The unthinkable has happened. A security breach at your law firm. Now what?
Your firm will need to take immediate, decisive action in response to the security breach. There are certain best practices to follow for those first steps. Even better, the firm can have planning in place for cybersecurity incidents. And as a law firm, you will have certain legal and ethical obligations to consider as well. We explore all of these points below.
Law firms should be aware of security risks and potential attacks
Law firms need to be prepared for security breaches because they are primary targets for cybercriminals. The legal profession is unique in handling so many valuable documents containing private client information and relating to numerous business transactions. By accessing those confidential and sensitive documents, hackers can seek to extort their law firm victims.
One common form of a security breach is a ransomware attack. Ransomware is a type of malicious file (malware) that can hijack a network or device so that the attackers can demand payment of a ransom in exchange for returning data or access to the victim. Ransomware attacks against law firms are on the rise. And more top firms have been attacked since DLA Piper was the first prominent firm to suffer a malware attack in 2017.
Another common form of cyberattack is phishing, where a hacker sends emails attempting to trick recipients into providing confidential information. A common tactic is to convince the recipient to click on an internet link to enter data, an approach closely tied to malware, since a 2017 study found that 51% of phishing attacks involve malware.
What to do in response to a security breach?
The best way to prepare for a potential security breach is to have an incident response plan (IRP) in place. An IRP details how an organization will respond to a data breach or cyberattack. By looking at the common elements of IRPs for law firms, we can see the initial steps a firm should take in response to cyberattacks.
Your IRP needs to be customized for your firm, large or small, and its unique types of data and network infrastructure. However, there are some essential elements of IRPs common to all firms.
Establish an incident response team
The incident response team (IRT) consists of the internal personnel designated to deal with the security breach and follow the IRP. All member roles and responsibilities should be spelled out and a communication plan put in place.
Identify the extent of the security breach
Determine the extent of the breach by identifying the data that has been compromised or potentially compromised.
Containment and recovery
Move quickly to secure your operations and fix any vulnerabilities. Also, take immediate steps to recover any lost data, when possible.
Consult with outside counsel and experts
One of the external experts you will likely need is an outside data breach attorney, who can provide guidance to the IRT and establish attorney-client privilege over communications relating to your firm’s investigation of the breach. Another necessary expert is a digital forensics consultant, who can investigate the breach and resolve the security issue.
Notify insurance providers
After ensuring your firm has insurance coverage in place for security breaches, notify any insurance providers once the breach is discovered.
Contact law enforcement
This is an essential step for a criminal matter such as cyber hacking. Even if you’re not sure what law enforcement can do about it, as with any crime, be sure to report it.
Notification of clients and third parties
Although your firm understandably may not want to disclose the security breach to any party it is not required to, it still has legal and ethical reporting requirements, discussed below.
Other remedial and preventive measures
A variety of other measures may need to be taken, including (1) identifying and preserving logs of information systems, intrusion detection, or data loss, (2) notifying the firm’s bank if any banking credentials have been compromised, (3) notifying firm employees, or (4) retaining a crisis communications consultant if the breach becomes public.
Ultimately, your firm should be able to retain some lessons learned from the breach and incorporate those lessons into your IRP.
Other duties unique to the legal profession
When it comes to security breaches, the most definitive statement of universal ethical duties for attorneys is set forth in ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack”, issued in 2018. Regarding safeguarding data and responding to breaches, the opinion generally provides that attorneys have duties to (1) monitor for breaches, (2) stop breaches when they occur, (3) restore systems, and (4) determine the cause of any breaches.
In California, the state bar’s Opinion No. 2020-203 provides that the firm must conduct a reasonable inquiry to determine the extent and consequences of the breach, as well as notify “any client whose interests have a reasonable possibility of being negatively impacted by the breach.” These requirements are consistent with the legal ethics rules of both the ABA and the state of Maine.
Attorneys also owe common law and contractual duties to clients regarding confidential communication and safeguarding data. Contractual duties to protect data are common in highly regulated industries, such as finance and healthcare. State and federal regulations may also require safeguards for confidential information about employees, clients, and witnesses.
No matter the nature of your firm’s security breach, these immediate steps will help you know how to jump into action in the unfortunate event of an attack on your firm.