The growing wave of cybercrime targets businesses in every industry, and law firms are no exception. With many unique cybersecurity risks, law firms are more onerous to secure than other organizations. In addition to having to fend off threats from cybercriminals, they must also overcome the threat posed by hacktivists and nation-states.
Law firms are especially attractive to bad actors because attorneys need access to highly sensitive data to provide legal services. Depending on a firm's practice area, its data serves numerous purposes when in the wrong hands:
- A cybercriminal might use information regarding an upcoming merger for their own profit.
- A hacktivist might try to expose questionable employment practices or disclose environmental violations.
- A cybercriminal might use the company's data to commit some form of fraud.
A steady stream of attacks over the past few years, including recent incidents involving Seyfarth Shaw, Fragomen, Del Rey, Bernsen & Loewy, and Cadwalader, Wickersham & Taft are just a few of the high-profile examples that demonstrate the degree to which criminals view law firms as lucrative targets.
To help firms enhance their cybersecurity posture and increase awareness of the increasingly complex and evolving threat landscape, we've created a checklist designed specifically for the legal sector.
To ascertain your firm's degree of readiness, review the following checklist to answer the following questions:
- What risk factors apply to your firm?
- What sensitive data must your firm protect?
- What professional obligations does your firm have?
Three Cybersecurity Risk Factors for Law Firms
Technology Adoption: Technologies that share legal data more efficiently and improve productivity also contribute to an expanded attack surface and can expose firms to greater cybersecurity risks.
Does your firm have any of these risky technologies or policies?
- Remote Work: As more lawyers work remotely, they can access sensitive data from unsecured locations. The more remote professionals in your organization, the greater the number of endpoints for attackers to exploit.
- Bring Your Own Device (BYOD) Policies: Personal devices operate outside of your organization's IT parameters and expose your firm to risk.
- Cloud-Based Office Solutions: While tools such as Microsoft 365, Google apps, and Dropbox streamline document management and sharing, they also increase the risk of exposing confidential legal data.
Four Cybersecurity Threats
Law firms must counter a wide range of cyberattacks. Furthermore, the nature of their work puts law firms at elevated risk. Is your firm vulnerable to any of these attacks?
- Phishing Attacks: Legal partners' credentials are valuable to fraudsters. Targeted social engineering emails aim to steal the credentials of high-ranking organization members in order to gain access to a firm's IT network or third-party sites, such as bank accounts or cloud platforms.
- Insider Threats: A malicious insider could steal legal data for personal gain. Partners and associates have deep knowledge of which data is most valuable and may constitute a high-risk insider threat. Using their access and knowledge, insiders can gather the data with the greatest value to destroy it, hold it for ransom, or use it for fraudulent purposes.
- DDoS Attacks and Hacktivism: Politically motivated actors attack an organization's systems, not for material gain, but to harm a perceived enemy. Because law firms often represent controversial figures and organizations, they are at high risk for these types of attacks.
- Ransomware Attacks: Targeted employees unknowingly download malware that encrypts data on the machine, allowing attackers to demand a ransom for its return. Without access to timely backups, a firm may find itself forced to pay up.
Three Sensitive Data Risks
Law firm computer systems represent a dense concentration of high-value confidential information. Every line of practice represents a unique and tempting target for cybercriminals.
Does your firm have sensitive data in the following practice areas?
- Corporate Clients share material non-public information (MNPI) with law firms. In March 2016, the FBI warned law firms that criminal groups are known to actively seek cybercriminals to carry out MNPI theft attacks for insider trading or to demand a ransom for the return of MNPI data.
- Trust and Estate Clients share the personal information of high-net-worth individuals, including information that could be used to fraudulently access clients' personal and corporate financial accounts.
- Litigation Teams retain information, including litigation strategies, significant evidence, and smoking-gun documents that can determine the outcome of pending lawsuits. The files might also contain intellectual property that an attacker can steal and sell on the black market.
Obligation to Secure
All businesses are bound by a number of industry-agnostic regulations to secure their sensitive data. However, law firms also have unique mandates and other pressures to ensure that data is always secure.
Has your firm implemented continuous monitoring and log analysis?
- ABA Resolution 109 specifies that “continuous monitoring and log analysis are a critical part of an organization-wide risk management."
Does your firm have dedicated staff prepared to detect and respond to threats as they occur?
- Resolution 109 states that “to maintain a highly proactive security posture, potential threats must be investigated, and targeted attacks detected in advance or addressed as they occur."
Does your firm have the expertise to stay ahead of the continuing evolution of cyberthreats and changing dynamics of cybersecurity?
- Amendments to the ABA Model Rules of Professional Conduct adopted in 2012 explicitly state that "a lawyer's duty of competence includes keeping abreast of changes in relevant technology."
Can your firm comply with GDPR?
- The General Data Protection Regulation (GDPR) applies to any firm gathering, storing, or using personal data belonging to EU residents.
Achieving GDRP Compliance
- To comply with GDPR, law firms must satisfy many obligations, including:
- Using data they possess in a compliant manner
- The need to collect and record an individual's consent
- A lawful basis for processing the individual's data.
- Allowing individuals to exercise certain rights, including the right of access and "the right to be forgotten."
- Breach notification must take place within 72 hours.
Can your firm provide and demonstrate the level of security your clients require, including meeting regulatory standards for their industries, such as HIPAA, SOX, and others?
- As a law firm, the most important data you hold is client information. Existing and prospective clients will each have their own cybersecurity requirements: a combination of regulations, professional mandates, and internal policy directives.