Best Security Practices for Law Firms

Law firms, which have traditionally shied away from being at the forefront of utilizing technology to alter their business and legal processes, are being forced to adapt. The legal industry is facing an uphill battle amid a fluctuating economy, savvier clients, tougher competition, and security threats. More importantly, navigating the market in a world where data has become the most valuable commodity, knowing how to manage and protect that data can mean the difference between failure or success.

Law firms have many hurdles concerning data that technology solutions can help them overcome -- the most important being the security of their clients’ private, personal data. Attorneys, as custodians of information, are entrusted with personal and highly confidential information in their daily practice. In this age of voluminous amounts of data, the efforts to manipulate, steal and exploit private and sensitive data are growing at an alarming and dangerous rate. One study estimates that more than 80 of the 100 highest grossing law firms in the United States have been hacked since 2011[1]. According to a 2020 survey conducted by the American Bar Association (ABA), 29 percent of law firms reported a security breach and 36 percent reported past malware infections in their systems.[2]

If a firm falls victim to the ever-growing amount of data breaches, it faces heavy financial losses due to downtime, loss of billable hours, destruction or theft of files, the time and cost in repairing all of the damage that resulted from the attack, and possible ransomware payments. Average ransomware payouts exceed $1 million, according to a recent report from the security company, CrowdStrike.[3] Furthermore, the toll the firm’s reputation will take will be an even bigger blow.

In addition to financial and reputational consequences, law firms have ethical and legal duties to protect their sensitive data. A lawyer’s duty of competence includes a duty to be competent not only in the law and its practice but also in technology. In fact, the majority of states haves rules in place that can hold firms liable for not taking reasonable steps to protect client data if it was impacted by a data breach. In Florida, for example, Florida Rule Civil Procedure 501.171(2), explains that a business, including a law firm, must take “reasonable measures to protect and secure data in electronic form containing person information,” and 501.171(9) adds that failing to protect and secure electronic, personal information shall be treated as an unfair or deceptive trade practice.[4]

As a result, cyber-risk evaluation and risk management have become urgent needs for law firms. The good news is that an improved cyber security plan can help to ensure that a firm’s clients’ information is secure, only available to designated persons, and protected on all devices. Here are some of the best security practices for law firms:

Immutable Backups

- Proper data backups are key, but they must be immutable, meaning they cannot be modified or deleted, only be aged out by a preset schedule or super admin.

- The platform used for immutable backups must be hardened, meaning the attack surface must be minimized by only allowing the individuals that need access.

Disaster Recovery Plan

- A disaster recovery plan must be in place.

- You must be able to answer the following questions:

(1) What happens to my data in the event of a disaster? (2) Where will the

data live? (3) How will employees access the data? (4) How can the company

continue to be productive with minimal downtime? (5) How long can the firm

sustain itself in a non-operational status? (RTO) (6) How much data can the

business afford to lose? (RPO)

- A comprehensive DR plan must be in place and executed at least once a year.

Offsite Backups

- Offsite backups are key in avoiding a Single Point of Failure

- Backup data must be stored offsite or at least replicated offsite.

- Explore options for offsite replication including companies such as Iron Mountain or cloud providers such as Amazon, Azure, and Google.

Hourly Snapshot Backups

- The proper technology must be in place to allow for easy snapshot backups.

- Snapshot backups allow for a Point in Time backup that can be easily recovered.

- Hourly snapshot backups can reduce your RPO from 24 hours to 1 hour.

Patch Management

- A comprehensive practice must be in place to ensure everything, including platform used for backups, are properly patched throughout the environment

- If servers and appliances are not patched, cyber criminals have a better attack surface to work with.

Encryption at Rest

- Encryption at rest means data sitting on storage systems or servers must be encrypted to protects the physical aspect of the storage systems and servers by making the data unreadable to anyone who tries to physically access it.

Encryption in Flight

- Encryption in flight (end-to-end encryption) is the practice of encrypting data as it is being accessed, which will make it unreadable if accessed by a middleman.

- An example is wireless communication, which should not be transmitted in Clear Text because it allows a middleman to easily listen in and gather all the data.

Basic Internal

Security Practices

- Become educated about where cyber security threats come from.

- Put policies in place that will force passwords to be changed on a regular basis, enforce hard-to-guess passwords, and remind users to use different login credentials for the firm than they do for personal accounts.

- Remind employees not to utilize public wi-fi signals when transmitting data.

- Administrators must practice having separate administrator accounts only for their administrative tasks.

- Administrative accounts must be disabled when not required.

- Require relevant training and education on basic security practices.

- Make sure the firm’s insurance policy includes cyber security liability insurance.

These best practices will help firms prevent security breaches as much as possible. However, law firms must make the decision to invest their time, effort and capital into cyber-security software, consultants and/or services that can help them implement and execute these practices. Constant monitoring and management of the firm’s sensitive data and access points to this data is essential to the continuing success of any cyber-risk plan. If you would like to turn on a trusted advisor to help you navigate through this complex world of cyber-security, feel free to reach out to Pro Logic Systems at info@prologicsystems.com to speak with our engineers and industry experts.

[1] https://www.americanbar.org/groups/law_practice/publications/techreport/2016/security/ [2]https://www.americanbar.org/groups/law_practice/publications/techreport/2020/cybersecurity/ [3]https://www.forbes.com/sites/forbestechcouncil/2021/03/12/ransomware-attackers-take-aim-at-law-firms/?sh=5cdd6794a13e [4] http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0500-0599/0501/Sections/0501.171.html

Authors:

Yohan Gomez & Allen Rodriguez

Pro Logic Systems