Cybersecurity for law firms is generally improving. According to the American Bar Association (ABA) 2022 Techreport on Cybersecurity, 89% of law firms now have one or more policies governing technology use, and 46% say they have cyber liability insurance.
Data breaches, however, remain an ongoing challenge. Consider that 27% of firms said they experienced a breach in 2022, and 25% said they didn’t know if their systems had been compromised. According to the Oregon Department of Justice breach list, multiple law firms were compromised in the last two years, some as recently as January 2023.
These breaches often stem from the rapid shift to digital services as law firms looked to streamline processes and improve client services. Navigating this new risk reality requires both awareness of new threat vectors and targeted action to address emerging issues.
Not sure where new technology poses new risks? We’ve got you covered with a look at some of the top industry challenges.
Wondering how to get started with an effective security program? Aldrich Advisors can help you set up a program that meets the best practices outlined in the ABA’s Cybersecurity Handbook.
Emerging Challenges in Cybersecurity for Law Firms
The shift to digital and virtual services represents law firms’ most significant security shift. The ABA highlights the importance of data protection in its Formal Opinion 498, which states, “at all times, but especially when practicing virtually, lawyers must fully consider and implement reasonable measures to safeguard confidential information and take reasonable precautions when transmitting such information.”
But what does this mean in practice? For many firms, new risks arise where people and devices interact. Top challenges include:
Connected devices such as smart speakers have become commonplace in homes and offices. And while these devices offer convenience, they also come with risks. New research found that even when users aren’t directly interacting with smart speakers, the devices may still be recording conversations to help better understand user needs.
For lawyers, smart speakers pose a significant risk during virtual and physical consultations and should always be muted or unplugged.
As noted in the ABA 2022 Techreport on Cloud Computing, 70% of respondents said they used web-based software or services, but just 27% evaluated vendor companies before using these tools, and only 8% negotiated confidentiality agreements with providers.
The result is a significant risk if cloud services collect, store, or use client data without clients’ express permission or if these vendors suffer a data breach.
Clients themselves are also a concern. For example, if clients record virtual meetings or have smart speakers in their homes that are potentially capturing data, firms may run afoul of regulatory expectations that require due diligence in the protection of digital data.
This creates a situation where lawyers and clients must be mindful of risks related to smart devices—even if they’re simply sitting in the background.
Building an Effective Cybersecurity Risk Program
Risk programs provide a single source of truth for security practices. They rely on administrative policies, technical controls, and physical safeguards.
Administrative policies refer to company-wide expectations around how staff interacts with data, from collection to use to storage. Technical controls may be software tools or applications that verify user information and detect potential threats. Physical safeguards include on-site devices such as locks or cameras.
Comprehensive programs provide a way to address security challenges at scale and create specific policies around client interactions, cloud adoption, and connected device usage. Consistency is critical regardless of firms’ route to build these programs—in-house or with the support of managed security service providers (MSSPs).
Three components are key to effective program creation:
Before firms can build programs, they need to identify potential vulnerabilities and prioritize which risks to reduce first. Put simply, complete protection is impossible given the increasing scope of digital attack surfaces. Instead, firms need to target their biggest risks.
Implementation includes clear communication about the rollout of new programs and cybersecurity awareness training to help staff get up to speed.
Security programs aren’t static. As a result, firms need to regularly evaluate program efficacy and make adjustments as needed.
Enhance Your Firm’s Cybersecurity with Aldrich
Ultimately, new technologies create new challenges for law firms. By combining awareness of potential compromise paths with targeted action, organizations can build better security programs to reduce total risk. If you have questions about how to improve your firm’s cybersecurity, let’s talk.
Get the ABA Cybersecurity Handbook here.