Law Firm Cybersecurity Risk Management Services
MANAGING RISK USING THE CYBERSECURITY FRAMEWORK
According to a 2015 ILTA survey, 49% of law firms have security awareness training programs (86% of firms with 350+ attorneys). Such training is essential for law firms! All firms should have a program.
In addition, details have recently been released of the first class-action lawsuit against a law firm for inadequate security measures. A complaint filed in April, Shore v. Johnson & Bell, alleges that the law firm engaged in “systematically exposing confidential client information and storing client data without adequate security.” There is no evidence the client’s information was actually compromised – only that it could have been. The complaint alleges the law firm was negligent by using an application that the National Institute of Standards and Technology (NIST) noted as having a vulnerability, having inconsistent VPN security, and using an email system with outdated technology.
Cybersecurity challenges require law firms and legal entities to do two things. First, put protections in place to safeguard critical data and client information; this is a requirement for protecting the firm’s reputation and assets. Second, plan for failure: even the best programs will eventually experience a breach and expose some information the firm would like to protect. CyberSecOp serves as a cybersecurity task force for legal firms.
Law firms must make cybersecurity a priority. As I’ve written before, a robust data security program is imperative for law firms of any size. Here are some recommendations for basic things all lawyers and law firms should be doing:
- Assess the risks. Do an assessment of the risks. Identify the vulnerabilities and what needs to be done to better protect against them. A data inventory should be done so the firm knows the various types of data that it is maintaining.
- Assign responsibility. Someone at the firm should be responsible for handling privacy issues. There should be a person responsible for data security. Every collection of data should have a person responsible for it (called a “data steward”). Everyone at the firm should know whom to call with any questions about privacy or security.
- Develop policies and procedures. Develop or improve policies and procedures for how various types of data are to be handled and protected. What are the policies regarding placing data on portable devices? Employee access to data? Encryption? BYOD? Social media use? How is any PHI identified and handled?
- Implement workforce security awareness training. Develop an annual security training program to ensure that everyone knows how to handle and protect data properly, the importance of privacy and security, and whom to call if there are any questions or concerns. “Security awareness is essential to effective security. There cannot be effective security if users are not trained or do not understand the issues and the applicable security policies.”
- Develop an incident response plan. Develop a plan for responding to privacy and security incidents. This plan covers how to handle the investigation, who is responsible for which tasks, what laws and regulatory requirements need to be followed, and which third-party vendors are best to hire to help with certain tasks (forensic investigations, breach notification, etc.). The plan should also cover how to handle PR. Time will be very scarce during an incident; it is best to be ready in advance rather than scrambling frantically after a breach. There should also be a plan for how to handle clients whose data is implicated.
- Look into cyber insurance. Law firms should look into insuring against the risks and understand what things are covered and what things are not covered by various policies.