The practice of law is steeped in a rich history of security and privacy expectations - both legally and by clients. With the necessary and broadening use of technology by law firms and lawyers, however, concerns over data and information protection have steadily increased - and with good reason.
Data breaches are becoming more common across companies in all different areas. Stories like the Equifax breach, where more than 140 million consumers saw their private data leaked, or the Marriott breach that exposed driver’s licenses and passports of more than 300 million Americans, seem to be continuously flooding the news. The field of law is, unfortunately, not excluded. A Law.com investigation “identified more than 100 law firms that have reported data breaches to authorities across 14 states since 2014, notifying authorities that a data breach affecting the firm could have exposed individuals’ personal information.”
As vital as data security is within the legal field, it’s no surprise that lawyers and law firms are skeptical of technology use. However, with businesses expecting the companies they hire to maintain technological competence, it’s unavoidable. This leaves the question of what steps law firms can take to prevent data breaches and promote effective safety practices. While there are compliance and regulation requirements for lawyers in regards to data, there are not currently ones specifically for tech use. This leaves law firms and lawyers to enact safety practices themselves in an attempt to remain compliant with data,
Below, we’ll take a look at ABA and professional cybersecurity recommendations that can help law firms maintain compliance and prevent data breaches.
By adding encryption to devices and hard drives, an extra layer of security above passwords is enacted. When data is encrypted, it is converted into a form that cannot be read except by authorized users. This ensures that even if data is breached with the use of stolen passwords, it still cannot be used or viewed. Encryption acts as peace of mind.
Hire IT Professionals
The management of technology within companies and law firms has effectively turned into a full-time job. By creating an in-house dedicated IT department or hiring outside IT assistance, law firms can maintain regular monitoring of the tech in use and ensure quick resolution should a problem arise. IT professionals can perform updates, patches, and changes on an as-needed basis and help keep a law firm’s data protected and compliant.
Depending on the size of the law firm, there can be a lot of computers and devices in use at any given time by employees. Because all firm tech use must be adequately protected and monitored, regular inventory must be kept. Tech inventory should include all computers, company phones, laptops, tablets, software, servers, and cloud services used by lawyers and employees. When inventory is appropriately maintained and kept up to date, it’s easier to approach problem resolutions when needed and ensure that all devices remain compliant and secure.
Restrict Use of Portable Media
USB keys, CDs and DVDs, and flash memory cards are all considered portable media. While these devices can undoubtedly hold value in the convenience of data transfer and storage, their use should be limited within the legal realm. The use of portable media increases the possibility of data loss and theft. Other portable data solutions should instead be considered, such as secure cloud data storage services that can easily be accessed by employees as needed from wherever they are.
Use Secure Cloud Services
The use of cloud services offers convenience and versatility to businesses and law firms that they didn’t previously have. While useful, law firms must investigate the reliability of the cloud services they wish to use, to ensure steps are being taken to maintain security. Firms should take into consideration the security history of the service they intend to use, as well as ensuring the cloud service provider prioritizes security. Unfortunately, if a data breach is experienced, the cloud service provider holds no obligation to their users.
Understand Client Data Needs
Data security and privacy expectations will differ from client to client. A law firm must familiarize itself with the security needs of each client and ensure that those needs and requirements are regularly met. When this isn’t prioritized, it opens up clients to potential security and regulation problems within their field. By utilizing Customer Relationship Management (CRM) software, law firms can track and record the expectations of their clients and make this process easy to maintain.
Create Security Policies
Because data protection and security are vital within a law firm, policies and procedures should be established and maintained company-wide to ensure compliance by all employees. Unless all employees are abiding by a law firm’s security expectations, security cannot be guaranteed or upheld. Security policies should be written into company handbooks and standard operating procedures (SOPs). This makes training and enforcement easier and more streamlined.
Use Passwords and Multi-Factor Authentication
While passwords are essential to the protection of data, they must be changed regularly and meet the requirements set forth by the law firm. Common or easy passwords should be avoided, and rules should be implemented for what’s required of a password, i.e., capital letters, numbers, special characters, etc. Additionally, multi-factor authentication should be enabled when possible. This is the process of requiring a second step, such as a one-use code, in addition to a password.
Create Records Policies
The maintenance and security of record-keeping within a law firm is crucial. Because of this, policies and guidelines must be established within a law firm for how records should be kept and subsequently destroyed as needed. Access to records should be limited within a law firm, and old files should be disposed of securely and regularly within compliance regulations.
Loss of data, through human error or ransomware, can be just as detrimental to a law firm as theft of data. When vital data is lost, this can cripple or delay the normal functionality of a law firm for months or even years. To avoid this problem, law firms should have clearly defined backup systems that identify how often and by what means data should be backed up. Doing this helps to ensure law firms and their clients can carry on in the case of data loss.
Utilize Antivirus Protection
Antivirus software should be used on all laptops and computers within a law firm. By doing this, an extra layer of protection against malware, viruses, and ransomware is added and can help avoid detrimental problems. The companies that design and maintain antivirus software continuously monitor for new threats to cybersecurity and make every effort to ensure your devices are protected.
Train Employees to Spot Phishing Attempts
Unfortunately, phishing is used more and more to steal data. Phishing is the act of attempting to obtain data, passwords, payment information, and other private details by pretending to be a company or service. When employees aren’t familiar with phishing tactics, this opens them and the law firm up to having vital data and information stolen by fraudulent hackers. Law firms should address the practice of phishing with employees and ensure they are trained to identify possible phishing attempts. Key identifiers such as forged links, unusual urgency, unusual personal information requests, and generic greetings or misspellings are examples of situations that employees should question.
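The four identifiers listed above can also be checked automatically before a message reaches an inbox. The following is an added example, not code from the original article: it scans a constructed sample email for a forged link (visible link text naming one host while the actual href points elsewhere), urgency language, requests for personal information, and a generic greeting. The phrase lists and the sample message are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed phrase lists; a firm would tune these to its own mail traffic.
URGENCY = ("immediately", "within 24 hours", "will be suspended", "urgent")
DATA_REQUESTS = ("password", "social security", "credit card", "date of birth")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client", "dear sir/madam")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the lowercased hostname of an http(s) URL, or '' if none."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def phishing_indicators(subject, html_body):
    """Return the indicators found in the message; an empty list means none."""
    found = []
    text = f"{subject}\n{html_body}".lower()
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, visible in collector.links:
        shown = _host(visible)  # host the reader sees in the link text
        if shown and shown != _host(href):  # ...differs from where it goes
            found.append(f"forged link: shows {shown}, goes to {_host(href)}")
    if any(p in text for p in URGENCY):
        found.append("unusual urgency")
    if any(p in text for p in DATA_REQUESTS):
        found.append("request for personal information")
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    return found


# Constructed sample message for demonstration; not a real email.
SAMPLE_SUBJECT = "Urgent: verify your account immediately"
SAMPLE_BODY = ('<p>Dear Customer,</p><p>Your account will be suspended. Confirm your '
               'password at <a href="http://login-verify.example.net/">'
               'https://portal.example-firm.com</a></p>')
```

Running `phishing_indicators(SAMPLE_SUBJECT, SAMPLE_BODY)` reports all four indicators; a flagged message is a candidate for review, not proof of phishing.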
Purchase Cyber Insurance
Insurance, in general, is something important for businesses to carry to protect them when disaster strikes. That being said, cyber insurance is something that should be considered. Cyber insurance can help with loss of revenue and disruption in the case of security breaches and prove useful for both law firms and their clients.
Maintain Website Security
A law firm’s website must be securely maintained. Security certificates, patches, and other elements should always be kept up to date. This is especially important when forms are used on the site to collect data from clients and contacts.
Use a VPN
A virtual private network (VPN) is a service that establishes a secure and encrypted data connection from one user to another. This can be important regarding the transfer of data between employees or to clients. VPN services are offered by a number of IT companies and can typically be obtained at a relatively low cost.
Clarify Company Mobile Device Expectations
With the increasing use of mobile devices, especially for lawyers, there should be pre-set and clearly defined expectations for the use of mobile devices. Things like encryption requirements, password expectations, multi-layer security use, or even remote data wipes should be made clear and maintained within company handbooks to help ensure compliance.
While tech security can seem daunting to lawyers and law firms who prioritize the protection and safety of records and data, if steps are taken (like the ones mentioned above) to prevent data theft and loss, clients and law firms can rest easier.