Data Security: Protect Client Information Before a Cybersecurity Breach Happens

By: Sara Jessica Farmer
Senior Associate Editor, American Journal of Trial Advocacy

Cybersecurity breaches are a rising concern among law firms globally.  Lawyers are protectors of sensitive information for their clients.  Hackers want access to this sensitive information to sell to the market.[1]  This issue needs to be tackled by law firms and given extra care because of client confidentiality.  The ethics rules require attorneys to safeguard client information, which includes protecting this information in the current world of technology.[2] 

Law firms have been hacked at the following rates: “14% of solos, 24% of firms with 2-9 attorneys, about 24% for firms with 2-9 and 10-49, 42% with 50-99, and about 31% with 100+.”[3]  These breaches could result in numerous problems like ethical violations, firm downtime or loss of hours, and even destruction of files.[4]  The American Bar Association (“ABA”) met and adopted a cybersecurity resolution to help solve these problems and prevent future problems.[5]  The main idea is that a “security program should address people, policies and procedures, and technology.”[6] 

Cybersecurity plans and protocols should be adopted at law firms to comply with a lawyer’s duty to keep a client’s information confidential.  Technology poses a unique problem because not all lawyers are well versed in security measures and what kinds of threats are out there.[7]  Compliance with the ethics rules requires an attorney to assess the limits of his knowledge and ask for assistance to fill in the gaps.[8]  The obligations are minimum standards but can easily turn into ethical violations or even unlawful conduct if steps are not taken to protect client information in relation to technology.[9] 

The first step is to run a risk assessment and analyze how sensitive the information is and then the possibility of disclosure if security measures are not adopted.[10]  The costs of employing security measures need to be weighed against the protection of client information.  There are simple solutions that have low costs for smaller firms such as a password keeper, antivirus software, or paying for business email.[11]  The more security measures in place the better.

A way that hackers are attacking law firms is through ransomware.[12]  Ransomware is where a hacker steals information and blackmails the law firm.[13]  The hacker blocks access to the data until the money is paid, and the hacker has the ability to delete the information forever.[14]  Additionally, law firms should be diligent about an employee’s access to information as well because a hacker could obtain an employee’s credentials and hack the system.[15]  Clients of law firms are even getting attacked with phony PDF files that lead the client to a fake website that looks like the law firm’s website.[16] 

Attorneys have many options for improving their cybersecurity and for fixing breaches when they happen.  The FBI is recommending that law firms look into security assessments.[17]  Few firms around the country provide security assessments, so developing a relationship with a cybersecurity firm before a breach occurs is important.[18]  Law firms also have the option of bringing the FBI in to host a mock exercise of going through a cyberattack and how to respond to the situation.[19] 

After a security assessment, the law firm needs to take steps to fix the holes and to improve the security of the technology in the office.  One step is to purchase cybersecurity insurance because a technology breach of client information is not included in malpractice insurance.[20]  Another step is to restrict access to computers, laptops, and accounts with passwords and to restrict access based on employment status.[21] 

Another step is to employ encryption on all devices through a password, PIN code, fingerprint, or even facial recognition software.[22]  Additionally, e-mail is a large component of communicating with a client, and free email services do not guarantee confidentiality.[23]  Some email services offer confidentiality and protection if you pay a small fee each month.[24] 

Law firms should look into antivirus software for a firm because the software employs a firewall, spam filter, and anti-spyware for the entire computer including the internet.[25]  Also, the Cloud provides a safer option to store information.[26]  If a laptop gets stolen, an attorney could remotely wipe the laptop and still access information through the Cloud.[27]  The Cloud is also useful if a disaster ruins the office like a fire or flood.[28] 

The largest concerns among lawyers with cybersecurity are hacked email accounts, ransomware, leaks of sensitive data, and the risk of legal malpractice allegations due to poor cybersecurity.[29]  Clients are becoming more concerned with cybersecurity as technology develops, and more lawyers are using technology to store client information.[30]  Law firms will be better off undertaking a risk assessment as soon as possible to ease clients’ concerns. 

In conclusion, cybersecurity is a growing market in the legal field.  Lawyers need help with technology and protecting information that is given to them in confidence.  There are many tools to protect client information like passwords, antivirus software, and encryption tools.  The tools are useless if lawyers do not employ them.  The question is when a data breach is going to happen, not if a data breach will happen.  


[1] See David G. Ries, 2018 Cybersecurity, ABA TECHREPORT 2018 (Jan. 28, 2019), https://www.americanbar.org/groups/law_practice/publications/techreport/ABATECHREPORT2018/2018Cybersecurity/ (discussing how law firms are being targeted by hackers). 

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] See Julie Sobowale, Law Firms Must Manage Cybersecurity Risks, ABA J. (Mar. 1, 2017, 12:50 AM), http://www.abajournal.com/magazine/article/managing_cybersecurity_risk (stating that many law firms are “behind the curve” on cybersecurity issues).

[8] Ries, supra note 1.

[9] Id.

[10] Id.

[11] Id.

[12] See Kayla Matthews, Four Biggest Cybersecurity Risks Law Firms Are Currently Facing, Law Tech. Today (Oct. 30, 2018), https://www.lawtechnologytoday.org/2018/10/four-biggest-cybersecurity-risks-law-firms-are-currently-facing/ (discussing how ransomware is one of the biggest threats that law firms currently encounter).

[13] Id.

[14] Ries, supra note 1.

[15] Sobowale, supra note 7.

[16] Matthews, supra note 12.

[17] Sobowale, supra note 7.

[18] Id.

[19] Id.

[20] Ries, supra note 1.

[21] Id.

[22] Id.

[23] Victoria Hudgins, Outside Small Law, Google’s G Suite Struggles to Gain Legal Foothold, Law.com (June 14, 2019, 11:30 AM), https://www.law.com/legaltechnews/2019/06/14/outside-small-law-googles-g-suite-struggles-to-gain-legal-foothold/.

[24] Id.

[25] Ries, supra note 1.

[26] Sobowale, supra note 7.

[27] Ries, supra note 1.

[28] Id.

[29] Matthews, supra note 12.

[30] Sobowale, supra note 7.
