Is Your Data Secure?
About one in four law firms with over 100 attorneys have experienced a data breach, according to a 2015 American Bar Association survey. Looking at law firms overall, the survey results show that 15 percent of firms have had a data breach. And because law firms are entrusted with a large amount of sensitive client information, clients are increasingly taking the lead and conducting security audits of the firms that represent them.
The risk is real, yet almost half of the lawyers responding to the ABA survey said their firms had no plan for responding to a data breach. And more than half said that their firms did not have a person in charge of data security.
Ensuring your firm’s data security can be a complex endeavor. As a first step, firms must install and maintain security measures like firewalls and anti-malware and anti-virus software. But these relatively simple steps may not be enough to truly ensure data security. Unless your firm is large enough to have an IT staff experienced in data security issues, many experts recommend outsourcing security needs rather than attempting to configure a solution yourself.
Experts also recommend that law firms use encryption technology on servers, laptops, desktops and mobile devices. They advise firms to encrypt all client correspondence, and say that lawyers should refrain from using Gmail or other email programs from companies that admit to using personal information from emails.
Personal information such as Social Security numbers and credit card numbers is especially vulnerable to cyber attack because the perpetrators can use it to engage in identity theft. To guard against this, avoid collecting personal information such as Social Security numbers if it is not essential, and develop a document retention policy that destroys this type of information when it’s no longer needed.
The ABA recommends that law firms designate a chief security officer to oversee these efforts. Law firm employees should be trained on good data security procedures and on how to recognize and avoid emails that may contain security threats.
Law firms should also recognize that security threats can come from within the firm, not just from outsiders. Computers that contain personal client data should be locked down and secured with passwords that are changed frequently, since law firm personnel may also change. Educate employees in proper internet usage, and restrict access to sensitive files to only trusted people who need to see them.
And all firms should have a data breach preparedness plan that will enable them to respond quickly if a breach does occur. This may help limit the size of the breach and minimize the harm to employees and clients, as well as any negative publicity.
Finally, consider purchasing cyber liability and data security insurance. These policies cover the costs of a data breach when personal information such as Social Security numbers and credit card numbers is stolen. They may cover such things as credit monitoring, notification costs, claims by state regulators, and losses resulting from the identity theft.