·  Legal News, Analysis, & Commentary


How to Prevent Cybersecurity Risks at Law Firms in 2019

— June 14, 2019

Law firms depend on today’s technology to help them serve their clients better and faster. Cybercriminals are targeting law firms hoping to gain access to client data. Good cybersecurity measures are a must in this ongoing fight.

There has been an alarming rise in cyber-attacks against law firms in the past few years. The attacks, while fewer at first, are only going to increase in the future.The methods used by cybercriminals have become more complex. At the same time, law firms have also started to take positive steps towards ensuring data security. The battlefield is a digital one and it is getting intense. This is why cybersecurity measures are so crucial.

Because of technology, protection against cyber-attacks is not just a one-time job. It is a never-ending battle, where only constant alertness can ensure that law firms do not fall short on their promise of “attorney-client privilege”.

Cyber Attacks against Law Firms are Real

We’re in 2019, and stating this fact might not be surprising. But for those who are still in doubt, let us focus on the question: Why are hackers focused on attacking law firms?

First of all, law firms hold the promise of “attorney-client privilege” as the foundation for their services.This means that whatever information the client provides about their case will be kept confidential and not be disclosed to anyone. With such a sensitive database of information, hackers can gain access to client data, and use it for criminal activity. However, the upside to it is that law firms, as a whole, have efficient cybersecurity systems in place. 

Secondly, the information stored about the client in the database of a law firm is very specific. It then becomes logical that hackers only want to gain access to that kind of information.

Man in a dark room wearing a skull half-mask and glasses, data from a computer screen reflected in his glasses; image by Nahel Abdul Hadi, via
Man in a dark room wearing a skull half-mask and glasses, data from a computer screen reflected in his glasses; image by Nahel Abdul Hadi, via

How Have Cyber Breaches Affected Law Firms?

Lawyers specialize in different disciplines, and many of them are not famous for being sophisticated about technology. That alone makes it easy for hackers to gain information regarding clients. 

In the past few years, there have been several attacks on law firms. Let us look at some examples of those attacks: 

  • In March of 2016, the FBI issued a statement warning that hackers were stealing client information from international law firms for the purposes of insider trading. 
  • In the 2017 ABA Legal Technological Survey, the American Bar Association found that 22 percent of more than 4,000 respondents said that their firm experienced a data breach in 2017. Twenty-five  percent of those respondents stated that there was an absence of security measures within the company. 
  • In The National Law Journal, a law firm based in Washington, DC found that the number of daily cyber attacks increased by 500 percent in the last two years.
  • Law360 reported that 1500 of their U.S.-based insurance policies were compromised because of an attack on an “unnamed” specialist law firm. 

These statistics showcase the impact cybercriminals can have on a law firm’s data, if given the opportunity. 

Protection against Cybersecurity Threats

If cybersecurity threats are so dangerous, what steps can law firms take to protect themselves from such threats? There are several, and the following list will go through them:

1. Inventory Assessment 

Firms need to understand where they stand with respect to their technology. Law firms must take initiatives to have a detailed inventory of all the technological products within the firm’s use. The technology includes hardware, software, and data.

With hardware, the firm should actively maintain a list of all the printers, laptops, smart devices, computers, and servers at their disposal. 

Software inventory should include all the software products, their licenses, keys, passwords, update schedules, and versions. 

Data should be constantly monitored and maintained by a database administrator. The firm can also take note if the data is subject to legal restrictions, such as HIPAA. 

2. Evaluate a Firm’s Cybersecurity Systems

In her article titled “Cybersecurity for Midsize and Smaller Law Firms: 10 Tips to Take Action Now”, Stephanie W. Yeung recommends asking five questions:

  1. Is system access controlled on a need-to-know basis?
  2. Is access to smart devices and computers encrypted?
  3. Are password records stored in a secure file?
  4. Have you employed a two-factor authentication process for enterprise network systems?
  5. Are your anti-virus software and firewalls in place? 

3. Using Basic Security Tools against Law Firm Cyberattacks

The firm can use spam filters as the most basic security tool. In order to prevent a law firm cyber-attack, your firm should also employ anti-spyware, software-based firewalls, antivirus programs, email encryption service, network security protocols, and intrusion detection systems, etc. 

4. Vendor Security Evaluation 

If you have a vendor, make sure you review the vendor’s security certificate to ensure that they employ similar, if not better, security protocols. The primary focus should be on protecting the client’s data. This includes defending your own systems as well as ensuring that any affiliate organization is just as invested in data security as your firm. 

5. Security Standards Consideration

Several law firms are shifting towards the ISO (International Standards Organization), NIST (National Institutes of Standards and Technology), and CIS (Center for Internet Security) certifications. As a firm, you can use the policies of all or just part of the guidelines. 

6. Use Secure Methods to Handle Your Data

The files should be protected while both in storage as well as in transmission. It is suggested that firms employ an email encryption service or file sharing service in order to exchange information. If you cannot use such a service, then you can simply zip your files and password protect them. 

7. Using a Reliable Backup System

A backup system is highly recommended regardless of a cybersecurity attack. A good backup system proves invaluable when faced with physical catastrophes such as bad weather or fire incidents. They prove to be extremely useful in the case of ransomwares or cyber attacks. 

It is important to have a plan in place in the case of a cybersecurity breach. You do not want your data to be compromised because of poor planning. In the digital age, data security is important to ensure that your firm does not lose face in the wake of a cybersecurity attack. It is better for an attorney to share a piece of unhappy news to the world, instead of the client stumbling upon it in the morning paper. 

Join the conversation!