
What to do if your firm is part of a data breach


One of the biggest dangers in the modern digital world is the risk of a data breach. Unfortunately for the legal industry, law firms are some of the biggest targets for cyberattacks and data leaks.

While firms need to understand how to protect themselves from these breaches, you also need to know how to respond when one does occur. The reality is that you will probably deal with a breach at least once in your career, however many precautions you take.

What if your firm is part of a data breach? As a legal professional, you may feel out of your depth in dealing with such a tech-focused matter. But the truth is that you should be aware of the firm’s obligations and best practices for dealing with the breach.

Why law firms are at elevated risk of data breaches

The legal industry's exposure is illustrated by the recent California State Bar data breach, in which 250,000 confidential attorney discipline records were accessed and published on a public judicial records website.

Law firms are especially vulnerable to data leaks. In fact, 25% of respondents to the ABA’s 2021 Legal Technology Survey Report stated their firms had suffered data breaches at some point.

There are several reasons the legal industry is so heavily targeted.

Law firms make excellent targets for these cyberattacks. They hold a great deal of sensitive and valuable information.

Attorneys are ethically obligated to protect this information, which may make them more likely to pay ransoms in ransomware attacks (even though paying guarantees neither that the decryption tool works nor that stolen data is actually deleted).

And legal professionals — especially attorneys — do not tend to be tech-savvy, which increases their vulnerability.

Types of cyberattacks leading to data breaches

There are numerous types of cyberattacks that can lead to law firm data breaches.

One of the most common is malware, a term that refers to any malicious form of software that harms or compromises a computer system.

Ransomware is a specific type of malware that encrypts or otherwise locks the firm's computers, systems or files, with the aim of extorting a ransom in exchange for restoring access. Most ransomware operators now also copy data before encrypting it and threaten to publish it, so a ransomware incident should be treated as a data breach even when backups make recovery possible.

Data breaches can also result from various forms of social engineering attacks. These attacks rely on human interactions to trick people into providing access or information.

One example is phishing, which uses electronic communications — emails, text messages, instant messaging, and so on — to lure recipients into entering login information or otherwise providing access.

Your firm’s legal and ethical obligations

Immediately after a data breach, a law firm must look to its legal and ethical obligations.

One guideline is ABA Formal Opinion 483 pertaining to lawyers’ obligations after an electronic data breach or cyberattack. Opinion 483 provides for the following general actions to be taken by a firm after a data breach:

  • Take reasonable and prompt actions to stop the data breach and mitigate damages resulting from the breach
  • Make reasonable efforts to assess whether any electronic files were accessed, and to identify any such files
  • Provide notice of the breach to the firm’s current clients “to the extent reasonably necessary to permit the client to make informed decisions” regarding the firm’s representation of the client

Professional liability issues could also arise if a client claims it was not notified of the breach promptly.

Law firms may also be subject to statutory and regulatory requirements. For example, the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500) requires regulated financial institutions to impose cybersecurity requirements on their third-party service providers, which in practice means a firm representing such an institution must meet that client's standards. Every U.S. state also has a breach-notification statute, each with its own definition of covered personal information and its own notice deadlines, and the statute that applies is generally that of the affected individual's state of residence rather than the firm's.

Best practices for responding to data breaches

The following are some best practices for law firms seeking to contain the damage from data breaches.

Notify your cyber insurance carrier

One of the first steps to take is to notify the firm’s cyber insurance carrier.

Cyber insurance policies are meant to cover the costs of damage and recovery after a cyberattack, including business interruption losses, data recovery, system failure and ransomware response.

Even if the policy does not cover all losses (many carriers will not cover ransom payments, for example), the carrier can tell you the extent of coverage and recommend digital forensics firms. Many policies also require that the carrier be notified before the firm engages outside forensic or legal help, and that those vendors come from the carrier's approved panel, so a late notification can put coverage at risk.

Conduct a digital forensics analysis

Your firm should also engage an experienced digital forensics team to analyze the cyberattack, ideally through outside counsel so that the investigation's findings are protected by privilege where possible.

That team can paint a broad picture of the attack and help mitigate the risk of future attacks. They can establish the who, what, when, where, how and why: how a bad actor or piece of malware got into the system, what it touched, and whether data left the firm.

Until they arrive, preserve the evidence they will need: disconnect affected systems from the network rather than wiping or reimaging them, and keep server, firewall and email logs from being overwritten, since disk images and logs are what the timeline is built from.

The point here is less to lay blame on a certain individual, and more to understand the scope of the breach and prevent future ones.
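The Opinion 483 duty to "assess whether any electronic files were accessed, and to identify any such files" is, in practice, a question answered from audit logs. The script below is an added illustration of that scoping step (not code from the article or from InfoTrack): it assumes a hypothetical audit export with the columns timestamp,user,action,path,bytes, of the kind a file server or document-management system can produce, and the log lines, account name, matter numbers and breach window are all constructed. Given the compromised account and the window the forensics team established, it lists every file that account touched, flags the ones that were copied out, and derives the matter numbers whose clients may need notice.

```python
"""Scope a suspected breach from file-access audit events.

Added illustration, not code from the original article. It assumes a
hypothetical audit log export with the columns
timestamp,user,action,path,bytes; the log lines, account name, matter
numbers and breach window below are all constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export: one account reads and copies matter files
# at 22:14 on a weeknight, well outside its normal working hours.
SAMPLE_LOG = """\
timestamp,user,action,path,bytes
2024-03-04T08:55:12Z,jdoe,read,/matters/1042/engagement-letter.pdf,182004
2024-03-04T22:14:03Z,jdoe,read,/matters/1042/settlement-draft-v3.docx,94211
2024-03-04T22:14:09Z,jdoe,read,/matters/1042/client-financials.xlsx,2210987
2024-03-04T22:15:41Z,jdoe,copy,/matters/1042/client-financials.xlsx,2210987
2024-03-04T22:16:02Z,jdoe,read,/matters/2077/deposition-transcript.pdf,5512003
2024-03-04T22:16:30Z,jdoe,copy,/matters/2077/deposition-transcript.pdf,5512003
2024-03-05T09:02:11Z,asmith,read,/matters/2077/deposition-transcript.pdf,5512003
2024-03-05T09:30:00Z,jdoe,read,/admin/billing-q1.xlsx,401223
"""

# Actions that put a copy of the file somewhere the firm no longer controls.
EXFIL_ACTIONS = {"copy", "download", "email", "share"}

# Assumed triage findings: which account was compromised, and when.
COMPROMISED_USERS = {"jdoe"}
WINDOW_START = datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 5, 0, 0, tzinfo=timezone.utc)


def parse_events(text):
    """Parse the CSV export into a list of event dicts with UTC timestamps."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "user": row["user"],
            "action": row["action"],
            "path": row["path"],
            "bytes": int(row["bytes"]),
        })
    return events


def scope_breach(events, compromised_users, start, end):
    """Summarise every file a compromised account touched inside the window.

    Returns {path: {"first", "last", "actions", "bytes", "exfil_risk"}}.
    Events from other accounts, or outside the window, are ignored.
    """
    touched = {}
    for e in events:
        if e["user"] not in compromised_users or not (start <= e["ts"] <= end):
            continue
        entry = touched.setdefault(e["path"], {
            "first": e["ts"], "last": e["ts"], "actions": set(),
            "bytes": e["bytes"], "exfil_risk": False,
        })
        entry["first"] = min(entry["first"], e["ts"])
        entry["last"] = max(entry["last"], e["ts"])
        entry["actions"].add(e["action"])
        if e["action"] in EXFIL_ACTIONS:
            entry["exfil_risk"] = True
    return touched


def affected_matters(touched):
    """Matter numbers whose files were touched: the clients needing notice review.

    Assumes the hypothetical path layout /matters/<matter-number>/...
    """
    matters = set()
    for path in touched:
        parts = path.strip("/").split("/")
        if len(parts) >= 2 and parts[0] == "matters":
            matters.add(parts[1])
    return sorted(matters)


def run_example():
    """Run the scoping over the constructed log; returns (touched, matters)."""
    touched = scope_breach(parse_events(SAMPLE_LOG), COMPROMISED_USERS,
                           WINDOW_START, WINDOW_END)
    return touched, affected_matters(touched)


if __name__ == "__main__":
    touched, matters = run_example()
    for path, info in sorted(touched.items()):
        flag = "POSSIBLE EXFIL" if info["exfil_risk"] else "accessed"
        print(f"{flag:14} {path}  {sorted(info['actions'])}  "
              f"{info['first']:%Y-%m-%d %H:%M}Z..{info['last']:%H:%M}Z")
    print("matters needing client-notice review:", matters)
```

On the constructed log this reports three files touched, two of them copied out, and two matters (1042 and 2077) whose clients fall under the notice analysis; the 08:55 read and the next-morning billing access are outside the window and the other user's access is not the attacker's. The same shape of analysis applies to email, document-management and cloud-storage audit logs; what changes is only the parser and which actions count as exfiltration.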

Contact law enforcement

The regional FBI field office is generally the best law enforcement agency to notify in case of a cyberattack; a report can also be filed with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov.

While law enforcement may be able to pursue the perpetrators, do not rely on them to address the weaknesses that allowed the attack. The firm will have to fix those on its own.

Notify clients and other affected parties

In addition to clients affected by the breach, the firm should notify other affected parties such as the firm’s bank. The bank may need to reverse or flag any large transactions resulting from the breach.

Your firm may also need help with public relations, depending on the nature of the breach and any media exposure.

Have an incident response plan in place

Ultimately, there is no completely foolproof way to avoid data breaches.

Accordingly, your firm should have an incident response plan (IRP) in place. This plan is the set of tools, contacts and procedures your firm will use to respond quickly to any security incident or cyberattack.

Your firm's IRP should address how to identify and contain breaches, how to eradicate the threat and recover, and how to capture lessons learned for future attacks; this is the same lifecycle described in NIST Special Publication 800-61, a common reference for such plans. Keep a copy, including the contact details for your insurer, forensics firm and outside counsel, somewhere reachable when the firm's own systems are down, and rehearse it at least once a year.

Data breaches are an unfortunate reality of today’s legal world. But if you keep these best practices in mind, a cyberattack does not have to bring your firm to its knees.


  • Mike Robinson

    After a fifteen-year legal career in business and healthcare finance litigation, Mike Robinson now crafts compelling content that explores topics around technology, litigation, and process improvements in the legal industry.
