Almost every week, news stories and articles report on law firms and other practices where security breaches have occurred. As a consequence, law firms and lawyers working in different fields of practice are required to know and understand data security basics and how data breaches can affect their clients. Law firms can be held liable for breaches, so ignorance of the risk is no longer an option.
In the early stages of the Internet, data breaches were directed at government bodies and big corporations. This has changed, and now law firms, government law departments and similar organizations have become prime targets. Lawyers in many arenas have limited computer security resources. Because they hold sensitive information about their clients and large data sets, they easily become a soft target for hackers. While big corporations use sophisticated computer security defences, the defences of their law firms are probably weaker.
What are the main causes of Data Breaches for Law Firms?
Over the past years, the information of millions of individuals has been compromised through data breaches. About a third of those breaches were caused by hackers who infiltrated information systems at vulnerable points where sensitive records were unsecured.
This is what happened at the beginning of this year, when a group of hackers called Maze compromised the data of five US law firms and demanded 200 bitcoins valued at $933.000 to restore access to the data and delete their copy instead of selling it.
Data breaches are not only the result of hacker attacks; they are also caused by sloppy security practices. Almost one-third of data breaches are a result of theft or loss of laptops, mobiles or other portable media containing unencrypted personal information. In this case, data breaches can be prevented by encrypting the data on the devices and enforcing procedures that restrict which sensitive data is available on mobile devices, or by taking the necessary measures to protect confidential information.
According to recent investigations, more than 100 law firms have reported data breaches and the number does not seem to be decreasing. A lot of them have reported stolen hard drives and laptops as security incidents out of their control.
Oftentimes, employees inside the firm are motivated to steal data for financial gain or as revenge for perceived wrongs committed against them. Therefore, protecting the organization from outside attacks does not protect the firm from information being stolen by insiders, whether that behaviour is malicious, ignorant or accidental.
The Ponemon Institute issued a report at the beginning of 2020 analyzing how much the number of incidents has increased and what these incidents cost. It is interesting to see that insider threats are often underestimated but expensive when the source of the threat has to be investigated.
Online postings and other disclosures
Through careless handling of personal data, private information is often exposed in postal mailings or circulates on websites that are not supposed to have access to it. Law firms must ensure that sensitive personal records in paper and digital formats are protected.
This is the case of the Financial Conduct Authority, which has admitted revealing confidential data of 1.600 consumers. The data exposed included names, addresses, phone numbers and some complaints.
Threats Based on Accidental, Inadvertent, or Natural Events
Although it is common to focus on external threats when it comes to security issues, a lack of knowledge or understanding of basic cybersecurity principles often leads to breaches and weaknesses in the law firm’s systems. The most common internal failures are:
- Human errors when acting in good faith
- Unpredictable accidents that affect information systems and cause physical damage to the law firm’s hardware
- Disruption of infrastructural services
- Natural Disasters
Cloud Computing and Wi-Fi Risks
With cloud services on the rise, law firms use them as a tool to process and store confidential client data. This allows law firms to increase their flexibility and efficiency. However, handing the administration and physical control of sensitive data to third-party vendors carries risks that law firms need to address before putting client data into the cloud.
When travelling, lawyers tend to access public Wi-Fi in airports, hotels or coffee shops. These networks are not equipped with the necessary security features, which puts confidential communications at risk.
Business Partners can be a weak link
The security of a law firm is only as strong as that of its weakest business partner. Law firms tend to outsource a great part of their work to third-party businesses. When those outside businesses do not have security systems in place, the law firm’s confidential data is at risk.
To give a clear overview of who the victims of data breaches are, who is behind them, what tactics are being used and what the breaches have in common, Verizon publishes a Data Breach Report on a yearly basis. These reports map the incidents that occur during the year and the patterns among them, providing insights into the security risks organizations can face.
Who is responsible for Data Breaches in Law Firms?
Data security must be adopted at the highest level of a law firm and then flow down to the rest of the organization. Without action from the firm’s management, there will be no motivation for the rest of the members of the firm to follow good security practices. Lawyers must be informed about the risks of exposing confidential information and about the practices they can adopt in their daily tasks to avoid such risks.