With more legal professionals working remotely than ever before, firms need to be aware of the various risks and security threats that can cause complications with ethical compliance. Criminals and hackers are often out to pilfer data involving intellectual property, personally identifiable information, merger and acquisition details, and other confidential attorney-client-privileged data.
According to the American Bar Association (ABA) Rule 1.6: Confidentiality of Information, lawyers should “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client”.
In the 2020 Legal Technology Survey Report, the ABA found that of those who responded:
- Less than 50% use multi-factor authentication
- As many as 29% have experienced a security breach of some kind
- Only 43% of firms employ file encryption
- Only 29% of firms have engaged in intrusion prevention and detection
- Only 26% of firms use web filtering
- 36% of firms have experienced a malware infection
Security issues to consider (especially when working remotely)
Your clients trust you with highly confidential information, and you must be as thorough as possible in your plan to follow through on that promise. The transition to remote work also presents new challenges for law firms and data protection. Here are some ways to protect against cybersecurity threats when working remotely:
Implement two-factor authentication
Two-factor authentication is an additional way of validating that the person accessing your firm’s data is who they say they are. Adding this layer of security to your login processes makes even the weakest passwords and the most lax log-out practices a bit safer for every user at your firm.
Is your videoconferencing software secure?
Now that many legal teams are working remotely, videoconferencing applications like Zoom, Skype, Google Hangouts, Microsoft Teams, and Legaler are taking the place of face-to-face meetings in the conference room and even the courtroom. Whichever platform you choose to use, be sure that it supports end-to-end encryption so that strangers can’t hack into chats about confidential information or sensitive data.
Additionally, make sure you’re using the available security settings to further lock down your calls, such as waiting rooms, passwords, and requiring users to be logged in to their accounts.
Are your emails secure?
For emails connected with particularly sensitive matters, team members should use encrypted email or secure client portals. If your email system still depends on a local server, consider changing to something safe and cloud-based when employees are working remotely.
Use encrypted instant messaging
Platforms like Slack and Microsoft Teams offer cloud-based instant messaging tools that can be implemented quickly, are less disruptive than phone calls, and help keep remote team members in the loop. These tools even allow for the creation of channels devoted to specific legal matters, topics, or teams.
Back up your data
Most law firms use some type of document management system (DMS), which automatically conducts backups. But working remotely might lead to storing some documents outside the system, even temporarily. Make sure that each user understands the importance of backing these up regularly, or of using only a cloud-based DMS.
Routine data security steps for legal professionals
When working remotely, legal professionals need to take the necessary measures to stay secure. Here are some basic data security steps:
- Keep up with software updates by enabling automatic updates and using browsers that receive frequent security updates.
- Use only strong, hard-to-guess passwords and set up password managers to keep track of your unique passwords for each website.
- Always keep your devices locked, and make sure they lock immediately after they “go to sleep.”
- Create and enforce your law firm’s policy regarding where client data is kept and can be shared. A trade secret for data security is to treat all data as if it were your own.
- Only connect to secure Wi-Fi. Resist the temptation to work from a coffee shop or other space using shared Wi-Fi.
- Perform frequent backups to the cloud.
- Download applications only from the official app store and look for the company name and contact information.
- Turn off Wi-Fi and Bluetooth when not in use. Cybercriminals can use these to access your data or compromise your device.
Performing a cybersecurity self-check
Law firms with staff working remotely can perform a security risk assessment by answering the following questions:
- What are the law firm’s most critical IT assets?
- What data do we collect, and how long do we keep it?
- How do we store our data, and how do we protect it?
- What type of data breach would significantly impact our client information – malware, cyberattack, or human error?
- Who has access to the data internally and externally?
- What is the likelihood of exploitation?
- What threats could potentially impact the ability of the firm to function?
- What level of risk is the firm comfortable with taking?
Data breaches can have a devastating financial and reputational impact on a law firm. Performing this self-assessment can identify potential security threats and vulnerabilities within the law firm, allow for mitigation, and potentially prevent costly security breaches from happening.
When creating your plan for fighting against cybersecurity threats, keep in mind that it’s something that everyone in the firm needs to be actively implementing. Your plan should reflect changes in the way your firm communicates both externally and internally. Your ultimate goal should be to exceed the data security expectations of both the regulatory bodies and your clientele, current and prospective.