October 12, 2017

How Law Firms Can Avoid a Costly Data Breach


A surprising two-thirds (66%) of law firms have experienced some sort of data breach, according to the Q1 2017 Law Firm Cyber Security Scorecard from technology consulting company Logicforce.

Legal firms handle a lot of valuable information including financial data, corporate strategies and trade secrets, confidential personal data, and protected health information (PHI).  

Most people have heard of the Panama Papers, in which 11.5 million files were stolen from one of the world's largest offshore law firms, and deep intrusions of this kind into a firm's network remain a common risk. According to Logicforce, a law firm network sees more than 10,000 intrusion attempts every day.

But breaches also result from lost or stolen laptops, ransomware, phishing messages (about 59% of the email sent to legal firms is phishing or spam), and confidential papers left unsecured inside or outside the office.

The costs of a security breach include regulatory fines, lost revenue, and a damaged reputation. The 2016 Cost of Data Breach Study: Global Analysis by the Ponemon Institute puts the average cost of each compromised record at $221 in the United States ($158 across all countries studied), and the average total cost of a breach in 2016 at $4 million.

Here are information security tips for law firms:

  • Assign clear responsibility for information security and privacy (for example, appoint a Chief Information Security Officer, or CISO).
  • Stay up to date on privacy and security law. State regulations and professional rules of conduct govern how client information must be handled, and federal statutes such as the Sarbanes-Oxley Act and the Identity Theft Penalty Enhancement Act can also apply; a firm that handles protected health information is also subject to HIPAA.
  • Use an email service that encrypts mail in transit and at rest, and encrypt especially sensitive correspondence end to end. Set an email retention policy: mail that has been disposed of on schedule cannot be exposed in a breach.
  • Require a Virtual Private Network (VPN) or other encrypted, authenticated connection for partners and associates who access the firm's systems remotely, and protect that remote access with multi-factor authentication.
  • Embed security processes in the workplace – to reduce the risk of employee error and to empower employees to have good security habits. For example, a Clean Desk Policy keeps desks and the office clear of sensitive documents. A Shred-it All Policy means all documents are destroyed when no longer needed.  
  • Encrypt all hard drives (full-disk encryption on laptops in particular, since lost or stolen devices are a leading cause of breaches), and keep operating systems and security software patched and up to date.
  • Use a comprehensive Document Management policy so confidential data is handled securely from creation through to destruction.
  • Enforce least-privilege access control: grant access to client data only to the people who need it for their work, and review those permissions regularly, including when staff change roles or leave the firm.
  • Conduct regular security risk assessments to identify exposures and prioritize the fixes.
  • Provide on-going security awareness training. All employees (from the C-suite down) must know how to handle and protect data in and out of the workplace. Focus on current threats and safeguarding strategies (for example, online policies, password hygiene, and mobile device security).  
  • Have a detailed Data Breach Response Plan so everyone knows what to do when a breach occurs. Keep it up to date, and schedule practice runs such as tabletop exercises.
  • Consider insuring against the risk. Be sure to understand exactly what each policy covers and what it excludes.
  • Partner with a knowledgeable and trustworthy document destruction company for secure hard drive and paper shredding services.

Start Protecting Your Business 

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.