In this ever-changing era of technology we live in, cybersecurity continues to be a major concern for all industries, and especially for lawyers. There has been an upswing in cyberattacks against law firms over the last few years. The FBI reported that law firms are new targets for hackers because law firm computers contain highly sensitive and confidential material, such as client information, trade secrets, business plans, and personal data, which can be hacked through various outlets such as e-mail, computer files, the cloud, and online accounts. A single breach of security could put your law firm at risk for malpractice lawsuits, damage to your firm’s reputation, lost billable hours, and significant financial expenses.
Keeping your clients’ information secure is both an ethical and legal requirement. It is your responsibility to safeguard business financials, personal data, and sensitive information that clients entrust you with. It is always best practice to create strong and unique passwords, keep them private and protected, and change them often. Never connect your laptop or cell phone to open public Wi-Fi networks when sending client emails or documents. Most cell phones now provide the ability for a Wi-Fi “hotspot,” which is more secure than any public open Wi-Fi network. Another preferred security measure is to enable multi-step login requirements and security alerts if there are any unauthorized attempts to access your accounts. We also constantly need to be alert for email phishing and virus attempts (we’ve all received those emails from a prospective client from the Middle East who wants to wire $2 million to your trust account – seemed legit to me), and all attorney communications should be double-checked for encryption and recipient accuracy to avoid information being inadvertently sent to, or intercepted by, an outside party.
As a solo attorney, I am embarrassed to admit I only recently discovered the serious lack of security protections I had in place at my firm. I hired a professional IT guy to come to my office and he informed me that I had the lowest level firewall protection for my computer, and because I was on a shared internet connection with other attorneys who lease space in the shared office environment, I was completely exposed to any hacker that wanted to access my systems or fellow attorneys on the network. When he told me this, I was astonished. In the practice of law, “you don’t know what you don’t know,” and it took this experience to realize I didn’t know anything about cybersecurity, firewalls, or password encryption programs. After spending around $2,000 in IT services, I established my own virtual private network (VPN) which acts as an encrypted tunnel over the internet, installed a top-of-the-line firewall, password-protected my Wi-Fi, and created a secure network to be able to remotely log in from home to my work computer. I also encrypted all my passwords using a free program called LastPass. Having an antivirus software program like Norton running at all times in the background is also essential to protect against spyware, malware, ransomware, and viruses.
It is imperative that all law firms, especially solo attorneys, conduct an inventory and assessment to determine where potential threats exist so protections can be enacted. With all the resources and vendors on the market today in this industry who can assess and enact cybersecurity protections, there is no excuse for your firm not to be protected. Many legal malpractice carriers like Lawyers Mutual now include limited cybersecurity insurance coverage for policyholders, but several do not, or don’t cover attacks from malware or ransomware events, so you should carefully review your insurance policy to confirm the extent of coverage in the event of a cyberattack.
Effective law firm cybersecurity is an ongoing process that needs to be constantly re-evaluated and updated over time. The cost of a major data breach could be crippling to a small firm. Attorneys can easily avoid the unnecessary risk of a cyberattack by assessing the problem and establishing various protections, security programs, and safeguards in their practice to provide a strong defense against cyber criminals. I certainly rest easier at night knowing that I took these steps for my firm.