Is Your Data Secure?
Nearly one in four law firms has experienced a data breach, according to a 2017 American Bar Association survey. The figure was 35 percent for firms with 10-49 attorneys. And because law firms are entrusted with a large amount of sensitive client information, clients are increasingly taking the lead and conducting security audits of the firms that represent them.
The risk is real, yet a quarter of the lawyers responding to the ABA survey said their firms had no plan for responding to a data breach.
Ensuring your firm’s data security can be a complex endeavor. As a first step, firms must install and maintain security measures such as firewalls and anti-malware and anti-virus software. But these relatively simple steps may not be enough to truly ensure data security. Unless your firm is large enough to have an IT staff experienced in data security issues, many experts recommend outsourcing security needs rather than attempting to configure a solution yourself.
Experts also recommend that law firms use encryption technology on servers, laptops, desktops and mobile devices. They advise firms to encrypt all client correspondence, and say that lawyers should refrain from using Gmail or other email programs from companies that admit to using personal information from emails.
Personal information such as Social Security numbers and credit card numbers is especially vulnerable to cyber attack because the perpetrators can use it to engage in identity theft. To guard against this, avoid collecting personal information such as Social Security numbers if it is not essential, and develop a document retention policy that destroys this type of information when it’s no longer needed.
The ABA recommends that law firms designate a chief security officer to oversee these efforts. Law firm employees should be trained on good data security procedures and on how to recognize and avoid emails that may contain security threats.
Law firms should also recognize that security threats can come from within the firm, not just from outsiders. Computers that contain personal client data should be locked down and secured with passwords that are changed frequently, since law firm personnel may also change. Educate employees in proper internet usage, and restrict access to sensitive files to trusted people who need to see them.
And all firms should have a data breach preparedness plan that will enable them to respond quickly if a breach does occur. This may help limit the size of the breach and minimize the harm to employees and clients, as well as any negative publicity.
Finally, consider purchasing cyber liability and data security insurance. These policies cover the costs of a data breach when personal information such as Social Security numbers and credit card numbers is stolen. They may cover such things as credit monitoring, notification costs, claims by state regulators, and losses resulting from identity theft.