprisingly gullible, unsophisticated workforce that could accidentally grant access to a dangerous criminal.
Failing to protect against all three dangers could slow client development, increase insurance premiums, erode existing client confidence, and invite regulatory scrutiny. It has been almost seven years since the ABA put lawyers on notice of the heightened interest in being tech-savvy and three years since the FBI provided fair warning about infrastructure vulnerabilities, but hackers know that they still have the upper hand.
For that reason, among others, law firms must implement industry-standard cybersecurity monitoring and threat detection. They also need to be prepared for in-depth audits and provide comprehensive cybersecurity training to their employees, including contractors with access to the networks. Otherwise, billing partners could be forced to make a few very awkward calls to their clients about a very embarrassing, and likely preventable, disclosure or data loss.
Contact us for a complimentary consultation with one of our New York-based law firm cybersecurity experts today.
5 Comment 8 to Model Rule 1.1 states: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”