Every day brings new stories of companies or governments being hacked and private data being leaked. In the first three quarters of 2020 alone, there were 2,935 publicly disclosed breaches, amounting to the disclosure of 36 billion records.1

When one thinks of such occurrences, large scale breaches suffered by Target or Experian spring to mind. However, law firms are not immune, and bad actors are increasingly targeting law firms for the wealth of sensitive information under their control. In 2017, DLA Piper, one of the largest law firms in the world, suffered a complete worldwide outage of its email system for an entire week due to a ransomware attack originating from its Ukraine office.2

The 2016 “Panama Papers” leak also originated from a law firm, Mossack Fonseca, in which 11.5 million documents totaling 2.6 terabytes were released.3 A law firm that suffers a data breach risks more than the loss of clients or standing in the community. A law firm could be subject to damages should its clients be adversely affected, and attorneys may face potential violations of the Michigan Rules of Professional Conduct.4 Data security is especially important in the era of COVID and remote work. Because so many law firms have enacted remote work policies, the amount of digital information needed to sustain this practice has increased accordingly. Therefore, it is paramount that law firms have robust systems in place to prevent the devastating occurrence of a data breach.

    1. Home network security. Even if your law firm has a secure office network, employees working on unencrypted home networks can compromise the firm’s office network because data on an unsecured network is freely accessible to third parties. Firms should ensure that their remote employees do not have unsecured Wi-Fi networks while at home.
    2. Traveling network security. For employees on the go, it may be tempting to use public Wi-Fi networks offered by restaurants and airports. However, just like an unsecured home network, public access points can compromise the firm’s office network security. Traveling employees who use public access points should use either their smartphone hotspot function or utilize a Virtual Private Network (VPN) service so that data between the employee and the law firm is encrypted.
    3. Anti-phishing training for employees. The best security solutions can be defeated by a simple phishing attack. Phishing is defined as “a scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly.”5 For example, assume an employee receives an email purporting to be from Microsoft informing the employee that Outlook needs to be updated via the link in the email. The employee clicks the link, which then downloads malware directly onto the employee’s computer that quickly spreads to the firm’s network. This is an all-too-common occurrence and is how DLA Piper was compromised. Employees should be trained to recognize phishing emails.
    4. Adequate data backups. If your firm’s network is compromised, it is vital that your data is backed up so that it may be retrieved securely in the event of a ransomware attack.6 This would include firewalls, so that backups are not compromised, and off-site storage to protect against physical damage by fire or flood.
    5. Vendor data security. Most law firms will not have a dedicated IT department and so will rely on third-party vendors to provide IT services. Ensure that the vendor has a good reputation in the community and is familiar with the unique challenges that law firms face compared to other industries. Vendor security also arises in the cloud computing context. Your firm’s sensitive data could be leaked if hackers target the cloud computing vendor without targeting your firm itself. Firms utilizing cloud services should consider using a hybrid system wherein the most sensitive data is stored locally and less sensitive data is stored on the cloud service. Data stored in the cloud should also be encrypted to prevent unauthorized access should the cloud provider be hacked.
    6. Passwords. Along with phishing attacks, weak passwords are the low hanging fruit for bad actors. Passwords should never contain easily guessable information such as birthdays or the names of loved ones. Consider using password management tools so that unique, strong passwords can be used for each specific site or service without the need to write passwords down on paper. Multifactor authentication can also prevent attacks.

Notes

  1. https://www.securitymagazine.com/articles/94076- the-top-10-data-breaches-of-2020.
  2. https://www.biggerlawfirm.com/do-not-fall-downthe-rabbit-hole-of-a-law-firm-data-breach/.
  3. https://en.wikipedia.org/wiki/Panama_Papers.
  4. The comment to MRPC 1.1 states that “[t]o maintain the requisite knowledge and skill, a lawyer should engage in continuing study and education, including the knowledge and skills regarding existing and developing technology that are reasonably necessary to provide competent representation for the client in a particular matter.” Ethics Opinion RI-381 further opines that technology competence includes cybersecurity and the ongoing confidentiality of clients’ Electronically Stored Information (ESI) pursuant to MRCP 1.6.
    https://www.michbar.org/opinions/ethics/numbered_opinions?OpinionID=1251&Type=6&Index=C
  5. https://www.merriam-webster.com/dictionary/phishing.
  6. “Ransomware” is defined as “malware that requires the victim to pay a ransom to access encrypted files.” https://www.merriam-webster.com/dictionary/ransomware.