CNA Blog — From the Experts

Published Thursday, January 19, 2017

8 Tips for Cyber Security Practices in Law Firms

Due to the sensitive client information law firms possess, lawyers are a primary target of hackers. Your firm may already employ common data security tools such as spam filters, anti-spyware, software-based firewalls and virus scanning. These are indeed essential risk management tools, but you should not assume that installing these security features results in comprehensive protection.
In a recently published article, Lisa Jaffee identified the following eight tips to help you take the necessary steps to shrink security gaps:

  1. Encrypt, Encrypt, Encrypt

    According to a 2013 American Bar Association survey, all forms of encryption, including file encryption, e-mail encryption and full-disk encryption, are the security features used least often by law firms [1]. Furthermore, lost or stolen laptops and devices are a top cause of law firm data breaches. If a device is encrypted, its data stays inaccessible when the device is lost or stolen, provided the encryption is protected by a strong passphrase and the device was powered off or locked at the time; full-disk encryption offers no protection for a machine taken while it is unlocked, and a passphrase written on a note in the laptop bag defeats it entirely.
  2. Use Caution in the Cloud

    Reportedly, 64 percent of lawyers use the cloud in their practices [2]. When you store firm and client information in the cloud, it is stored off site, possibly in another country, where it may be subject to that country's search and seizure laws.

    Most bar associations that have published opinions on the ethics of cloud computing have found that working in the cloud is ethical if appropriate precautions are taken [3]. At a minimum, you must use due diligence in selecting a cloud provider by asking the right questions. Does the provider employ adequate security to protect the data? Will the data be stored internationally, and if so, will it be subject to search and seizure there? You also should know what data you are placing in the cloud and whether that data is subject to state or federal privacy laws. Have the clients given written consent to placing their information in the cloud? Will the information be encrypted, and who controls the encryption keys? Data the firm encrypts before upload, with keys the provider never sees, remains protected even if the provider is compromised or compelled to hand it over.
  3. Beware of BYOD

    Bring Your Own Device (BYOD) policies are risky if appropriate security measures are not taken. Firms should have a specific BYOD policy in place regulating how those devices are to be used and giving the firm ultimate control over firm data on them. Firm data on the devices should be both encrypted and protected by a device passcode. Law firms also should install mobile device management (MDM) software that can remotely wipe the device when an employee leaves the firm or the device is lost. Because a remote wipe only succeeds once the device is reachable over a network, it complements rather than replaces device encryption. Law firms may also consider installing a remote location-tracking app on the device if the device does not already have such a feature built in.
  4. Vet Your Vendors

    Lawyers frequently outsource work such as e-discovery, legal research, copying, IT and other non-legal services to third-party vendors. As recent data breaches have demonstrated, third-party vendors are an increasingly common point of entry for attackers: a compromised vendor that holds firm data or has access to firm systems exposes the firm as surely as a breach of the firm itself.

    Lawyers have specific ethical duties under ABA Model Rules of Professional Conduct 5.1 and 5.3 to ensure that vendors’ conduct is compatible with professional obligations, including the duty of confidentiality under Rule 1.6. According to ABA Formal Opinion 08-451, an outsourcing lawyer must “act competently to safeguard information relating to client representation against inadvertent or unauthorized disclosure” by the individuals to whom the lawyer has outsourced the work. Therefore, you must assess whether your vendors are storing, transporting or analyzing confidential data. If so, written and signed contracts should address the various relevant security issues, including ensuring that the information is properly stored and secured to prevent unauthorized access. Finally, law firms should carefully and thoroughly review the vendor’s contract for indemnification clauses, limitations on liability and guidance as to the party who will be expected to pay in the event of a data breach.
  5. Staff Training is Key

    Educating all firm staff on confidentiality and on how breaches actually happen can greatly reduce the risk of a data breach in your firm. Staff should receive instruction on the policies and practices the firm expects them to follow, including email, Internet and social media policies, and on recognizing the phishing messages that are the usual starting point of an intrusion. Regular refresher training keeps that awareness current and heads off a large share of potential breaches.
  6. Be Wireless Savvy

    Secure your own wireless network, using WPA2 with a strong passphrase rather than an open network or the obsolete WEP, to help prevent unauthorized guests from accessing firm data. Also, you and your employees must exercise caution when working via unsecured networks. Free networks, including those found in airports, hotels and coffee shops, are frequently unsecured, and anyone on the same network can observe unencrypted traffic. A virtual private network (VPN) encrypts all traffic between your device and the VPN endpoint, so it cannot be read or altered on the local network. Another alternative is a mobile Wi-Fi hotspot, a small, transportable Wi-Fi router that provides a private network for your own devices so that you never join the shared public one.
  7. Have a Password Policy

    Enforcing a uniform password policy for everyone in the firm is one of the most effective, and inexpensive, programs a law firm can pursue to protect its sensitive data. Passwords should be a minimum of 12 characters and contain upper- and lower-case letters and numbers. Each password should be unique, never reused across accounts or recycled from a previous one, and changed promptly whenever there is reason to suspect it has been exposed. Note that current NIST guidance (Special Publication 800-63B) no longer calls for routine periodic changes for their own sake, favoring length, screening new passwords against lists of known-breached passwords, and multi-factor authentication instead. Password managers can help attorneys create, track and store strong, unique passwords.
  8. If All Else Fails, Be Prepared

    Even law firms with the best security protection available remain at risk of a data breach or another disaster. Therefore, prepare for the possibility of a disaster by having a business continuity and disaster recovery plan in place, and test it at least annually. In addition, routinely back up your data, keep a copy at a secure off-site location that an intruder on the firm network cannot reach or alter, and periodically verify that the backups actually restore. Finally, cyber liability coverage can help cover the costs related to a data breach, including privacy breach notification expenses, litigation, loss of income, regulatory fines and other expenses.
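
As an added illustration of how the password policy in tip 7 can be enforced in practice (example code written for this page, not from the original post or from CNA), the following Python checks a candidate password against the stated rules, screens it against a short constructed list of common passwords, and detects reuse by comparing salted PBKDF2 hashes of previous passwords rather than keeping any old password in the clear. The blocklist contents, the history depth and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Policy thresholds taken from the tip above: at least 12 characters with
# upper- and lower-case letters and digits. The history depth, iteration
# count and blocklist below are assumptions for this example.
MIN_LENGTH = 12
HISTORY_DEPTH = 10
PBKDF2_ITERATIONS = 200_000

# Constructed sample blocklist; a real deployment would load a large
# breached-password list instead of these five entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def policy_violations(password: str) -> list[str]:
    """Return the policy rules the candidate password breaks (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Screen the lower-cased candidate, with trailing digits stripped, so a
    # value such as "Password123" does not slip past the character-class rules.
    core = password.lower().rstrip("0123456789")
    if core in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("matches a common password")
    return problems


@dataclass
class PasswordHistory:
    """Salted PBKDF2 hashes of previous passwords, kept so reuse can be
    detected without ever storing an old password in the clear."""
    entries: list[tuple[bytes, bytes]] = field(default_factory=list)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so every candidate is re-derived per entry
        # and compared in constant time.
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self.entries)

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.entries.append((salt, self._digest(password, salt)))
        del self.entries[:-HISTORY_DEPTH]  # keep only the most recent entries


def try_set_password(history: PasswordHistory, password: str) -> list[str]:
    """Apply the policy and the reuse check. On success the password is
    recorded and an empty list is returned; otherwise the reasons for
    rejection are returned and nothing is recorded."""
    problems = policy_violations(password)
    if history.was_used(password):
        problems.append("reused a previous password")
    if not problems:
        history.record(password)
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    for candidate in ["Password123", "Correct-Horse-Battery-9", "Correct-Horse-Battery-9"]:
        print(candidate, "->", try_set_password(history, candidate) or "accepted")
```

Running the block rejects "Password123" twice over (too short and a blocklisted base word), accepts "Correct-Horse-Battery-9" the first time, and rejects it as a reuse the second time. The same salted-hash approach is what a directory service or password manager uses behind the scenes; the point is that the reuse check never needs the old passwords themselves.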

Implementing the above cyber security practices in your firm is the first step in lessening your risk of being hacked or facing a claim. But because there is no surefire way to prevent a data breach, it is equally important to have cyber liability coverage to help lessen your financial losses should the worst occur.

[1] Joshua Poje, "Security Snapshot: Threats and Opportunities," ABA TechReport 2014, Legal Technology Resource Center.
[2] Alan Cohen, "Survey: Data Security is Tech Chiefs' Top Worry," The American Lawyer (Oct. 29, 2014).
[3] See, e.g., Oregon Bar Ethics Opinion 2011-188 (November 2011); Pennsylvania Formal Opinion 2011-200; North Carolina 2011 Formal Opinion 6 (January 27, 2012); New York State Bar Ethics Opinion 842 (Sept. 10, 2010); Alabama Ethics Opinion 2010-02; Washington State Bar Advisory Opinion 2215 (2012).

One or more of the CNA companies provide the products and/or services described. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.