
The FBI has issued multiple warnings that law firms are being targeted by hackers.

Penalties can include the loss of clients, negative publicity, and sanctions. Costs can exceed $1 million for notification, credit monitoring, fines, computer forensics, legal representation, and corrective action programs. Multiple federal and state agencies can penalize you for a single data breach. Clients can sue for malpractice if you lose their data.

Lesson 1: Your Data is Valuable to Bad People

Law firms store lots of valuable data, in many forms. It doesn’t matter if you specialize in family, corporate, real estate, or criminal law. You have something someone else wants: financial information, health records, strategic information, and secrets that your clients’ competition would love to see. Your data may be protected not just by attorney-client confidentiality, but also by federal and state laws.

Lesson 2: You Must Protect Data for Ethical & Legal Reasons

Cybersecurity is not optional. You have an ethical responsibility to maintain confidentiality, and a legal responsibility to secure legally protected information.

The State Bar of Arizona requires:

  • “competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence”
  • “competent and reasonable measures to assure that the client’s electronic information is not lost or destroyed.”
  • “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.” State Bar of Arizona, Opinion No. 05-04 (July 2005)

Lesson 3: You Need to Implement Technical, Physical, and Administrative Security Safeguards

Effective cybersecurity requires a belts-and-suspenders approach.

Your staff must know what to do, how to do it, and what will happen (discipline, termination, or criminal prosecution) if they break the rules.

Buying security tools without training everyone on your staff to use them properly is a waste of money. Telling everyone what they should do without conducting internal audits to validate compliance is meaningless. Invest in security, make sure everyone knows how to use it, and verify that they actually do.

Lesson 4: Bad Things Come From Data Breaches

Once data is breached, a lot of bad things will happen. The same data can be protected by federal and state laws, requiring reporting to federal agencies, the state attorney general, and the Bar. Your clients will have to be notified, and the breach will be public information in the media and with regulatory agencies. Additionally, there have been several successful data breach lawsuits demonstrating how a firm fell below the reasonable standard of care in protecting data.

Lesson 5: Security is a Specialty, Like the Law, Medicine, and Accounting

You need specialized skills and tools to manage your security. Security tools must be properly configured and continually monitored to ensure they are working properly and have had their definitions and patches updated. Logs must be kept so that, after a device has been lost or stolen, you can prove that its data was encrypted.

A good way to make sure you have the proper security in place is to have an independent security audit. This can help you understand where your data is, how it moves within, and in and out of, your firm, and what vulnerabilities you have.

The State Bar of Arizona recognizes that attorneys may need help with cybersecurity:

“It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field… As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information.” State Bar of Arizona, Opinion No. 09-04 (December 2009)

Cybersecurity isn’t optional. You owe it to your clients.