Law firms are the new targets of cybercriminals. “Lawyers of every stripe and specialty tend…
Taking some simple proactive steps to protect confidential information, and being prepared to respond quickly to a data breach, can give you and your firm a fighting chance to survive a cyber attack.
No business or industry is immune to a cyber attack or data breach. Ninety-five percent of the Fortune 500 companies in America, as well as numerous government agencies such as the Internal Revenue Service, the Central Intelligence Agency, the Defense Department, and even the White House, have been hacked or had data compromised.
Businesses of all sizes have fallen prey to cyber criminals, and the legal profession is no exception. Attorneys are required to comply with state and federal data security laws, regulations, and standards that describe the ways in which data must be protected and define what constitutes a “data breach.”
For example, in Texas, a data breach encompasses any way in which information is lost, stolen, or inadvertently disclosed. Your computer systems do not have to be "hacked" for you to have a data breach. Examples include laptop theft, lost USB memory sticks or portable drives, a lost mobile phone containing confidential client data, an email containing confidential information that is sent to the wrong person, and the theft or improper disposal of paper documents.
Take the First Step
Given the many ways in which business data can be compromised, protecting it can be a challenge. The first step is to acknowledge that your business is at risk. Your clients and business partners—and state and federal regulators—all expect you to be able to safeguard confidential and private information.
Lawyers are also held to a higher ethical standard, under which they are responsible for preserving the confidentiality of all information gained in the professional relationship with a client.
Information security risks should be addressed in the same way that you address other business risks. Your business property is insured against damage, fire, and theft. Your confidential information should be similarly protected.
Have a Risk Assessment and Compliance Audit
An independent, third-party risk assessment can help you identify potential threats, show where you are out of compliance with federal, state, and industry requirements for information security, and pinpoint the areas where you are most vulnerable. A third-party report also lets you demonstrate to clients that you are taking steps to protect their data, and it helps defend your business against potential litigation and possible future regulatory fines and penalties.
Establish a Solid Cyber Security Foundation
Although a risk assessment and compliance audit may bring to light several areas that need improvement, addressing a few cyber and data security basics can raise your security immediately.
- Encrypt emails. At a minimum, emails containing sensitive or confidential information should be encrypted using your email provider's encryption service, and attachments containing client data should be encrypted or shared through a secure portal rather than sent in the clear.
- Avoid public wi-fi. If you must use it, run a virtual private network (VPN) app on both your phone and your laptop so that others on the same network cannot watch what you are doing or steal your data or passwords.
- Be suspicious of unexpected emails. Email is the most common way that spyware and malware are delivered. Do not open links or attachments in emails you were not expecting, and confirm any request involving money, credentials, or client data with the sender through another channel before acting on it.
- Back up your data. In case your systems become infected or are held for ransom, back up your files to the cloud, keep at least one copy that is not continuously connected to your systems (ransomware will encrypt any backup it can reach), and periodically test that you can actually restore from it.
- Use strong, unique passwords. Stolen or weak passwords give cyber criminals direct access to your computer and online accounts. Use a complex, unique password for each application (a password manager makes this practical), change any password you suspect has been exposed, and turn on multi-factor authentication wherever it is offered.
Evaluate Cyber and Data Breach Liability Insurance
Cyber insurance will not protect you against a cyber attack or data breach, but a good policy will enable you to survive one.
Look for insurance that covers both cyber breaches and data breaches and provides broad coverage for first-party expenses, such as breach response, notification and credit monitoring, forensic analysis, public relations consultants, cyber extortion payments, business-interruption costs for loss of income, and restoration costs. The policy should also cover third-party expenses: violation of privacy laws, multimedia liability, regulatory fines, compensatory payments, and legal defense costs, as well as the costs of potential future lawsuits and settlements.
Also be sure to find an insurance carrier that provides access to a breach response call center, or other telephone support, that is staffed twenty-four hours a day, seven days a week, year round, and that is available even if a breach is only suspected. This call center should connect you with breach response teams and legal counsel, as well as other resources, to develop a response plan and help you begin response and recovery activities.
Insurance cannot prevent a data breach and is no replacement for data security, but it can provide a financial backstop and access to support tools such as the breach response call center. Having a separate insurance policy in place, specific to this exposure, is a critical component of your overall data breach preparedness.
The response costs associated with minimizing the damage of a data breach or cyber attack can be extensive and can even put a company out of business. Cyber and data breach liability insurance is affordable and helps mitigate the financial hardship of a cyber attack or data breach by covering the costs of an event.
Ready to take the necessary steps to protect your firm from cyber attacks? Visit our Cyber Security page to get started.
About the Author
Scott Reid is the Director of Association Cyber Insurance Programs for Gallagher Affinity, the Executive Director of the Cyber and Data Security Association, and an early leader in the emerging field of cyber and data breach preparedness and prevention. Reid works with many leading trade groups and business coalitions, as well as with federal agencies such as the Department of Homeland Security, the Federal Bureau of Investigation, the Federal Trade Commission, and the Small Business Administration, to address cyber security as a national security issue.