Are you meeting your legal obligations to provide data security?
Data security is a requirement – not just best-practice – for every law firm. Ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients (ABA Model Rules 1.1 and 1.6 and Comments).
According to the ABA Techreport for 2018, 23% of respondents reported that their law firm had some sort of data breach. Although law firms used to think of getting hacked as something that might happen, it’s becoming less about IF it will happen and more about preparing for WHEN it does. It’s common for those who haven't been affected to put data security on the backburner… thinking a breach won’t happen to them.
But that approach is risky.
Lawyers are bound by law to protect client information, and there are other regulatory obligations that apply to sensitive data like health and financial information. You’re probably thinking that you didn’t become a lawyer to deal with data security, but it is essential to practicing law in this day and age. Luckily, you don’t have to do it alone.
Compliance simply requires lawyers to understand the gaps in their knowledge about security and then close them: learn enough to protect client information yourself, get qualified assistance, or, if necessary, both.
In this post, you’ll be presented with some questions to ask yourself about your law firm. These questions will help you identify your knowledge gap so you can get the necessary tech support to protect your clients and your firm.
1.) Where is your data stored, how is it accessed, and who can access it?
The first step in making sure you’re meeting your legal obligation to provide data security is to take inventory of the data you have and where it’s stored. Are you storing your data on a server in your office?
That may be a bigger risk than you think.
When you have the physical equipment that non-cloud software requires like a large server, the responsibility is on you to secure it, insure it, and back it up. This opens you and your law firm up to unnecessary risks.
What if something happens and your equipment gets damaged? What if someone forgets to update the operating system and an attacker hacks into your server and installs ransomware?
Securing, insuring, and backing up your physical equipment is going to require someone to take time away from their billable work to tackle tasks that don’t ultimately increase billable hours or improve your practice. In short, it’s a waste of time.
In the past, IT has required law firms to engage in a lot of non-productive tasks to keep systems up-to-date. Much of that work (patching, hardware maintenance, physical security of the server room) disappears when you move to cloud services, though not all of it: the accounts, the access controls, and the configuration of whatever you put in the cloud remain your responsibility. Why would you continue doing unnecessary tasks when there is a better, safer, more effective way that allows you to get back to what you do best?
When you evaluate how your data is accessed, consider whether or not you have the ability to revoke that access. If, for example, one of your lawyers takes a laptop home and it gets stolen, what does your tech allow you to do about it? Is the disk encrypted, can you wipe the device remotely, and can you cut off its access to email and documents? Do you have any third-party providers that have access to your data? Do you know how they are storing and securing it, and have you required them to take any specific steps?
There are many different ways an attacker could obtain access to your data, so it’s critical to keep track of who has access and what they have access to. Going through a data inventory process at least once per year, and recording who has access to which data, will help you identify the risks you have and spot access that should have been revoked.
2.) Do you have data that is subject to additional security and privacy requirements?
Certain types of data are subject to additional security and privacy requirements under law. For example, health-related data is protected by HIPAA and must be stored and handled in compliance with HIPAA rules. This is important to identify for both security and compliance needs. Compliance and security are not the same thing, so securing your data doesn’t necessarily mean that you’re in compliance with various information-specific regulations.
HIPAA requires you to perform additional compliance tasks, including analyzing your risk, determining the location and transmission procedures for all e-PHI (electronic protected health information), and providing administrative safeguards such as identifying a “security official” at your firm and performing employee training on how to properly handle e-PHI.
A good, if somewhat dense, overview of the requirements is available on the US Department of Health and Human Services site. You’ll want to make sure you can tick all the boxes.
3.) Do you have a written security program?
Some states require lawyers to have a Written Information Security Plan (or WISP), but even if your state doesn’t require it, we recommend creating one for your law firm. Hopefully, you’ll never need to use the breach response portion of your WISP, but it’s better to be prepared and know how to take action if something happens than to be totally caught off guard.
Your WISP should contain a data breach response policy that spells out, in detail, how the firm will respond to a breach, leak, or other data threat that compromises confidential information. This should include exactly what the firm will do and who is responsible for each step.
If you ever have a breach, you’ll be glad you have everything planned out, instead of having to make it all up on the fly while tensions and emotions are running high.
Your firm should also have a computer-use policy. This policy describes the rights and responsibilities of the firm’s computer (desktop or mobile) users…and any other computers used to access or store the firm’s confidential information.
4.) Are you educating your staff?
Many lawyers believe that cyber breaches happen as a result of hackers working hard to break their way into your law firm’s systems. This is untrue.
Why? Because usually, the hackers don’t have to work hard at all.
A widely cited industry figure is that 91% of successful data breaches begin with a phishing attack, which means that someone on your team is tricked into handing the attacker the keys to the castle, so the attacker doesn’t need to break in.
We partner with KnowBe4 to provide lawyers the cybersecurity awareness training required to prevent a phishing attack. KnowBe4 enables your team to make smarter security decisions by training them to understand the mechanisms of spam, phishing, spear phishing, malware, ransomware, and social engineering. Then, your team is taught how to apply this knowledge in their day-to-day job. Simply put, KnowBe4 helps you build a human firewall as your last (and best) line of defense.
Weak or reused passwords are also a huge issue.
Every person who has login credentials of any kind within your law firm needs to use strong, secure passwords. The problem is, many lawyers are still using passwords that are too easy to guess, like (spoiler alert!) “password”.
Even if lawyers use secure passwords, there is still the risk of those passwords being exposed if they use the same password for multiple websites. Let’s say, for example, Target has a breach and your employee has been using the same password they use for their work logins as they do at Target.
That password is no longer secure because it has been exposed. An attacker who obtains that breach data can try the same login credentials on your other systems, like your email (this is known as credential stuffing). If your employee uses the same password for Target as they do for their firm’s email account, all of your data has potentially been exposed to risk by that Target breach.
User education and a formal password policy are your best defense against insecure passwords. If you don’t already have a password policy for your law firm, create one that requires employees to use a unique password that they will not use anywhere else, give them a password manager so that is practical, and turn on multi-factor authentication wherever your systems support it so a leaked password alone is not enough to get in.
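As an added example (not code from the original post or from FeatherShark), the following Python script shows how a firm could enforce the "no known-breached passwords" part of such a policy without ever sending or storing the password itself. It mirrors the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords API: hash the password with SHA-1, send only the first five hex characters of the hash, and compare the remaining suffix locally against the suffixes returned. The breach corpus and the range responses below are constructed stand-ins so the script runs offline; the function names are this example's own.

```python
"""
Added example: checking a candidate password against a breached-password
corpus using the k-anonymity range scheme (hash prefix only leaves the machine).
The corpus and the 'range' responses are constructed here so it runs offline;
in production fetch_range() would call
GET https://api.pwnedpasswords.com/range/<prefix> instead.
"""
import hashlib

# Constructed stand-in for a breach corpus: password -> number of times seen.
# A real deployment never ships a plaintext list like this; it exists here only
# to generate realistic range responses for the example.
_CONSTRUCTED_BREACH_CORPUS = {
    "password": 3861493,
    "Summer2019!": 1250,
    "letmein": 201000,
}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Group (suffix, count) pairs by 5-char hash prefix, like the API's range files."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(_CONSTRUCTED_BREACH_CORPUS)


def fetch_range(prefix: str):
    """Stand-in for the network call; returns [(suffix, count), ...] for a prefix.
    Only the 5-character prefix ever leaves the client in the real protocol."""
    assert len(prefix) == 5, "only the 5-char prefix may be sent"
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    The full hash is compared locally, so neither the password nor its complete
    hash is disclosed to the lookup service."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in fetch(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def password_acceptable(password: str, min_length: int = 12):
    """Apply a simple policy: reject known-breached passwords, then enforce length.
    Returns (accepted, reason)."""
    seen = breach_count(password)
    if seen:
        return False, f"appears {seen} times in known breaches; choose another"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Summer2019!", "correct horse battery staple"):
        ok, why = password_acceptable(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({why})")
```

The check belongs at password-set time (new accounts, resets, and periodic review of existing hashes), and it complements rather than replaces multi-factor authentication: it stops the "same password as the Target breach" case, but not a password that leaks after it was set.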
Security Is A Process
Security is an ongoing process because as law firms get more secure, attackers find new ways to get access to the data you’re trying to protect. It’s easy to get carried away with cybersecurity measures and lock things down so tight that no one can get any work done.
FeatherShark can help you find the right balance between productivity and security.
We take a leaner, lighter, simpler strategy to cybersecurity that sets you up with a solid defense against the most common threats. That’s not to say that nothing will ever happen, and that’s exactly why it’s so crucial to have a good backup that is tested, kept separate from the systems it protects so ransomware can’t encrypt it too, and quick and easy to restore.
Will Your Team Take The Bait?
While you’re assessing the risks that exist in your law firm, why not put your team to the test to see how they’ll do in a real-world phishing test? We’ve partnered with KnowBe4 to offer law firms a free phishing security test. Click here to learn more and see how your team performs!
What Our Clients Have Said About Their Transitions to the Cloud with FeatherShark’s Help
“I know a lot of law firms have had problems letting go of tangible tech like servers. But FeatherShark has this motto to spend less money on hardware and invest in cloud options. And it’s absolutely worth doing…
I mean, everything that we have is now on the cloud. Having that is great because we can access our office anywhere on the planet. And FeatherShark made that happen for us.”
“Rather than making us spend more money on high-end items we didn’t need like our last IT firm, FeatherShark has better solutions…
Their idea is to simplify things and spend less money on hardware and instead invest in Cloud options.”
“It’s not unrealistic to say FeatherShark has had an impact in everything we do at our practice because they’ve helped us standardize our tech systems for email, calendars, data storage, management, and software by putting it into the Cloud…
Thanks to them, we’ve been able to run our firm 10X more efficiently.”
“Thanks to FeatherShark, I’d say we’re better technology-suited than a lot of other competitors our size because of the tech systems in the Cloud they’ve set up for us…”
Think a transition to cloud technology might be right for your law firm?
Then get started by scheduling a complimentary “fast track your law firm’s tech to the future” strategy session so we can discuss where you are now with your tech and explore opportunities to upgrade your firm to the Cloud. You can schedule your strategy session here.