The legal industry is transforming before our eyes. New technologies and workplace models are reshaping small law firms’ operations. In this five-part series, we’ll analyze the top 5 trends affecting the legal industry in 2022. This week: data security.
Law firm data security isn’t just a key priority; it’s a core tenet of the profession thanks to attorney-client privilege and the powerful, sensitive information involved in many cases. Clients trust that whatever they say to their attorney, or whichever document they share, will be entirely confidential. When firms suffer from data breaches, this confidentiality evaporates.
Every firm, no matter its size, is at risk of a data security breach. In 2021, 17% of solos and U.S. firms with 2-9 attorneys, and about 35% of U.S. firms with 10-49 attorneys, reported some kind of cybersecurity breach, including breaches of data. Meanwhile, just over half (53%) of firms overall say they have a policy to manage data retention. But all firms, regardless of practice area, location or number of clients, must have law firm data security policies in place — especially in an era when staff are working from multiple locations.
Let’s explore the impact of these breaches — and how your small firm can keep its data secure.
Why law firm data security is more of a concern than ever before
Law firms are particularly vulnerable to cyberattacks. They hold confidential, highly sensitive information that would be incredibly valuable to hackers. Many firms also have access to trust accounts that hold substantial sums of money. But an alarming number of firms have subpar security protocols — only 43% use file encryption, and less than 40% rely on two-factor authentication.
In other words, hackers have plenty of incentive to target law firms. Such breaches typically hit the headlines only when they affect massive firms — such as the $42 million ransom demanded of Grubman Shire Meiselas & Sacks in 2020 — but smaller firms are not immune. And it’s a problem that could continue to balloon.
Post-pandemic, most law firms are embracing a hybrid working model, allowing attorneys to spend at least part of the week working from home. But most firms aren’t taking cybersecurity seriously. While about 65% of small firms now use cloud-based services, no more than 35% of respondents were taking any one of the specific standard cautionary cybersecurity measures listed in the ABA survey question; 18% of respondents took none of the security precautions of the types listed.
This presents a significant challenge. Firms’ office networks are likely to be far more secure than their attorneys’ home WiFi networks. And if employees use unsecured public networks (like their local coffee shop), their firm’s data is at an even higher risk.
The impact of data breaches on firms
Data breaches are catastrophic for your firm’s reputation, performance and profitability. A single cyberattack destroys clients’ trust in your ability to protect their privacy, and damages your long-term reputation among prospective clients and your peers. In the most severe cases, your firm could be sued for malpractice.
Aside from the damage to your clients and firm, the time, energy and money needed to recover are both an unwelcome distraction and a detriment to attorney confidence and performance.
Be aware of your ethical and legal obligations, including ABA Ethics Opinions (like "Securing Communication of Protected Client Information" and "Lawyers' Obligations After an Electronic Data Breach or Cyberattack") and state data protection laws:
How firms can safeguard their data security
Law firms must proactively build a data-security plan, implement the most up-to-date data security tools and readily embrace common cybersecurity best practices. Identify an internal data-security champion to own your data security plan and processes, such as ensuring your ingress, egress, operating systems and firewalls adequately protect clients’ confidential information.
Your firm must also actively educate attorneys and staff on keeping their data secure. IBM research found 95% of all data breaches are due to human error. There’s little point in firms safeguarding their own systems if attorneys unintentionally undo all this hard work — especially when they’re outside their office’s firewall.
It’s important to note that firms must also be highly selective when partnering with technology vendors, only implementing tools with built-in data security.
Smokeball’s data security capabilities
Smokeball takes data safety incredibly seriously. We’re a cloud-based solution, meaning we rely on Amazon Web Services (AWS) to keep our customers’ data safe. For reference, a ton of the world’s leading companies—including Capital One, JPMorgan Chase & Co. and General Electric—also trust AWS’s data security capabilities, so we’re far from alone in this.
Within the Smokeball platform itself, Communicate — our secure messaging and file-sharing platform — keeps client communication away from prying eyes. Communicate leverages the latest data security innovations, including two-factor authentication, full data encryption and Auth0 technology.
Our dedicated information security team is continuously improving our security through a range of controls, including:
- Local + network firewalls
- Web application firewalls
- Intrusion detection systems (IDS)
- Multi-vendor anti-virus
- DDoS throttling services
- Access control lists
- Security patch management
- Identity + access management
- Centralized log management
- Symmetric + asymmetric encryption systems
- Separation of duties
- Vulnerability assessment
- Anomaly detection
- Remote monitoring + alerting
To learn more about Smokeball’s approach to law firm data security, review our regularly updated security policy.
In the next installment of this five-part legal industry trends series, we’ll analyze hybrid working.