Bloomberg Law
April 7, 2015, 12:02 PM UTC

It’s Time To Get Serious About Law Firm Cybersecurity

Ryan Schlunz

Editor’s Note: This article is written by the head of innovation at law firm Stoel Rives who leads teams charged with project management, staffing and pricing alternatives and knowledge management.

By Ryan Schlunz, Chief Innovation Officer, Stoel Rives

Imagine if there were only two types of law firms in the United States today: those who have experienced a data breach and those who don’t yet know they have experienced a data breach. This scenario is actually not far from reality, and for most AmLaw 200 firms it is likely already accurate. However, many law firms don’t yet appear to appreciate the scale of the threat. For example, in a recent online Bloomberg BNA poll, respondents ranked “hackers and data breaches” as only the fourth of five enumerated “biggest threats” to law firms, with a mere 11% of the vote.

Too many firms remain asleep at the wheel on this issue, a fact underlined by Cisco Systems Inc.’s decision to rank law firms as the seventh most-vulnerable industry in its 2015 “Annual Security Report.” Indeed, late last month, The New York Times reported on an internal Citigroup cyber intelligence center report that predicted that law firms would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”

Patent and insider deal information are not the only types of information at risk of cyber-attack. Stolen healthcare data sells for as much as $10 per medical record on the black market, and has fast become more valuable than credit card information. Even firms that do not store healthcare and financial data, or data related to mergers & acquisitions or patents, are at risk: hackers may come after client information that could help them break into client systems.

It’s time for law firms to wake up and make cybersecurity a top priority. Here are some steps to get ahead of the issue:

• Make cybersecurity a top priority of firm leadership (Managing Partner, Executive Committee, Board, etc.). Brief your entire partnership about cybersecurity risks; provide them with an overview of your firm’s risk profile, the specific threats you face, and what you are doing about them. Make this a quarterly briefing and make sure attorneys and staff understand their role in risk mitigation.

• Ask the person in charge of technology security at your firm if your systems were breached the previous night. Then ask them to prove it to you. Do this daily until you get better answers.

• Write your data breach incident response and communications plan now, so you are prepared when you find out that you have been breached.

• Share information and procedures with your clients, and advise them to take similar measures.

How law firms ensure the security of data is already a critical issue for all clients. Having data security procedures in place - such as regular client audits that prove that data is secured properly - is quickly becoming an industry standard. Regulatory requirements are likely not far behind. It’s time for all law firms to get serious about cybersecurity.
