I spoke of heightened needs to protect your smart phones, tablets or laptops from loss, due to fines and penalties for loss of clients' privacy data. I am not talking about unhappy clients but regulatory penalties. Lawyers are easy targets for professional hackers, and I do not mean the goofy teenager down the street or the unhappy ex-employee. Foreign hackers, some even legitimately alleged to be Chinese Army hackers, are known as advanced persistent threats and are regularly after your client’s business data. Really, I am not overstating. Organized crime, foreign government-backed groups, or political hacktivists choose the easy way to get information on businesses and individuals: through their lawyers, a much easier quarry. Think: high-value information, well organized, but with weak security, and you have the routine law office. As the Twitter joke goes: @ChineseArmy is now following you (everywhere).
In 2011, the ABA Survey indicated 21% of large firms reported a security breach and 15% of all firms (including small firms) reported a breach. The 2012 Corporate Compliance Group reported that 60% of companies generally had breaches. Let me grab your attention: The Ponemon Institute cost of data breach survey found that the average time to resolve a cyber-attack is 18 days and the median cost was $5.9 million.
"Well, that applies to the big boys and not us." What if your client is doing business in some area where others could gain an advantage? How hard would it be for someone to get their contracts out of your firm? A computer security expert from the Federal Bureau of Investigation pulled no punches at LegalTech New York recently. Said Mary Galligan, FBI Special Agent in charge of cyber and special operations: "We have hundreds of law firms that we see increasingly being targeted by hackers. The FBI puts great importance on this issue." She added: "The more mobility you have, the more documents you're sending through the internet, the more likely you are to be the victim of a cyber attack, and that's what we're seeing at law firms... The cyber threat is too big for any of us to fight alone."
It appears most professional liability policies are silent on covering such risks and damages. If couched (much later) as a malpractice claim, then perhaps you will be covered, but most of us have big deductibles. Other than business interruption coverage under a comprehensive general liability policy, coverage for such risks is not clear. So, firms are entering the wild west of insurance coverage, dealing with something called cyber coverage. As this is a newer line, care is needed to make sure the exclusions do not swallow the coverage, so that you get the protection you need.
So, I am promoting a healthy level of paranoia in your firm. We need to be able to practice law using the technology clients now expect. Today that is wherever you are. We on the loss prevention side of the practice recommend a good balance between seamless knowledge access and the very real risk of internal information loss.
Encrypt firm data stored on your laptops and thumb drives. Employ mobile device management on phones and devices that are not, or cannot be, encrypted. Use the existing tested methods of strong passwords, firewalls, and updated security patches, and limit access to high-value data to those who need to know. One practical way is to limit access to documents by practice area. Intrusion detection and oversight by trained IT professionals with security expertise are money well spent. Be careful out there.