25% of Law Firms Have Been Breached, Only 36% of Firms Have an Incident Response Plan
The Bencher—July/August 2022
By Sharon D. Nelson, Esquire, and John W. Simek
Law Firms Are Not Moving Quickly Enough to Secure Their Data
You just can’t quarrel with the data, which comes from the American Bar Association’s 2021 Legal Technology Survey Report. The true number of breached firms is likely significantly higher. Very often lawyers whose firms have suffered a breach, especially in large firms, are unaware of the breach unless it becomes public.
For more than 25 years we have been asking ourselves why more law firms don’t have an incident response plan (IRP). We regularly ask law firm partners why they don’t have an IRP. The most common answers are:
- “We’re too small to be a target.” (untrue)
- “Developing an IRP takes too much time and money.” (Do these folks have any idea how much a data breach will likely cost in time, money, and reputational damage?)
The Grim Reality of Today’s World
Educating lawyers about how vulnerable they are is a long process. In April 2022, Law.com posted an article precisely on this topic. As the article points out, cybercriminals don’t care much about a law firm’s size—they are more interested in the clients the law firm represents and the likelihood that smaller firms are easier to breach.
In today’s world, most law firms, even the small ones, have cybersecurity insurance. Most folks are amazed to hear that insurance companies are a prime target for attackers. If they get into the networks of insurance companies, they not only know who they insure, but how much insurance they have. That makes it much simpler, for instance, to know how to price a ransom demand.
Practical Steps to Take to Protect Your Firm
First, enable multifactor authentication anywhere you can. It is generally free and will prevent more than 90% of account takeovers. Have adequate security in place to protect your data—if you hire a small cybersecurity firm whose employees have strong certifications in cybersecurity to do a security assessment, you will have a smaller price tag than if you engage one of the big players.
Generally, the smaller cybersecurity firms will give you a flat fee price, and they can often do the assessment remotely, which cuts back on the price, working hand-in-hand with your IT people (or person!). As part of the fee, they usually provide a report detailing critical vulnerabilities that exist—these are your first problems to fix, and the company will likely provide an estimate/proposal—and then describe lesser vulnerabilities that you may have time to budget and plan for. This is money well spent. We do a lot of law firm security assessments, and only once did we find a firm with no critical vulnerabilities. Understand that an assessment is only a point in time. Vulnerabilities are constantly being discovered, which means you need to reassess periodically.
So What Does an Incident Plan Do for You?
Benjamin Franklin once said, “If you fail to plan, you plan to fail.” Truer words were never spoken. On a regular basis, we are called by panic-stricken lawyers because their networks were compromised. Why are they panic-stricken? Because they don’t have a plan. We call this the “headless chicken response.” It is neither pretty, nor effective.
Here are key elements of the IRP:
- Who will manage the breach? Someone with a calm demeanor is preferred.
- Who will you call first? Our answer is your data breach lawyer, who knows volumes about data breaches that you don’t and can guide you wisely.
- Who do you report the breach to? This answer has changed from calling the regional FBI office to contacting the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security. CISA can be reached to report anomalous cyberactivity and/or cyber incidents 24/7 at firstname.lastname@example.org or (888) 282-0870.
- Identify a digital forensics company that you can call to investigate and remediate the problems.
- Notify your cyberinsurance company (have a paper copy of that policy and the state data breach notification laws and state privacy laws that you are subject to). Remember that you must also file a claim.
- Call your bank to place it on alert in case a suspicious transaction should arise.
There is much more to do, but if you roll up your sleeves and get to work, this will be a good start!
Sharon D. Nelson, Esquire, is a practicing attorney and the president of Sensei Enterprises Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the American Bar Association. She can be reached at email@example.com.
John W. Simek is vice president of Sensei Enterprises Inc. He is a certified information systems security professional, certified ethical hacker, and a nationally known expert in the area of digital forensics. He and Nelson provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia, firm. He can be reached at firstname.lastname@example.org.