Data Security Best Practices for Your Law Firm

Your mind is working at its best when you're being paranoid.

You explore every avenue and possibility of your situation at high speed with total clarity.

– Banksy, Banging Your Head Against a Brick Wall

You might not think an artist known for illegal graffiti would provide ideal inspiration for a law firm's data security policy. But in fact, a healthy dose of paranoia, combined with agility and transparency, is the exact right formula for securing your firm's — and even more important, your clients' — data in 2021 and beyond.

With that overarching principle in mind, let's look at some data security best practices.

1. Make Client Confidentiality Your Top Priority

This one comes straight from the ABA's Model Rules of Professional Conduct:

Rule 1.6 (c): "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."

The key here is the phrase "reasonable efforts." You don't want to be at the mercy of a judge's interpretation of that. Besides, a basic code of ethics demands that you do everything you can to safeguard your clients' data. Easier said than done, of course — especially when hackers are unleashing new ransomware targeting law firms at an alarming rate.

So the first "reasonable effort" you need to make is to continuously monitor your firm's cybersecurity for new threats. This requires your staff to be vigilant — one-and-done training won't cut it. Be sure to:

• Actively determine everyone on your staff understands proper security protocols. You need to spell things out — not just during onboarding for new hires, but also by periodically revisiting procedures via things like quarterly lunch-and-learn sessions. Make a security mindset part of your firm's culture.
• Insist on strong passwords. Implementing an automatic quarterly reset will force hackers to try to hit a moving target. It's also another way to keep security top-of-mind among your staff.
• Encrypt emails and consider additional end-to-end encryption tools. Protocols such as "digital signatures" and public key infrastructures (PKIs) ensure that "for your eyes only" messages are indeed read only by the intended recipients.
• Use secure portals to transfer sensitive information. This takes encryption a step further by providing a method to securely exchange files and messages. Think of it as the cyber version of TSA screening — it checks bags as well as IDs.
• Conduct an independent audit of your network and systems. By asking an objective third party to identify potential vulnerabilities and blind spots in your network, you'll simultaneously increase your peace of mind and reduce your potential liability.
• Consider sharing your security policy with clients during client intake. This will not only assure them you're doing everything you can to protect their data, but could also alert you to data security inadequacies on their end. You don't want their lax security procedures to become your problem.
• Do the same for every vendor. Vet vendors to confirm their established data security procedures are up to par. No matter how appealing a particular vendor might be in other respects, if you see any evidence that their security procedures are suspect, move on.

2. Implement a Clear and Simple Incident Response Plan

Despite your most reasonable efforts, breaches can still happen. An employee can have a phone, tablet or laptop stolen, a new form of malware can appear without warning — the potential threats are endless.

With that in mind, you need a plan in case a hack or data breach occurs. Start by familiarizing yourself with breach-notification laws in your state. Figure out the steps your firm will need to take immediately, such as changing passwords, instructing staff on client communications protocols, identifying everyone who needs to be notified and enlisting PR support if needed.

Keep clients apprised of your findings — good or bad. Transparency is important not just when client data has been compromised, but also when investigation proves that it has not. You don't want clients to fear their confidential information has been exposed a minute longer than necessary.

3. Get Dedicated Cybersecurity Insurance

When cybersecurity breaches first became a threat, some law firms simply folded insurance coverage into their existing attorney-liability policies. But those broad policies might not be adequate to cover all the expenses that can go along with a breach — from the costs of notifying clients and getting PR assistance to the potentially hefty price tag of lawsuits that could result from exposing clients' data. A standalone cybersecurity insurance policy could be an invaluable investment.

If learning the terms of your insurance policies is not the best use of your time, consider outsourcing to an independent insurance specialist.

Get Started — Even if You Think You're Not Ready

You won't be able to foolproof your firm's cybersecurity apparatus all at once — if ever. But you need to start somewhere, sometime, and that's right here, right now. Don't wait for a perfect solution to materialize. Determine your firm's security "must-haves" and implement those right away. You can tackle the discretionary but advisable tools and policies as you go along.

Following the steps outlined above will greatly mitigate risk and increase clients' confidence in your firm's ability to protect their data. It will also help fulfill ethical and business obligations to staff, vendors and everyone else you come in contact with.

Sound reasonable?