Law Firm Data Security: An Ultimate Guide
June 6, 2023
Law firm data security isn’t just a key priority; it’s a core tenet of the profession thanks to attorney-client privilege and the highly sensitive information involved in many cases. Clients trust that whatever they tell their attorney, and whatever documents they share, will remain confidential. When a firm suffers a data breach, that confidentiality evaporates.
No matter your size, every firm is at risk of a data security breach. In 2021, 17% of solos and U.S. firms with 2-9 attorneys, and about 35% of U.S. firms with 10-49 attorneys, reported a cybersecurity breach of some kind. Meanwhile, just over half (53%) of firms overall said they have a policy governing data retention. But all firms, regardless of practice area, location, or number of clients, must have data security policies in place, especially now that staff work from multiple locations.
Let’s explore the impact of these breaches — and how your small firm can keep its data secure.
Why Law Firm Data Security Is More of a Concern Than Ever Before
Law firms are particularly attractive targets. They hold confidential, highly sensitive information that is valuable to attackers, and many firms also control trust accounts holding substantial sums of money. Yet an alarming number of firms have subpar security controls: only 43% use file encryption, and fewer than 40% use two-factor authentication.
In other words, attackers have plenty of incentive to target law firms. Such breaches typically make headlines only when they hit large firms, such as the $42 million ransom demanded of Grubman Shire Meiselas & Sacks in 2020, but smaller firms are not immune. And the problem is likely to keep growing.
Post-pandemic, most law firms have adopted a hybrid working model, allowing attorneys to spend at least part of the week working from home. But most firms are not taking cybersecurity seriously enough. While about 65% of small firms now use cloud-based services, no more than 35% of respondents to the ABA survey were taking any one of the specific standard security measures the survey listed, and 18% took none of them.
This presents a significant challenge. A firm's office network is likely to be far better controlled than its attorneys' home Wi-Fi networks, and if employees use unsecured public networks (like the local coffee shop), firm data is at even higher risk. The practical answer is to stop trusting the network at all: require a VPN or TLS-protected services, device encryption, and multi-factor authentication for every connection, whether it originates in the office or not.
The Impact of Data Breaches on Firms
Data breaches are damaging to your firm’s reputation, performance, and profitability. A single cyberattack undermines clients’ trust in your ability to protect their confidences and harms your long-term reputation among prospective clients and peers. In the most severe cases, your firm could be sued for malpractice.
Beyond the harm to clients and the firm, the time, energy, and money needed to recover are both an unwelcome distraction and a drag on attorney confidence and performance.
The impacts of poor law firm data security can be broad and significant. If bad actors penetrate or circumvent your practice's data security measures, they can threaten business continuity and impede your ability to serve your clients. Some specific repercussions of a breach include:
- Compromised email accounts due to phished login credentials;
- Loss of access to client data or systems as a result of a ransomware attack or a distributed denial-of-service (DDoS) attack;
- Lasting damage to your law firm's reputation;
- Doubts about whether you can protect client data;
- Lawsuits or regulatory penalties.
In addition to direct repercussions such as those outlined above, your law firm may find it difficult to gain the trust of prospective clients for months or years following the data breach. Ultimately, that erosion of client trust will hinder future expansion efforts and prevent you from realizing your growth goals.
Ethical and Legal Obligations
Be aware of your ethical and legal obligations, including ABA Ethics Opinions (like Securing Communication of Protected Client Information and Lawyers’ Obligations After an Electronic Data Breach or Cyberattack) and state data protection laws.
As an entity that collects, manages, stores, and interacts with confidential information, your law firm has a moral, ethical, and legal responsibility to its clients. Specifically, you must proactively work to maintain the security and integrity of sensitive data.
Fulfilling these obligations requires a multifaceted approach that combines several pragmatic controls: full-disk encryption to protect files at rest on laptops and servers, and TLS (for example, HTTPS and an encrypted client portal rather than plain email attachments) to protect them in transit. Disk encryption does nothing for a file once it leaves the machine, so both are needed.
Several state laws have recently been enacted to hold businesses accountable for mishandling personal data. While the specific requirements and penalty schedules vary, most provide for substantial fines against businesses, law firms included, that fail to implement reasonable security safeguards.
The first step to ensuring compliance with these laws is to familiarize yourself with them. Additionally, you will need to understand and adhere to the American Bar Association's ethical opinions that govern security issues and client data privacy.
With that in mind, let's focus on ABA formal opinion 483 and several relevant cyber breach notification laws.
American Bar Association Formal Opinion 483
Issued in 2018, ABA Formal Opinion 483 provides clear guidelines to law firms regarding how they should respond to a security breach. Here are some key points:
- Lawyers have a "duty of competence" (Model Rule 1.1) that extends to the technology they use to store and transmit client data;
- Firms must make reasonable efforts to monitor their systems so that a breach can actually be detected;
- When a breach is detected, the firm must act reasonably and promptly to stop it and mitigate the damage;
- Attorneys must notify affected current clients of a breach involving material confidential client information;
- Legal practices must make reasonable efforts to protect client data, with measures proportionate to its sensitivity, such as firewalls, access controls, and encryption.
Law firms must not only adhere to ABA Formal Opinion 483, but they must also ensure compliance with state or national cyber breach notification laws.
Cyber Breach Notification Laws
The legal industry is subject to stringent cyber breach notification and data security laws. Some of the most notable laws include:
- CCPA: The California Consumer Privacy Act (CCPA), enacted in 2018 and in force since January 1, 2020, was inspired by Europe’s General Data Protection Regulation (GDPR). It gives California residents rights over their personal data and provides a private right of action when that data is exposed in a breach caused by a failure to maintain reasonable security.
- SHIELD: New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, whose data security requirements took effect in March 2020, requires any business holding New York residents’ private information (law firms included) to implement “reasonable” administrative, technical, and physical safeguards, and broadens the state’s breach notification duty.
- HIPAA: While HIPAA is generally viewed as a healthcare regulation, a law firm that receives protected health information (PHI) from a covered entity, for example when handling medical records in a personal injury or malpractice matter, is a business associate. It must sign a business associate agreement and comply with the Security Rule’s safeguards and the breach notification requirements for PHI.
- GDPR: The General Data Protection Regulation (GDPR) is the European Union’s data protection law. It grants individuals extensive rights over their personal data, carries severe penalties for violations, and applies to any organization that processes the personal data of people in the EU when offering them services or monitoring their behavior, whether or not the organization is established in the EU.
- VCDPA: The Virginia Consumer Data Protection Act took effect on January 1, 2023. Modeled in part on the CCPA, it requires covered businesses that handle Virginia consumers’ personal data, including law firms and their third-party vendors, to adopt reasonable security practices to protect it.
These are just a few of the many breach notification and data security laws created in recent years. Review the privacy laws in your home state, and in any state where your clients live, on a continuing basis so that you can prepare for legislative changes that govern how you handle clients' information.
How Law Firms Can Safeguard Their Data Security
If you want to safeguard your firm's data, fulfill your duty to your clients, and protect the brand image you have worked so hard to cultivate, here are nine steps to support your data protection initiative:
1. Create a Data Security Policy
First and foremost, you need a comprehensive but easy-to-understand data security policy. When creating your policy, make sure it addresses key data security topics such as document management, access control, and how employees are allowed to share or relay information.
Additionally, develop a plan for educating team members on best practices. Most importantly, enforce your policy. This means verifying that team members actually use the firm's secure messaging tools, have multi-factor authentication turned on, and so on.
2. Regularly Check and Update Permissions
One of the best ways to keep your data secure is to review and update permissions regularly. Permissions in your legal technology govern who can access which files and matters. Reviewing them lets you verify that everyone has only the access their role requires (the principle of least privilege).
During these reviews, you can also confirm that former employees and departed contractors no longer have accounts or access to your information systems or client files, and that no shared or generic logins have crept in.
While regularly checking and updating permissions may seem like an obvious security measure, it is also an oft-overlooked one.
3. Maintain an Audit Trail of Data Access
Maintaining audit trails of data access is a key part of regulatory compliance. If your firm is audited by a government agency or regulatory entity, the auditors will want to see detailed records of what data was accessed or changed, when, and by whom.
More importantly, audit trails drive your incident response should a breach occur. You can use them to trace an incident back to its source, establish which clients' matters were touched (which is what your notification duty turns on), and contain the damage. For this to work, the logs must be stored where an intruder cannot edit or delete them (for example, forwarded to a separate logging service) and retained long enough to cover the months that often pass between compromise and discovery.
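Steps 2 and 3 become concrete when the permission review and the audit trail are checked against each other. The Python script below is an added example, not Smokeball code: it reads a constructed access log in a simple key=value format and a constructed staff roster (the log layout, the field names and the `ROSTER`/`AUDIT_LOG` data are assumptions; real systems export CSV or JSON with equivalent fields), flags access by departed staff, access to matters a person is not assigned to, and accounts that are not on the roster at all, and gives the incident-response view of everyone who touched a given matter.

```python
"""Review a file-access audit trail against the staff roster.

Added example, not Smokeball code. The log format and roster fields are
assumptions; adapt parse() to whatever your document or practice-management
system exports, and keep the review logic.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed roster: who is (or was) employed and which matters they work on.
ROSTER = {
    "asmith": {"left": None,              "matters": {"M-1042", "M-1077"}},
    "bjones": {"left": date(2023, 3, 31), "matters": {"M-1042"}},   # departed paralegal
    "cwong":  {"left": None,              "matters": {"M-2001"}},
}

# Constructed audit lines. Field names are assumptions; the information
# (who, when, what action, which matter, which file) is what any system logs.
AUDIT_LOG = """\
2023-05-02T14:03:11Z user=asmith action=view matter=M-1042 file=complaint.pdf
2023-05-02T14:10:45Z user=bjones action=download matter=M-1042 file=settlement-draft.docx
2023-05-03T09:22:07Z user=cwong action=download matter=M-1077 file=medical-records.pdf
2023-05-03T09:25:30Z user=asmith action=edit matter=M-1077 file=discovery-index.xlsx
2023-05-03T11:40:00Z user=svc_backup action=download matter=M-2001 file=trust-ledger.csv
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"matter=(?P<matter>\S+) file=(?P<file>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str     # "departed", "unassigned" or "unknown-account"
    user: str
    matter: str
    when: str


def parse(line: str) -> Optional[dict]:
    """Return the fields of one audit line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review(log_text: str, roster: dict) -> list[Finding]:
    """Cross-check every access against the roster (step 2 meets step 3)."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # in a real review, count and inspect unparsable lines too
        when = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).date()
        person = roster.get(ev["user"])
        if person is None:
            # An account the roster does not know about: service account,
            # forgotten test login, or an attacker-created user.
            findings.append(Finding("unknown-account", ev["user"], ev["matter"], ev["ts"]))
            continue
        if person["left"] is not None and when > person["left"]:
            # Access after the departure date: offboarding missed this account.
            findings.append(Finding("departed", ev["user"], ev["matter"], ev["ts"]))
        if ev["matter"] not in person["matters"]:
            # Access outside the person's assigned matters: least privilege violated.
            findings.append(Finding("unassigned", ev["user"], ev["matter"], ev["ts"]))
    return findings


def who_touched(log_text: str, matter: str) -> list[tuple[str, str, str]]:
    """Incident-response view: every (timestamp, user, action) on one matter,
    which is the list you need when deciding whom to notify."""
    return [(ev["ts"], ev["user"], ev["action"])
            for ev in map(parse, log_text.splitlines())
            if ev and ev["matter"] == matter]


if __name__ == "__main__":
    for f in review(AUDIT_LOG, ROSTER):
        print(f"{f.kind:16} {f.user:12} {f.matter}  at {f.when}")
    print("M-1042 history:", who_touched(AUDIT_LOG, "M-1042"))
```

Run against the constructed data, the review reports the departed paralegal still downloading from M-1042, an attorney pulling medical records from a matter she is not assigned to, and a service account that nobody on the roster owns. The same three checks, scheduled monthly against a real export, are the substance of a permissions review.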
4. Enforce Strong Passwords
Do most of the employees at your law firm use easy-to-guess passwords like "123456" or their birthday? If so, they are exposing your firm to some serious unnecessary risk.
The good news is that this is a relatively simple problem to solve. Implement password requirements that reject weak credentials, and focus them on what actually works: a minimum length (NIST SP 800-63B requires at least 8 characters, and longer passphrases are better), a check against lists of common and breached passwords, and rejection of passwords that contain the user's name or other easily guessed personal details such as a birthday. Forced complexity rules and scheduled password rotation are no longer recommended, because they push people toward predictable patterns. Pair the requirement with a password manager so staff can use a unique, long password for every service.
Some leading legal industry solutions, like Smokeball, have built-in password tools that make enforcing your strong password policies even easier.
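As an added illustration, not Smokeball's built-in password tooling, here is the kind of acceptance check NIST SP 800-63B describes, in Python. The minimum length of 12, the six-entry `COMMON_PASSWORDS` list, the `check_password` name and the sample passwords are assumptions; in production the list would be a full breached-password corpus such as a local copy of the Have I Been Pwned data, checked the same way.

```python
"""Password acceptance check in the style NIST SP 800-63B recommends.

Added example, not Smokeball code. It returns the reasons a password is
rejected rather than a bare yes/no, so the login page can tell the user
what to fix. Length and blocklist contents are assumptions.
"""
import re
import unicodedata

MIN_LENGTH = 12  # assumption; 800-63B requires at least 8, longer is better

# Constructed stand-in for a breached/common password list. The real list
# has hundreds of millions of entries; the check is the same.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "iloveyou"}

# Four-digit years or dd/mm, dd.mm, dd-mm style fragments: the usual way a
# birthday ends up inside a password. Deliberately conservative.
DATE_LIKE = re.compile(r"(19|20)\d{2}|\d{2}[/.-]\d{2}")


def check_password(candidate: str, username: str,
                   known_facts: tuple[str, ...] = ()) -> list[str]:
    """Return the list of reasons to reject `candidate`; empty means accept.

    `known_facts` are strings the firm already knows about the user (birth
    year, surname, bar number) that must not appear in the password.
    """
    pw = unicodedata.normalize("NFKC", candidate)  # 800-63B: normalize first
    low = pw.lower()
    reasons = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Compare both the raw password and the password with trailing digits and
    # '!' stripped, so 'Welcome1!' is caught by the 'welcome' entry.
    if low in COMMON_PASSWORDS or low.rstrip("0123456789!") in COMMON_PASSWORDS:
        reasons.append("appears on the common/breached password list")

    if username and username.lower() in low:
        reasons.append("contains the username")

    for fact in known_facts:
        if fact and fact.lower() in low:
            reasons.append(f"contains a known personal detail ({fact})")

    if DATE_LIKE.search(pw):
        reasons.append("looks like it contains a date")

    if len(set(low)) <= 2:  # 'aaaaaaaaaaaa', 'abababababab'
        reasons.append("too few distinct characters")

    # Note what is *not* here: no 'one uppercase, one symbol' composition
    # rule. 800-63B dropped those because they do not add real strength.
    return reasons


if __name__ == "__main__":
    for pw in ("123456", "Welcome1!", "Jdoe1984!abcd", "orbit-walrus-lantern-fog"):
        print(f"{pw!r}: {check_password(pw, 'jdoe', ('1984',)) or 'accepted'}")
```

The last sample, a four-word passphrase, passes without containing a single digit or symbol, while "Jdoe1984!abcd" satisfies every classic complexity rule and is rejected three times over. That is the point of the NIST approach.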
5. Use Multi-Factor Authentication
Multi-factor authentication requires your staff to present two or more different kinds of evidence to sign in: something they know (a password) plus something they have (a phone or hardware security key) or something they are (a fingerprint). For instance, after entering a password they may have to enter a one-time code from an authenticator app or approve a prompt on their phone.
Two-factor authentication is the most common form, and any second factor is far better than none. But not all factors are equal: codes sent by SMS or email can be intercepted or phished in real time, authenticator-app codes are better, and FIDO2/WebAuthn hardware keys or platform passkeys are phishing-resistant. For files containing trade secrets, intellectual property, or other especially sensitive material, the priority is to require the stronger factor rather than simply to add more of them, and to enforce MFA on every account that can reach the data, administrators and email included.
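To show what verifying that one-time code actually involves, here is an added Python example of TOTP (RFC 6238), the scheme authenticator apps use; it is not Smokeball's or Auth0's code. It reproduces the RFC's published SHA-1 test vectors and, in `verify`, applies the two rules a verifier needs: a tolerance window of one 30-second step either side for clock drift, and refusal to accept a counter value at or below the last one already accepted, so a code captured from a user cannot be replayed. `STEP` and `DIGITS` are the RFC defaults; the `last_used_counter` parameter is an assumption about how the server keeps per-user state.

```python
"""TOTP (RFC 6238) generation and verification with a drift window and
replay protection. Added example; not Smokeball's or Auth0's code."""
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code (RFC 6238 default)
DIGITS = 6   # what authenticator apps show by default

# The shared secret from RFC 6238 Appendix B, used there to publish known
# expected codes. Real secrets are random bytes stored per user.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then the
    'dynamic truncation' that picks 31 bits and reduces them mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1,
           last_used_counter: int = -1) -> tuple[bool, int]:
    """Check a submitted code.

    Accepts the code for the current step or up to `window` steps either
    side (phone clocks drift), but never a counter at or below the last one
    accepted for this user, which blocks replay of an intercepted code.
    Returns (accepted, counter_to_store).
    """
    now = unix_time // STEP
    for counter in range(now - window, now + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, len(submitted)), submitted):
            return True, counter          # caller persists this as last_used
    return False, last_used_counter


if __name__ == "__main__":
    # Expected values from RFC 6238 Appendix B (8-digit codes, SHA-1).
    for t, expected in ((59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")):
        print(t, totp(RFC_TEST_SECRET, t, digits=8), "expected", expected)
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    ok, used = verify(RFC_TEST_SECRET, code, now)
    print("first use:", ok, "replay:", verify(RFC_TEST_SECRET, code, now, last_used_counter=used)[0])
```

Two details matter in practice. The comparison is constant-time (`hmac.compare_digest`), because a code is checked against a server-side secret and timing leaks add up over many attempts; and the window is small and one-directional against replay, because a generous window is exactly what a phishing proxy relies on to use a code the victim just typed into a fake page. Rate-limiting attempts per account is still required on top of this; six digits is only a million guesses.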
6. Stay Up-to-Date with Government Regulations
Federal privacy laws can be changed at just about any time. With that in mind, it is important that you stay up-to-date with the latest federal requirements that govern your practice areas. This can be tricky, as you must also be mindful of state requirements, such as the aforementioned privacy and data security laws.
Periodically review government regulations and conduct an audit of your security practices. Doing so is a great way to verify compliance and prevent your firm from incurring unexpected penalties.
7. Create a Data Breach Response Plan
A data breach response plan should set out, before anything happens, how you will contain an incident, determine what was exposed, restore service, and meet your notification obligations to clients and regulators. The ideal plan will include several layers of response, including:
- Assessment of scope
Creating a detailed plan will help you mitigate the business impacts of a data breach and protect confidential client data.
8. Update Your Software Regularly
Out-of-date software is a hacker's dream. Legacy systems that haven't been updated in a while are likely to contain publicly known vulnerabilities for which exploit code already circulates, letting attackers walk past your defenses and take your firm's data.
To ensure your software is always up-to-date, consider sunsetting your legacy solutions and replacing them with modern, cloud-based legal technology, and put whatever remains on-premises (including staff laptops and browsers) on automatic updates.
Developers of cloud-based tech release security fixes continuously, and those fixes reach every customer at once, so there is no forgotten server left unpatched. These updates also improve software performance, so you derive better value from your technology investment.
9. Educate Your Clients
Clients can still leave your firm vulnerable to cyberattacks despite your best efforts. Therefore, it is vital that you educate your clients on the latest trends and digital threats facing the legal industry.
Notifying your clients about phishing attempts, ransomware, and other looming cyber threats can keep them from falling victim to hackers' deceptive attempts to steal their data.
While clients can be a cyber security vulnerability, they can also be a valuable asset as you strive to safeguard their data.
Smokeball's Data Security Capabilities
Smokeball takes data security seriously. We’re a cloud-based solution hosted on Amazon Web Services (AWS). AWS secures the underlying data centers, hardware and network; under the shared-responsibility model, Smokeball is responsible for how the platform is configured, encrypted and accessed on top of that infrastructure. Many of the world’s leading companies, including Capital One, JPMorgan Chase & Co. and General Electric, also run on AWS, so we’re far from alone in this.
Within the Smokeball platform itself, Communicate — our secure messaging and file-sharing platform — keeps client communication away from prying eyes. Communicate leverages the latest data security innovations, including two-factor authentication, full data encryption and Auth0 technology.
Our dedicated information security team is continuously improving our security through a range of controls, including:
- Local + network firewalls
- Web application firewalls
- Intrusion detection systems (IDS)
- Multi-vendor anti-virus
- DDoS throttling services
- Access control lists
- Security patch management
- Identity + access management
- Centralized log management
- Symmetric + asymmetric encryption systems
- Separation of duties
- Vulnerability assessment
- Anomaly detection
- Remote monitoring + alerting
To learn more about Smokeball’s approach to law firm data security, review our regularly updated security policy.
In the next installment of this five-part legal industry trends series, we’ll analyze hybrid working.
Law Firm Data Security: Final Thoughts
Smokeball's cloud-based solution leverages Amazon Web Services to protect your data and that of your clients.
We provide robust internal messaging and file-sharing tools, such as Smokeball Communicate, so that you can keep client communication away from prying eyes and fulfill your ethical obligations to those who put their trust in your firm.
Don't compromise when it comes to data security. Partner with Smokeball and let us help you elevate your cyber security stance.