Long ago, it was up to the IT department to protect a company’s data from cyber thieves and internal security breaches. Today, effective cyber security has to be a group effort that involves not only the technical aspect of protecting data, but a rigorous process of risk management employed by everyone on the team from the ground up. Sensitive data is regularly accessed by people on the team, and even the simple act of accessing data is risking that data being captured by unauthorized persons.
Why law firms are a target for hackers
Shady organizations and individuals are always looking for sensitive information on corporate mergers, patent and trade secrets, litigation plans, and other information they can use for their own purposes. Whether it’s to get ahead of the competition or get information to take down someone they consider an enemy, they’re going to do anything they can to get it – a law firm is the first logical place they’ll look.
Hackers don’t just attack high profile firms, though. All law firms, especially those handling personal injury cases, are potential targets for hackers. These hackers don’t just steal data – sometimes they destroy it. Or, they use ransomware to encrypt and hold it for ransom.
In particular, law firms that collect and store data for medical malpractice and wrongful death suits, which can settle for millions of dollars, need to maintain data security. This way, there’s no possibility that the other side can employ unsavory tactics to get information to exploit or destroy the case.
Enterprise level cyber security is vital for law firms
Enterprise level cyber security means involving everyone in the security process, regardless of whether they’re part of the IT team or not. The IT team can only do so much to protect the data as it sits on various hard drives, and it’s up to the people who access and manipulate that data to protect it on other levels.
Recall the 2013 data breach suffered by Target where 42 million people had their credit card information stolen and 61 million people had their personal information stolen. The subsequent class action lawsuit was settled for $10 million and each hacking victim was awarded up to $10,000. This security breach wasn’t small by any means, but the personal data stolen was limited to names, email addresses, phone numbers, and credit cards that could easily be canceled and reissued.
While the incident with Target was a great example of how far-reaching the damage of a data breach can be, there are far more serious consequences that can come from a data breach with a law firm. The personal information that can be accessed by hacking a law firm’s data could literally destroy someone (or a company).
No client wants to hear that their data has been hacked, but it happens all too frequently. In January of 2015, hackers attacked the law firm of Ziprick and Cramer with a Cryptolocker, which is a type of ransomware that encrypted their files, making them unreadable to the law firm. The hackers demanded money in order to restore the data.
The firm had to inform all of their clients that their data had been compromised, and although they were transparent about what happened, their clients weren’t happy. They did, however, sympathize with the situation.
Since 2009, the FBI and the Secret Service have been warning large law firms that their computers are targets for both cyber spies and thieves from other countries as well as inside the U.S.
Start securing your data immediately
If you’re looking for a way to start securing your law firm’s data, here’s an excellent guide on security for law firms. Some of these tips include:
- Set the tone from the top down and issue policies that determine how to handle the privacy and security of the data. This includes limiting remote access and accessing firm data while on public or unsecured Wi-Fi.
- Assign ownership of areas of risk so that client data is compartmentalized and highly sensitive data that carries the highest risk is only accessed by certain people through certain devices.
- Regularly conduct third party vulnerability scans and tests to uncover malware and any potential attacks.
- Review software code for web applications to uncover potential vulnerabilities.
Although cyber security will never be an absolute guarantee, it’s vital to stay on top of the aspects that can be controlled and monitored by your whole team. Think of maintaining data security as part of protecting client-attorney privilege. The more you can protect your client’s data, the better. It’s more important than ever to start the process now before it’s too late.