Despite the legal industry's heightened focus on cybersecurity, data breaches remain a significant threat for law firms. That was one takeaway from the American Bar Association's 2019 Legal Tech Report, released October 23. According to the ABA's annual survey exploring tech use in the legal industry, 26% of law firms experienced a security breach of some kind, up from 23% in 2017. Even more (36%) have had malware or other virus infected on their computers.
Fortunately, the damage is usually limited. Security breaches mostly resulted in repair and consulting costs, in addition to lost productivity, if there was any impact at all. However, of those who reported security breaches, 9% had to contact clients and law enforcement, while 3% said sensitive client information was compromised.
Mid-size firms are the most vulnerable. Of respondents in firms with 10-49 attorneys, 42% suffered a security breach.
The results reinforce that law firms pose a tempting target for nefarious online actors, and for more reasons than obtaining sensitive client information such as Social Security numbers. In 2016, for example, several international law firms were hacked in an insider trading scheme involving planned mergers. In 2018, ABA Formal Opinion 483 warned that “the data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked and those that will be."
While law firms have generally increased cybersecurity measures in recent years, there are still steps firms can take that can reduce the risk of a security breach. Some are simple, common sense measures, such as physical locks on laptops. Only one in four law firms report using physical locks.
Other steps include:
If in doubt, law firms can invest in a risk and security assessment by a third party. According to the 2019 Legal Tech Report, approximately one in three law firms have already done so.
As law firms continue to experience cyberattacks at an alarming rate, attorney obligations regarding data protection, privacy and cybersecurity have increased correspondingly. Simply put, cybersecurity is now a part of the practice of law.