Your mind is working at its best when you're being paranoid.
You explore every avenue and possibility of your situation at high speed with total clarity.
– Banksy, Banging Your Head Against a Brick Wall
You might not think an artist known for illegal graffiti would provide ideal inspiration for a law firm's data security policy. But in fact, a healthy dose of paranoia, combined with agility and transparency, is the exact right formula for securing your firm's — and even more important, your clients' — data in 2021 and beyond.
With that overarching principle in mind, let's look at some data security best practices.
The first best practice comes straight from the ABA's Model Rules of Professional Conduct:
Rule 1.6 (c): "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
The key here is the phrase "reasonable efforts." You don't want to be at the mercy of a judge's after-the-fact interpretation of that. Besides, a basic code of ethics demands that you do everything you can to safeguard your clients' data. Easier said than done, of course, especially as ransomware operators increasingly single out law firms, whose files are both sensitive and time-critical.
So the first "reasonable effort" you need to make is to continuously monitor your firm's cybersecurity for new threats. This requires your staff to be vigilant — one-and-done training won't cut it. Be sure to:
Despite your most reasonable efforts, breaches can still happen. An employee can have a phone, tablet or laptop stolen, a new form of malware can appear without warning — the potential threats are endless.
With that in mind, you need a written plan for the day a hack or data breach occurs. Start by familiarizing yourself with breach-notification laws in your state and, because those laws generally follow the residence of the affected individuals, in the states where your clients live; most set a notification clock that starts at discovery, so the plan should say who declares an incident and when. Figure out the steps your firm will need to take immediately, such as resetting passwords and revoking compromised credentials, preserving logs and affected devices for investigation rather than wiping them, instructing staff on client communications protocols, identifying everyone who needs to be notified and enlisting PR support if needed.
Keep clients apprised of your findings — good or bad. Transparency is important not just when client data has been compromised, but also when investigation proves that it has not. You don't want clients to fear their confidential information has been exposed a minute longer than necessary.
When cybersecurity breaches first became a threat, some law firms simply folded insurance coverage into their existing attorney-liability policies. But those broad policies might not be adequate to cover all the expenses that can go along with a breach — from the costs of notifying clients and getting PR assistance to the potentially hefty price tag of lawsuits that could result from exposing clients' data. A standalone cybersecurity insurance policy could be an invaluable investment.
If learning the terms of your insurance policies is not the best use of your time, consider outsourcing to an independent insurance specialist.
Get Started — Even if You Think You're Not Ready
You won't be able to foolproof your firm's cybersecurity apparatus all at once — if ever. But you need to start somewhere, sometime, and that's right here, right now. Don't wait for a perfect solution to materialize. Determine your firm's security "must-haves" and implement those right away. You can tackle the discretionary but advisable tools and policies as you go along.
Following the steps outlined above will greatly mitigate risk and increase clients' confidence in your firm's ability to protect their data. It will also help fulfill ethical and business obligations to staff, vendors and everyone else you come in contact with.
Sound reasonable?