Earlier this year, a Russian hacker, using the name “Oleras”, extracted the confidential details of clients from 50 law firms that had been targeted throughout the United States. The hacker’s plans were to discern which companies were to be merged in the future, then use this information to conduct insider trading. The same hacker also singled out eight lawyers for phishing attacks. Pretending to be an assistant at a trade journal, the hacker emailed each lawyer under the pretense of conducting research for an upcoming article featuring excellence in M&A. This is just one of a number of instances of hackers targeting law firms.
Law firms are becoming increasingly conscious of potential security breaches by criminal hackers who seek to gain financially by stealing sensitive client information. Firms are an attractive target because of the large repository of confidential information they hold. Providing a strong defense against these cyber-criminals is now considered a requisite duty for law firms large and small. When hiring cybersecurity vendors to safeguard client information — a necessity for law firms with insufficient cybersecurity staff — firms must conduct due diligence to prevent opening themselves up to liability.
A successful cyber attack can lead not only to significant revenue loss, including the cost of resulting malpractice suits, but also to loss of reputation and business. The average cost of a data breach per organization is now at an all-time high of $7.01 million. Such an amount is troublesome for larger firms, but could spell bankruptcy for many smaller law practices.
The costs incurred after a security breach can include the following:
Many firms have discovered that their professional liability insurance, general liability insurance, and property insurance do not cover all of the costs caused by cyber-attacks.
Attorneys have a common law duty to protect their clients’ confidential information. The Rules of Professional Conduct, together with federal and state laws, also impose on attorneys the duty to protect client data. Additionally, most states have enacted laws requiring notification of individuals whose personal information has been accessed by an unauthorized person as a result of a data breach.
Law firms exist and thrive on a foundation of trust that they have built with their clients. They must maintain this trust or risk losing those relationships. Clients entrust confidential information to law firms and expect firms to take proper and adequate steps to safeguard it. News of a security breach at a law firm will cause current and potential clients to lose confidence in the breached firm.
Law firms must be proactive in protecting the vast amounts of client data they hold and are entrusted to safeguard. The Federal Trade Commission (FTC), Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) have all published helpful tips that law firms can take into consideration when reviewing their cybersecurity processes.
To help mitigate risk of security breaches, law firms may wish to:
One important step firms can take to protect themselves against a data breach is to engage outside security partners. Firms must practice due diligence when engaging a cybersecurity firm; otherwise, they may become liable in the event of a future security breach. Trying to save money by employing less expensive — and probably less experienced — consultants and managed security service providers (MSSPs) could cost law firms greatly in the long run.
Due diligence requires formulating a thorough discovery process for potential consultants or providers. There are a number of questions a firm should pose to potential security vendors prior to engaging their services. These include:
In cybersecurity as in law, reputation is everything. Checking references provided by the consulting firms is essential. Be sure to ask direct questions of these references, as your objective is to determine which consultants will be best suited for a long-term relationship with your law firm.
By training employees, creating cybersecurity plans and conducting due diligence prior to hiring cybersecurity vendors, law firms can take a giant leap towards protecting the sensitive data of their clients and preserving their trustworthy reputation.
To learn more about how CT can help you with your due diligence requirements, contact your CT representative or call 844-409-1386 (toll-free U.S.).