24 Jan Law Firm Information Security Policy
Law firms are one of the most attractive targets for cybercriminals. They have a treasure trove of information that has value and can be sold for financial gain. There is a high need for law firm information security policies. Whether it’s corporate secrets, business strategies, intellectual property or personally identifiable and payment information, there is a market for this information that can line the pockets of criminals. The high risk should elicit a serious response from law firms, especially given the ethical obligations they have to protect clients’ confidential information. Meeting these obligations by continually ensuring that efforts to secure information are effective in an threat environment that is evolving is especially challenging.
The FBI has issued warnings to law firms of the cybersecurity threats they face on multiple occasions and as recently as last year. In 2016, the FBI alerted international law firms of insider trading schemes that rely on information from law firm breaches. In December, federal prosecutors charged three Chinese citizens for hacking into law firm computers in 2014 and 2015 to steal information about deals and trade on it to the tune of $4 million.
Other sources confirm that law firms are at risk. A Cisco 2015 Annual Security Report lists law firms as the 7th highest industry target for hackers. The likelihood that a law firm would be a victim of a malware attack rose 50% that year. A 2015 ABA survey reveals that 1 in 4 law firms with more than 100 lawyers were victims of a data breach. Overall, an estimated 15% of law firms reported incidents of unauthorized access to computer files. That number has likely grown since 2015 and may well be higher since it’s believed that law firms under-report such incidents. In fact, some estimate that 80% of law firms have been hacked and the other 20% are lying or just don’t know about it yet.
Complicating efforts to protect client data is the increased reliance on mobile devices to conduct business. Ninety-one percent of lawyers report using smartphones to access work-related documents and information. Many of these devices are not secure, and 40 percent of lawyers risk data breaches by using public Wi-Fi. Only a little more than half report using a VPN connection some of the time.
In addition to ensuring lawyers are trained and using best law firm information security practices, law firms need to ensure their defenses are strong and they have a recovery plan. These efforts are important to existing clients as well as potential clients who want to know what steps firms are taking to protect sensitive data before entrusting them with theirs.
Want to learn more about cybersecurity policy, risks, and best practices? Our Education Center is a fantastic resource! And of course, we are always willing to have a conversation.