Mitigating cyber risks for law firms

Law firms are natural targets for cyber crimes. A 2012 cybersecurity report estimated that 80 percent of the 100 largest American law firms had suffered “some malicious computer breach” in 2011. Cisco Systems also noted in their 2015 Annual Security Report that law firms were the seventh most-vulnerable industry to “malware encounters.”

This is hardly surprising. Law firms have access to a wealth of privileged and sensitive client data, including information on M&A deals, patent applications, corporate strategies, intellectual property, and personally identifiable information (PII). They are also widely perceived as less technologically savvy than many of the industries they represent. FBI officials warned in 2012 that hackers view law firms as a back door to their more lucrative corporate targets. Firms with high-profile corporate or government clients are particularly vulnerable, as they have the potential to draw unwanted interest from nation-state actors. According to Shane Sims, a security practice director at PwC, “…we’ve seen targeted attacks against law firms…because hackers, including state sponsors, are realizing there’s economic intelligence in those networks especially related to business deals, mergers, and acquisitions.”

For law firms, the ramifications of data breaches go beyond the reputational or financial consequences normally suffered by private firms. Attorneys are subject to stringent ethical requirements to maintain client confidentiality and must undertake all reasonable efforts to protect privileged data. Securing this data has become all the more critical in an age when most of the information may now be stored, accessed, and exchanged online. Failure to implement adequate information security measures could expose a law firm to charges of malpractice or ethics violations. Acknowledging these changing realities, the American Bar Association and several state bars have highlighted the onus on law firms to be alert to ongoing cyber threats and implement the appropriate safeguards to protect against them.

A robust information security posture addresses not only a firm’s technical vulnerabilities, but also the human factors, insider threats, and operational gaps that pervade firms of every size. This is particularly true in the case of law firms, where everyone from senior partners and executives to summer interns and administrative staff may have access to client data. The most common cause of data breaches—accounting for 91 percent of initial hacking attempts—is phishing. Phishing is a form of social engineering that leads unsuspecting victims to supply access credentials or inadvertently infect their systems with malware. Poor access controls, unsecured public WiFi networks, and weak “Bring Your Own Device” policies are other common weaknesses that can quickly turn into exploitable vulnerabilities. Many of these risks can largely be mitigated through greater firm-wide awareness and personnel training.

Recently, there has also been movement towards more industry-wide collaboration, both between firms and with client industries. In February, some of the nation’s largest law firms announced their plans to form an alliance that would work in tandem with Wall Street’s Financial Services Information Sharing and Analysis Center to promote greater information sharing on cyber threats. Such initiatives not only generate efficiencies in efforts to keep up with the latest threats and trends, but also help to combat the perception of law firms as back doors to their clients’ security systems.