Data is the 21st century’s hottest commodity, which makes a data breach involving personally identifiable or confidential information one of the worst scenarios for organisations. The legal industry is not immune to digital hijacks and cyberattacks, which can leave law firms’ sensitive client data in a vulnerable state.
The legal industry’s dependency on online tools that are not properly encrypted, such as online meeting portals born out of necessity during the pandemic, leaves a security void.
Legal tech professionals frequently tout cloud-based services as a selling factor for many of the applications hitting the market. Cloud-based services can be a cost-effective way to store and access data, and providers often package them via a subscription-based SaaS (software as a service) model.
A security breach is the last thing any lawyer wants to happen. The question that often arises is whether cloud-based legal technology is more secure than traditional data storage. However, the implication that cloud-based solutions remove cybersecurity risks is misguided. While cloud-based legal technology has many advantages over locally hosted software and data, it does not absolve law firms of their cybersecurity duties with respect to clients.
Legal tech and cyber threats
As most law firms are attorney-driven, with little to no background in cybersecurity, it’s no wonder they are vulnerable to being hacked. A 2020 American Bar Association report pointed out that 29% of law firms reported a security breach, with 36% reporting past malware infections. The 2020 ABA Legal Technology Survey Report highlighted that only “43% of respondents use file encryption, 39% use email encryption, 26% use whole/full disk encryption. Other security tools used by less than 50% of respondents are two-factor authentication (39%), intrusion prevention (29%), intrusion detection (29%), remote device management and wiping (28%), device recovery (27%), web filtering (26%), employee monitoring (23%), and biometric login (12%)”.
While legal tech companies push cloud computing as a way to help law firms become less susceptible to security breaches, the reality is more complex. Cloud-based computing introduces a “liaison” into the data supply chain (i.e., a software or storage provider). In its report on the cyber threats that the UK legal sector faces, the UK National Cyber Security Centre (NCSC) cited supply chain compromise as one of the most significant threats that firms encounter. There are two important takeaways from this:
- Service providers are susceptible to cyberattacks, just like end-users. Supply chain compromises are skyrocketing. More than 90% of firms across the globe have experienced breaches as a result of supply chain weaknesses, according to a study by BlueVoyant. The study is based on data from 1,200 employees from large global companies and highlights a 37% increase between 2020 and 2021.
- Ultimately, cloud-based data remains the owner’s responsibility. If a law firm’s client data becomes compromised, attempts to shift the blame to the cloud supplier will probably fall flat in the eyes of regulators, law enforcement, and — most importantly — the client. A law firm’s liability may increase if it has done little to nothing to exercise oversight over the cloud suppliers with whom it has contracted for service.
The legal industry is a lucrative one, and financial gain is a priority for hackers, so it is not surprising that IBM recently revealed the average cost of a breach for professional services to be around $4.65 million in 2021.
Apart from the financial burden on law firms, a data breach severely affects their reputation and client relationships, costing them prospective clients and causing downtime.
Surge in ransomware
Ransomware is malicious software designed to block access to a computer system until the victim pays a sum of money or unwittingly further spreads the unwanted malware to other computers. Malware often infects computers after a user accidentally visits an infected website and installs rogue software. The DLA Piper malware attack in 2017 was the first major attack on a law firm that raised eyebrows.
The looming threat of ransomware becomes even more concerning when it involves untraceable transactions via cryptocurrency, which is poorly regulated in most countries, a fact that hackers take advantage of. On top of that, many legal professionals are not well-versed in the latest cyber threats to befall others in the industry, and they fall prey to such attacks.
The EU’s General Data Protection Regulation (GDPR), which took effect in 2018, establishes a procedural framework for guaranteeing users' personal data protection and privacy in the EU. Law firms must ensure that they implement proper levels of security to secure data against cyberattacks and manage security risks to avoid the complacency that morphs into noncompliance (and possibly costly fines or a client exodus). Best practices for GDPR compliance include scrutinising potential cloud service providers’ methods and exclusively contracting with companies that can also demonstrate compliance.
Cyber security into the future
Cyberattacks targeted at the legal profession are inevitable, and the recent upsurge in ransomware has the potential to expose poorly equipped law firms around the globe.
A well laid out response plan in the event of a ransomware threat should be a priority for any organisation to avoid losses, especially when multiple stakeholders are involved.
Prevention is better than cure
Training personnel for probable cyberattacks is a first line of defence, and updating antivirus, anti-malware or anti-phishing software is a basic yet effective step to combat threats.
Some legal technology providers incorporate security solutions into their software, further immunising systems against cyberattacks.
Additionally, there are cybersecurity specialists such as Darktrace that leverage AI for law firm protection. Darktrace has published a legal industry spotlight that urges law firms to rethink their cyber security strategies to combat the risk of data breaches and ransomware attacks.
There is much for law firm practitioners to consider, but one thing is sure: cyberattack prevention will certainly be better than the cure!
Disclaimer: While every attempt has been made to ensure that the information in this article has been obtained from reliable sources, neither Novum Learning nor LPI is responsible for any errors or omissions, or for the results obtained from the use of this information, as the content published here is for information purposes only. The article does not constitute a comprehensive or complete statement of the matters discussed or the law relating thereto, and does not constitute professional and/or financial advice.