Companies trust their most critical information to their outside counsel—updates about lawsuits, potential mergers and sensitive personnel matters, among many other things.
With new security threats emerging daily, it's important to consider cybersecurity when hiring outside counsel. Most corporations vet law firms based on a variety of criteria such as practice areas, fees, clients and capabilities. However, protecting data is rarely one of those factors. Companies generally assume that law firms take their own precautions to keep data safe.
According to the American Bar Association, 80% of the top law firms have been hacked since 2011. Law firm breaches top the news, and companies are beginning to understand how vulnerable their most sensitive and important data may be. Large and respected law firms have become prime targets for malicious exploitation, and their clients pay the price in exposed cases, strategies, acquisitions, intellectual property and more.
Law firms can be vulnerable to breaches due to multiple factors. Attorneys consider client work their top priority and other activities - for example, a training session on a new IT policy - may be viewed as hindrances simply because they take attorneys away from cases. Smaller law firms may not have full-time IT staff on board to set up, monitor and repair equipment and networks. Even if they outsource IT, the scope of services often is focused more on resolving technical issues rather than implementing proactive measures.
One way to evaluate a law firm's security is to apply Critical Security Controls (CIS Top 20 Controls). These are established by the Center for Internet Security (CIS) and they offer a valuable guide used globally to prevent and respond to cyber incidents. With these controls in mind, let's examine which of the top CIS controls companies should consider when evaluating outside counsel's cybersecurity framework.
1. Inventory of authorized and unauthorized devices
Once people with malicious intent have gained access to a law firm's network, they can access everything from emails to client files and other information. This is a particular concern for law firms because attorneys gather and add information using devices that IT has not necessarily vetted for data access outside the office. Companies should specifically ask their law firms about their policies around mobile devices and the processes for off-boarding employees.
2. Secure configurations for hardware and software on mobile devices, laptops, workstations and servers
It is important for businesses to ensure law firms encrypt confidential data. Encrypting data as it moves between users and devices can be tedious and time consuming. However, it's one of the best ways to ensure that data remains safe in transit and at rest – especially critical legal information such as mergers, intellectual property and discovery. According to a recent survey, only 27% of firms routinely encrypt USB drives and mobile devices, and barely more than half know how to encrypt email.
Email is a great example of why encryption is so important. Corporations should ensure that law firms only allow authorized mobile devices to sync with email and line-of-business applications such as Salesforce or case management systems. Otherwise, a company's data may be vulnerable from many different access points.
3. Continuous vulnerability assessment and remediation
With the fast-paced evolution of cyberthreats, many law firms struggle to keep up. After all, new threats emerge every day in the form of unpatched software, Trojans, phishing attacks, worms and more. Checking for updates and patches protects firms from known vulnerabilities.
Corporations should find out how often law firms conduct tech reviews and assessments. It's critical to verify whether firms have the technological capability to scan their environment for vulnerabilities, so those can be patched as soon as possible.
4. Controlled use of administrative privileges
Attorneys take their obligations around client confidentiality very seriously. Yet, even though a firm is handling a case, not every lawyer or staff member should have access to all client cases. Law firms must properly review and restrict who has access to information, or it can be left vulnerable to careless or embittered employees. Administering access at this level of granularity is time-consuming, but clients should insist on it.
5. Maintain, monitor and analyze audit logs
It's not enough to restrict information and encrypt data. Companies need to know who is accessing their files, what they are looking at and when that information has been touched. Audit logs can track all this, which can be extremely useful if there is ever a possibility that data may have been compromised.
Yet many law firms do not have this process in place. Corporations should know if their firms keep audit logs. If law firms do not, then companies need to request greater accountability from their firms.
6. Data recovery capability
According to the ABA's annual Legal Technology Survey, 47% of respondents said their firms don't have a response plan in place to address a security breach.
It only takes one ransomware attack to put a law firm and its clients out of business. Beyond deliberate attacks, law firms can also be vulnerable to data loss or disruption from power outages, weather-related disasters and a host of other problems. Even a few hours of downtime can have a significant impact when law firms are working on time-sensitive matters.
Many law firms still rely on on-site servers for their sole backup service, which means important information can be lost forever if there is a disaster at the office. Corporations need to know that their law firms have a strong recovery plan in place to protect their data.
For example, we spoke with one law firm partner whose office had recently burned down. The 10-person office was a total loss. Fortunately for the firm and all its clients, it had an off-site law firm cloud server in place. They were up and running again in less than 24 hours.
7. Data protection
Ensuring the confidentiality of client materials is the cornerstone of a law practice, yet oftentimes it can be extremely difficult for a law firm to prevent data exfiltration. This is where encryption, two-factor authentication, administrative policies, safeguards, firewalls and other protective measures should be leveraged. Companies should know what types of data protection their firms are using.
8. Secure configurations for network devices such as firewalls, routers and switches
Most lawyers want to spend their time practicing law, not overseeing IT. That is one reason that many law firms are challenged when it comes to maintaining secure configurations. Many law firms think that having a firewall means they are secure. But as experienced security professionals know, that's not the case. The new standard is intrusion detection systems that are monitored and maintained by specially certified engineers, and businesses need to know what measures their law firms have in place.
9. Boundary defense
Navigating the exchange of information between networks can prove to be one of a law firm's most difficult tasks. In theory, boundary defense is simple enough to understand: it involves working with the individuals and organizations a company commonly does business with to make sure emails and files are encrypted in transit. Encryption strength varies, and newer mail servers typically support the strongest protocol versions and cipher suites. If the firm's and the client's mail servers both negotiate TLS 1.2 or higher, sending data becomes significantly safer.
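One concrete check a client's security team can run on mail actually received from its law firm: parse the Received headers, which record the TLS version each relay negotiated, and report any hop that was plaintext or below TLS 1.2. This is an added example, not code from the original article; the message, hostnames and addresses are constructed for illustration, and the two header notations it recognizes (Postfix-style and Gmail-style) are assumptions about the mail servers involved.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). Each Received header is
# written by the server that accepted that hop and records the TLS session, if any.
SAMPLE_MESSAGE = """\
Received: from mx.client-corp.example (mx.client-corp.example [192.0.2.10])
\tby mail.lawfirm.example (Postfix) with ESMTPS id 4F1C2
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tfor <partner@lawfirm.example>; Mon, 4 Mar 2019 09:12:01 -0500
Received: from relay.client-corp.example (relay.client-corp.example [192.0.2.11])
\tby mx.client-corp.example with ESMTPS id abc123
\t(version=TLS1_0 cipher=AES128-SHA bits=128/128);
\tMon, 4 Mar 2019 09:11:58 -0500
Received: from desktop.client-corp.example (desktop.client-corp.example [192.0.2.12])
\tby relay.client-corp.example with ESMTP id xyz789;
\tMon, 4 Mar 2019 09:11:55 -0500
From: counsel@client-corp.example
To: partner@lawfirm.example
Subject: Draft merger agreement

See attached.
"""

# Assumed notations: Postfix writes "using TLSv1.2", Gmail writes "version=TLS1_2".
TLS_RE = re.compile(r"(?:using TLSv|version=TLS)(\d)(?:[._](\d))?")
BY_RE = re.compile(r"\bby\s+(\S+)")

def parse_hops(raw_message):
    """Return (receiving_host, tls_version) per Received header, outermost first.
    tls_version is a (major, minor) tuple, or None for a plaintext SMTP hop."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())  # unfold continuation lines
        by = BY_RE.search(text)
        tls = TLS_RE.search(text)
        version = (int(tls.group(1)), int(tls.group(2) or 0)) if tls else None
        hops.append((by.group(1) if by else "?", version))
    return hops

def weak_hops(raw_message, minimum=(1, 2)):
    """List every hop that was plaintext or negotiated a version below `minimum`.
    Only the hop into a server you control is verifiable from its own header;
    earlier headers were written by other parties and could be forged."""
    return [(h, v) for h, v in parse_hops(raw_message) if v is None or v < minimum]

def meets_minimum(raw_message, minimum=(1, 2)):
    return not weak_hops(raw_message, minimum)
```

Run against a sample of real messages from the firm, the output shows which relay in the path, if any, is the one that needs attention.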
10. Security skills assessment and appropriate training to fill gaps
Law firms can have the most cutting-edge technology and best-in-breed processes but if their staff is not properly trained and willing to follow security protocols, firms will still have vulnerabilities. Without a regular assessment of working habits and cybersecurity training, lawyers, paralegals and staff can compromise client data simply by going through their day-to-day routines.
Consider HIPAA as an example. Under the law, firms that deal with protected health information must give end-user security training, which specifically deals with minimizing risk for firms and clients, such as providing education about what a phishing scam looks like. Otherwise, this lack of training can put companies at risk of regulatory investigations and significant fines.
Law firms are committed to providing the best advice to clients, but that doesn't mean they understand what's required to keep data safe in today's world. Instead of assuming that security is the law firm's responsibility, security officers need to know their law firms' vulnerabilities and make sure those risks are minimized. Fortunately for law firms, third-party assistance from legal-specific cloud-based solutions or IT consultants can close these security gaps – meaning areas of concern discovered during the vetting process can be quickly addressed.
Joe Kelly, founder and CEO of Legal Workspace, formally launched the company in 2010.