Law Firm Data Breaches: Is Encryption the Only Answer?
With cyber-crime on the rise, how can you keep confidential information safe?
Massive data breaches are increasingly becoming the norm, a situation that can be painful for millions of consumers. However, what happens when the entity being attacked is a large law firm? The sheer volume of confidential information being stored is staggering, especially when you consider trade secrets, extensive financial information and potentially even military secrets. This makes it exceptionally important to ensure that your law firm has taken the necessary steps to protect its digital assets. The challenges extend beyond the physical walls to strategic partners -- who also must work aggressively to secure digital assets. With all of this pressure to secure your data, is encryption the only way to ensure that your digital walled garden stays intact?
Cybercrime on the Rise
Law firms have deep access to valuable information, making them a prime target for hackers of every ilk who wish to pilfer corporate intelligence and customer information. U.S. organizations are certainly not the only ones in trouble: a recent attack on the world's fourth largest offshore law firm resulted in a leak of over 11 million files, according to CIO magazine. Straight hacks are not the only challenge that large law firms are suffering; malware such as ransomware that blocks access to company data is also a major consideration. What makes the job more difficult for security officers at law firms is that infiltrations are sometimes not noticed until days -- or even weeks -- after they occur. This makes it that much more problematic to determine exactly what information has been breached, and what may still be safe.
The ABA noted that a quarter of all law firms with more than 100 attorneys suffered a breach in 2016, as well as 14 percent of all American law firms. What's worse: 40 percent of law firms surveyed in 2016 experienced a data breach but didn't even know about it. This is perhaps the most frightening statistic of all, since firms that are unaware of the loss of data integrity are not informing clients about the situation. Even with the heightened risk, the majority of law firms are still relying on traditional consumer-focused security tools, which are woefully inadequate to provide the level of security truly needed. However, the cost of hiring cyber security professionals can be more than many firms can afford.
Attorneys hold the trust of their partners and clients sacred, but what happens when the law firm is noncompliant with its own cyber policies? Recent research covering 200 law firms by LogicForce, a leading cyber security startup, found that:
- 53 percent of firms that responded did not have a plan in place for data breach incidents
- 77 percent of responding firms lacked insurance for cyber attacks
- 95 percent were noncompliant with their internal cyber security policies
- A whopping 100 percent of surveyed firms were noncompliant with client policies
These frightening statistics tell a story of law firms that are hoping for the best -- yet experiencing the worst. Nearly two-thirds of these same firms experienced a cyber attack. It's important to note that the results from LogicForce may be a bit misleading, as the sample size is relatively small and may be overly weighted toward smaller firms, which are less likely to have a formal action plan in place.
Costs of a Data Breach
The average cost of a single stolen record is over $140, and with 58 data records being stolen every second, the cost to U.S. organizations is almost unimaginable. Cyber criminals are trafficking in intellectual property and personal data at a staggering rate while businesses and consumers pay the rising price. Just because you're not hearing about data breaches on a daily basis doesn't mean they're not happening. It's not unusual for smaller breaches to go unnoticed and unreported, even to those individuals and partners who may have suffered identity theft or other data loss in the attack.
It's the secondary costs of a data breach that are the most impactful, especially to law firms and other organizations that survive on their reputation and the trust of their clients. While the hard costs can be extensive, once word is out that your firm was unable to protect confidential information, there are often far-reaching consequences. It is not unusual for executives to lose their position, publicly-traded companies to lose significant market share and clients to make other decisions about their partnerships in the wake of a serious data breach.
Protecting Critical Data
Encryption is considered a gold standard for data protection, but is it enough? Security experts are clear on this point: encryption isn't the final answer to cyber security preparedness. The majority of breaches in a smaller organization can be prevented, or the severity of the attack reduced, by:
- Proactive training on robust security procedures
- Enforcement of security habits for all employees and contractors
- Applying patches to software as soon as they're available
- External account monitoring to immediately identify an attack
- A current and active disaster recovery plan that includes cyber security procedures in the event of a data breach
Having an active insurance plan that protects your organization against data breaches is critical to helping ensure ongoing operations. The direct costs alone of a large cyber attack can bankrupt many small law firms. Having redundant backups of your data at an offsite location helps ensure that you can come back quickly from a malware attack, too.
Encryption allows data to be viewed only by someone with direct access to the decryption key or password. While not perfect, encryption is one of the most effective and most popular data protection solutions. The primary function of data encryption is to ensure data confidentiality as it's stored on or shared between various computer networks. Modern algorithms allow diverse organizations and individuals to securely share data while preventing those in the path of transmission from obtaining access to the information. While effective, data encryption is still vulnerable to brute force attacks in which cybercriminals attempt to guess passwords -- making it critically important to ensure that all staff members are strictly following security procedures.
One of the key benefits of data encryption is that the information on the package -- the metadata that travels with the data -- is authentic. This includes items such as the origin of the message and confirmation that the contents of the data package are the same as what was originally sent. Additionally, the data package that travels with each communication ensures that the sender cannot repudiate sending the message. This is especially critical for many law firms, as the metadata is used as proof in legal cases.
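As an added illustration (not code from the article), the Go program below shows the three properties the two paragraphs above describe, using only the standard library: AES-GCM keeps the body confidential and binds the clear-text metadata to it as "additional data", so any altered byte is rejected rather than decrypted, and an Ed25519 signature, a separate primitive layered on top of the encryption, is what lets the recipient prove who sent the message. The Envelope format and field names are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Envelope is a constructed example format, not a standard: metadata stays readable but is bound
// to the encrypted body as AES-GCM additional data; an Ed25519 signature over all fields lets the
// recipient prove who sent it, so the sender cannot repudiate the message.
type Envelope struct {
	Metadata, Nonce, Ciphertext, Signature []byte // Ciphertext ends with the 16-byte GCM tag
}
// NewAEAD turns a 32-byte key into an AES-256-GCM instance shared by Seal and Open.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// signedBytes is what the sender signs (a real format would length-prefix each field).
func (e *Envelope) signedBytes() []byte {
	return append(append(append([]byte{}, e.Metadata...), e.Nonce...), e.Ciphertext...)
}

// Seal encrypts body, authenticates metadata alongside it, and signs the result.
func Seal(gcm cipher.AEAD, sender ed25519.PrivateKey, metadata, body []byte) (*Envelope, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; reuse under one key is fatal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Metadata: metadata, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, metadata)}
	env.Signature = ed25519.Sign(sender, env.signedBytes())
	return env, nil
}

// Open checks origin (signature), then integrity (GCM tag over body and metadata), then releases plaintext.
func Open(gcm cipher.AEAD, senderPub ed25519.PublicKey, e *Envelope) ([]byte, error) {
	if !ed25519.Verify(senderPub, e.signedBytes(), e.Signature) {
		return nil, errors.New("signature invalid: origin cannot be established")
	}
	body, err := gcm.Open(nil, e.Nonce, e.Ciphertext, e.Metadata)
	if err != nil {
		return nil, errors.New("integrity check failed: body or metadata altered, or wrong key")
	}
	return body, nil
}
```

In a real deployment the 32-byte key would come from a key management system or a password-based derivation with a high work factor, which is exactly where the brute-force risk mentioned above lives.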
Protecting data and the security of your clients is the highest priority for attorneys and security officers alike. Ultimately, how your organization reacts to a data breach is the single most important indicator of the success of your cyber security programs. The costs of a data breach are significantly lower when there's a solid incident response procedure in place. If you're unclear about the status of your data breach disaster response program, it pays to schedule a regular refresh and review program.