Last year, 14% of law firms experienced a security breach in the form of a lost or stolen computer or smartphone, a hacker, a break-in or a website exploit, according to the most recent ABA Legal Technology Survey Report. Earlier this year, China’s military was linked to a hacking ring that stole large amounts of information from about 141 U.S. and foreign entities, including four law firms. Law firms are definitely in the crosshairs of cyber thieves, and the costs can be staggering. The Ponemon Institute’s 2014 Cost of Data Breach Study found that the average cost incurred to resolve a single successful attack totals $5.9 million.
The American Bar Association recognizes the seriousness of this risk. Its recently published The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals is a tool to help readers understand, plan for and respond to a cyber breach. It describes exposures particular to law firms and offers practical guidance on developing protocols to mitigate risk. (Disclaimer: I am a contributing author to this book.)
Lawyers clearly have an obligation, both legally and ethically, to protect data. Loss of client data can threaten the vital fiduciary relationship between law firms and their clients. Moreover, loss of a law firm’s client data introduces an entirely new realm of exposures beyond malpractice, including the expenses the firm will have to bear in order to ascertain what happened, what data was compromised and how to rectify the situation. For instance, the firm may incur business interruption costs if its system has been brought down by a hacker and the firm can’t run conflict checks or generate proper billing times; these are expenses not contemplated in a professional liability or general liability policy.
One of the most common causes of a data breach is a seemingly innocuous scenario: the loss or theft of a legal professional’s property, such as a smartphone, tablet or laptop. These mobile devices are immensely valuable tools – but in the wrong hands, they can create a cyber nightmare for a law firm.
It’s critical that law firms develop information security protocols and incident response plans so that in an emergency all necessary steps are documented and contacts have been identified in advance and are ready if called. Below are some tips to help guard legal professionals against data theft due to lost or stolen devices:
• Never leave electronic devices inside a car. While this may seem like basic advice, laptops, tablets and smartphones can easily be stolen from locked (and unlocked) vehicles. Take the items with you. If you must leave them behind, lock them in the trunk; don’t leave them on the back seat.
• Pay attention at airport security lanes. Try to wait for any backlog to clear at the end of the conveyor belt where people gather to collect their belongings. If the security lines are long—and most are these days—place your electronic devices together in one bin so you can monitor them carefully.
• Don’t leave unattended items in a hotel room. Smaller laptops may fit inside in-room safes, or the front desk staff can store computers or devices in the hotel safe.
• Public working areas such as coffee shops or airports can also be promising venues for thieves. If you must leave your laptop, attach it with a cable lock to something strong, such as a table leg or a radiator.
• Password protect your device and encrypt the data. Should your device be lost or stolen, it will be much more difficult for someone with malicious intent to access clients’ (and clients’ clients’) data.