Cybersecurity for Law Firms

by Stephanie Gomez | June 2019

Privacy Rights Clearinghouse reports that between 2005 and today, there have been 8,804 reported data breaches exposing over 11 billion records. This number is on the rise. We are approaching a world where every law firm either has been hacked or will be in the future. We must “get with the times” and adapt.

Because clients entrust their lawyers with highly confidential and sensitive data, lawyers are often targets for hackers. In today’s fast-paced world, with access to our e-mails at our fingertips, e-mails are often the weakest link for law firms.

Attorneys should be aware of the different types of hacking tools often employed against law firms, including phishing e-mails. Phishing is when a hacker uses fraudulent e-mails to lure you into sharing valuable personal information, such as account numbers, social security numbers or login IDs and passwords. Phishing e-mails almost always tell you to click on a link. Things to look for in a phishing e-mail include a generic greeting, a forged link, requests for personal information and a sense of urgency.

Hackers also use pretext e-mails, which is when the hacker uses the e-mail address of another and pretends to be that person. For example, oftentimes the treasurer of an organization receives an e-mail from what looks to be the president, asking that funds be transferred to a certain account. When I was treasurer of the Federal Bar Association International Law Section, I would often receive such e-mails, and when I did, I would immediately call the president directly to inquire about the e-mail. Another trick is to place your cursor on an e-mail address to see the true e-mail address sending the e-mail. Never blindly follow instructions from an e-mail that looks even slightly suspicious.

The ABA and Florida Bar rules now require attorneys to be diligent in taking precautionary measures. ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Similarly, the Florida Bar requires competent representation, which may include the retention of a non-lawyer advisor of established technological competence. See Comment to Fla. Bar R. of Prof. Conduct 4-1.1.

So what should law firms and attorneys do to lower their risk profile? Here are some general policies that can help:

  • Increase and improve employee training – law firm staff should be trained on the firm’s policies and procedures on preventing cyber-attacks;
  • Implement data backup and disaster avoidance measures;
  • Install an active anti-virus agent on all endpoints, including workstations and servers;
  • Keep backups disconnected from the network and the internet;
  • Update software, especially when it is no longer supported; and
  • Change passwords regularly.