• 8 Data Breach Tips for Law Firms

    September 5, 2018 in Commercial Lines Cyber Liability News by Drew Gunn

    The legal profession has access to a great deal of data and is trusted daily with very sensitive client information, communication between attorneys, and even settlement financial data and information on clients’ “trade secrets” and intellectual property. With this wealth of information comes considerable exposure to cyber risks. Though law firms have increasingly become targets of cyber crimes, it seems as though the legal profession, as a whole, has somewhat lagged behind in terms of security and mitigation of those exposures.

    Let’s discuss some ideas on how to properly mitigate that risk exposure and help keep your and your clients’ information safe and secure.

    1. It’s not just your IT Guy’s Problem: We love the IT guy, and I know he does a great job, but he/she may only work eight to nine hours a day. Hackers are attacking 24/7. Therefore, it’s important for each person in the organization to take ownership of their own cyber hygiene. Create a culture of awareness about potential threats and how to avoid them. It’s a good idea for each member of your organization to undergo training on how to avoid becoming a victim of a hack or other cyber intrusion.

    2. Divide and Conquer: Keep back-ups of your most sensitive information and/or client files on a separate server. This will make it more difficult for hackers to get access to information and also save you the expense of trying to recreate lost data in the event of a breach. Furthermore, you could even avoid the ransoming of that data and possible interruption of your business operations, which can be a costly event.

    3. Attorney-Client Privilege: This one may seem obvious but good cyber policies and hygiene will help you maintain that most sacred of relationships. Additionally, being able to show your clients that you have excellent procedures and protocols in place may make them even more comfortable sharing sensitive information with you.

    4. Assess Your Firm’s Situation: It’s a good idea to get some outside perspective on your firm’s unique situation as it pertains to your possible risks and protocols. Hiring a third-party cyber consultant is a good way to audit your current state of cyber security. They can also help you figure out if any technologies need to be implemented to address Intrusion Detection, Breach Monitoring, Encryption and Intrusion Protection.

    5. Don’t Go Cheap on Hardware and Software: Spending a little more now may save you substantial time, money and reputation damage later. Don’t take the cheap route when it comes to things like firewalls, intrusion detection systems, virtual private networks (VPNs), data encryption software and backup storage devices.

    6. Know the Laws: There is some debate on whether law firms are subject to the same statutes that require notification of clients in the event of a breach. Either way, it’s a good idea to see how your state governs your duties in the event of a breach. Also, if you have clients in other states, it’s important to know about their states’ regulations as well, and how those could affect your firm.

    7. Policies are a Good Policy: Make sure you have a company-wide data and internet policy that each of your employees follows. There are several resources online to find examples of great policies, but I highly recommend the resources available from StaySafeOnline, which is powered by the National Cyber Security Alliance. Having a comprehensive policy in place that addresses mobile and desktop device usage, classification of data, and password safety and management can go a long way in educating your employees and creating a culture of accountability within the firm.

    8. Cyber and Data Privacy Insurance: This is a huge one since data breach events are not a matter of “if” but “when”. You need to have a very frank conversation with your agent or broker about what types of coverages and limits are appropriate for your firm. It’s also very important that you select an agent or broker and carrier that understands cyber risks and has access to insurance policies that address your specific needs. Remember, there is very little standardization within the cyber and data breach insurance marketplace, so it is essential that both you and your agent do your due diligence when selecting a policy. Oftentimes an ‘off-the-rack’ policy or coverage extensions will not properly address your needs and could leave you in an under-insurance situation. Therefore, it is vital you get someone who really displays expertise and is qualified to evaluate your risks.

    Bonus!: Here are a couple of great tools that can help you out along your path to great cyber hygiene and practices:

    NetDiligence® Data Breach Cost Calculator: A great tool to see just how costly a data breach incident could be for your firm.

    HowSecureIsMyPassword.net: Lets you see if the passwords you typically use are strong enough to survive hacking algorithms and approximately how long it would take to hack your passwords. FYI, if you use “password1”, it can be figured out almost instantly.

    HaveIBeenPwned?: Simply type in your email address and instantly see if your information (related to that email address) has ever been exposed in a data breach.


    As always, it’s a great idea to talk to your current agent about your cyber security or just reach out to Drew Gunn, cyRM, and Producer for Thompson Insurance, if you have any questions, comments or just need some advice.

    Author: Drew Gunn is a Certified Cyber Risk Manager (cyRM) at Thompson Insurance. He works out of both the Montgomery and Birmingham offices and has clients all over the state of Alabama. He attained the cyRM designation through ongoing education and testing regarding Cyber Risk Management and Data/Privacy Liability issues. Feel free to email Drew at [email protected]
