Security breaches are so prevalent that most enterprises believe it’s not a matter of if but when they’ll experience a breach. This is significant given that the average cost of a data breach is estimated at $3.92 million. Worse still, breaches are rarely short-lived events. The average time it takes an organization to determine that it has been breached is 197 days, and it will take, on average, another 69 days before the breach is contained.
Law firms are soft targets
Law firms are increasingly becoming a major target for cybercrime. In the American Bar Association’s 2019 Legal Technology Survey Report, 26% of respondents stated their law firms had experienced a data breach (and these are just firms that are aware they have been breached). This is a trend that is growing steadily year over year as hackers and malicious insiders seek to get hold of a treasure trove of valuable data from a multitude of clients, making “one stop shopping” too enticing to resist.
As law practices become more digital, the surface area for potential cyberattacks grows. Hackers are changing tactics from blunt force to highly targeted exploits focused on an individual user, workstation or device. Yet the legal industry has not come up to speed. It is no secret that law firms have traditionally been behind other industries when it comes to cybersecurity practices. And many firms have been slow to invest in the appropriate solutions or bring in the right people to manage cybersecurity activities. However, with companies, governments and consumers now focused firmly on information security and data privacy, legal professionals must look to set higher standards.
Interestingly, based on extensive public record requests, Law.com recently identified more than 100 law firms that have reported data breaches to authorities across 14 states since 2014. These firms notified authorities that a data breach occurred and could have exposed individuals’ personal information. The article indicated that “these reports are likely to represent a tiny fraction of the breaches since law firms, like other privately held businesses, don’t often publicize when their data is breached, and many may not report it to state officials, depending on the law.”
If your law firm hasn’t been breached already, there’s a high chance that it will be. And that comes at a high price of embarrassment, reputational risk, financial damage, and loss of client confidence and trust.
Industry-specific concerns and unique challenges
As a result of the impact of data breaches, as well as that of new, overlapping and evolving data privacy regulations, corporations and their legal teams are having a greater influence over information security decisions to protect information both inside and outside the organization. While there are obligations imposed by privacy and information security laws, lawyers are also bound by professional ethical obligations to safeguard client data from unwanted access and disclosure. Failure to live up to ethical obligations can also have dire consequences, making the problem that much more complicated and challenging to address.
What should you do?
Outside counsel must focus on taking a more proactive approach to adopting more stringent cybersecurity programs. This includes engaging in consultative, risk-based reviews of cybersecurity controls, ensuring compliance with regulatory mandates, gaining a better understanding of how data is stored and used, revising data security policies and practices, implementing layered defenses and developing response plans. Through these efforts, the right mix of technologies can be considered to address specific security concerns and protect against both insider and external cyber threats.
Learn more about how you can address the information security challenges facing law firms and corporate legal teams at Enfuse, the largest information security and digital forensics conference in 2019. On Wednesday, November 13th, I will be leading a session entitled “An Industry at Risk: Why the Legal Profession Must Rethink and Change its Approach to Data Security.” We will explore how changing industry, regulatory and competitive environments are impacting approaches to data security and risk, and how OpenText products and professional services can help mitigate risks and improve security measures for the industry.
Visit our website to learn more about OpenText Legal Industry solutions.