Client data is unarguably the most vital asset that a law firm has, making the protection of said data one of the most essential tasks a lawyer has. Unfortunately, incident breaches resulting in the loss, theft, or disclosure of data happen. When this occurs, law firms are required to act immediately to identify, notify, and resolve the issue. You can learn more about what to do in the case of a data breach incident here.
Information on over 100 filed law firm incident breach reports from 2019 was gathered recently by Law.com. While this is already a substantial number, cybersecurity experts reportedly indicate that the number is much higher than that.
We've listed the incident breaches by category below for reference.
- Inadvertent Disclosure (e.g., accidental sharing of information by an employee or service): 26
- Loss or Theft of Device or Media (e.g., computer, laptop, external hard drive, thumb drive, CD, tape): 30
- Insider Wrong-Doing (e.g., purposeful misconduct of an employee): 3
- External Systems Breach (e.g., hacking): 62
- Other: 7
The numbers above reveal an unsettling bit of information: external systems breaches, like hacking or ransomware, are responsible for the majority of incident breaches. While all businesses are open to cybersecurity problems, law firms are viewed by security experts as being especially open to hacking and theft. This is due to the substantial amount of sensitive data law firms have on clients at any given time. When data breaches occur, they expose not only the law firm but the law firm's clients, which can open the door to a variety of issues depending on the severity and nature of the incident.
According to ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack”:
“Data breaches and cyber threats involving or targeting lawyers and law firms are a major professional responsibility and liability threat facing the legal profession. As custodians of highly sensitive information, law firms are inviting targets for hackers. In one highly publicized incident, hackers infiltrated the computer networks at some of the country’s most well-known law firms, likely looking for confidential information to exploit through insider trading schemes. Indeed, the data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked and those that will be.”
While the breach incident numbers are indicative of a problem, they provide a reasonable basis for lawyers and law firms to maintain high security standards and practices to protect themselves and their clients. When lawyers and law firms take proactive steps to prevent data theft and loss, they dramatically reduce their chances of becoming victims of a cybersecurity incident. Some standard security practices all firms should consider are:
- Developing a comprehensive security plan for the prevention and handling of cybersecurity incidents.
- Establishing clear security expectations of employees.
- Creating an inventory list, including serial numbers, of all software and hardware used by employees.
- Maintaining antivirus software on all company computers and devices.
- Hiring an IT company or IT professional to ensure the most up-to-date security measures are taken.