Law Firms Grapple With Cybersecurity Issues and Regulatory Risks

By Joe Kelly
May 01, 2016

Security is always a concern for law firms, and the risks have only grown in recent years. Increasingly, attorneys, staff and clients have become more mobile and rely on an array of laptops, smartphones and tablets to stay connected 24/7. As more data is created and resides in more places, it becomes more vulnerable.

Law firms are not immune from deliberate and accidental data breaches, and the stakes for these kinds of incidents are extremely high. Lawyers know their ethical obligations to protect client information and maintain attorney-client privilege. They may be less aware, however, of their obligations to protect data security under such federal regulations as the Health Insurance Portability and Accountability Act (HIPAA), the Omnibus Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH). Falling victim to cybersecurity breaches and hackers can leave law firms open to sanctions, fines, unfavorable publicity and the loss of clients.

While lawyers may be concerned about cybersecurity, they often have other things to worry about, including practicing law and managing the business aspects of their law firms. Many attorneys may lack the technical expertise to know if their law firms have adequate technological practices in place to truly support security.

Yet, cybersecurity should always be top-of-mind for lawyers. Reported cases of ransomware locking attorneys out of their files in return for payment continue to rise. Hackers have bypassed heavily fortified corporations to focus on their oftentimes more vulnerable outside counsel in order to get valuable information on suits and competitive intelligence. Further, small incidents can lead to larger disasters. If an attorney loses his or her smartphone and it is not password protected or encrypted, it is an open book for anyone to access that client information.

To compound the cybersecurity challenges, tech-savvy clients can demand that their law firms use the latest technologies for communications. These clients could be concerned if their attorneys send unencrypted e-mails that contain sensitive information such as Social Security numbers or case details. If “protected health information” (PHI), such as medical records or social security numbers, is left vulnerable, regulators may also become involved.

As findings from a recent Legal Workspace survey show, many attorneys put their sensitive data at risk every day without realizing it. Lawyers need to understand their obligations in an ever-changing world and should know where their risks lie and what steps need to be taken to minimize these risks.

Where Technology and the Law Intersect, or Fail To

While lawyers are certainly smart enough to figure out many aspects of security systems, there are reasons that they do not become deeply involved in that particular aspect of law firm management. Some attorneys simply are not interested, while others lack the time to dive deeply into technical aspects. They may also be reluctant to embrace new security developments if their old systems have worked well in the past. On top of the aforementioned factors, technology changes quickly. What might be true this month can drastically change in 30 days.

Even when law firms have the time, resources and knowledge to determine the type of technology they need, introducing new tools is often complicated and expensive. Law firms need to integrate new systems with their existing ones and thoroughly train all staff and attorneys. Security technology brings an extra level of importance. When law firms encounter problems rolling out a new document management system, it is distracting enough. However, issues with security software can be far more devastating and can leave a firm's most valuable data at risk.

Costs are a consideration with any new technology, and security software is no different. When lawyers bill by the hour, every hour spent on learning new technology takes away from the bottom line. Additionally, user adoption rates for new technology are often lower for attorneys in fast-paced legal environments.

Risks Law Firms Face

When law firms are deliberately hacked or accidently lose control of their data, they may need to inform clients, judges and bar authorities. This can lead to legal sanctions, negative publicity and lost clients. Increasingly, law firms may also need to answer to federal regulators when it comes to cybersecurity events.

For example, lawyers who work with any PHI for covered entities qualify as business associates and fall under HIPAA regulations. PHI can encompass information such as laboratory results, insurance information and medical history or records.

As business associates, law firms can face substantial penalties for violating any of HIPAA's strict requirements to maintain control of, and strictly limit, who can view HIPAA-protected data. Under HIPAA regulations, the subcontractors of business associates also need to comply with the federal statutes. That means law firms must be sure that their vendors, such as software and cloud providers, abide by all the same strict regulations.

Exclusive Survey Reveals Law Firm Vulnerabilities

While many lawyers suspect their cybersecurity measures have holes, they may not know how to measure their IT weaknesses. The Legal Workspace survey demonstrates just how weak many law firm defenses are.

The poll, conducted from November 2015 through January 2016, showed that only 13% of the 240 law firms surveyed had key technology and processes in place to support HIPAA compliance and provide secure environments. These technologies and processes include items such as executed business associate agreements, e-mail encryption, keeping and reviewing access logs and intrusion detection systems.

The poll targeted attorneys in law firms with practices including healthcare, elder law, insurance defense, insurance coverage, medical malpractice, personal injury and products liability. These law firms oversee data that could qualify as PHI, which could also be attractive to hackers and others with nefarious purposes.

Fewer than half of the surveyed law firms have adopted key technologies that support advanced levels of cybersecurity. Only 45% said that they have set up encryption systems for all the law firm's e-mail, including the server, and 55% said that they have not implemented encryption or do not know if they have implemented it. In another sign of vulnerability, more than half of respondents did not indicate that they have implemented a two-factor authentication system, while 45% use intrusion detection systems.

As the survey found, law firms also struggle with the regulatory requirements for reviewing, maintaining and controlling PHI. Slightly less than half of survey respondents (48%) said that they keep and review logs of everyone who accesses PHI. Even fewer (46%) reported maintaining and reviewing logs of PHI on mobile devices that the law firms use. That includes erasing or destroying the devices when they become obsolete or unnecessary.

Fortunately, law firms do somewhat better when it comes to working with their vendors to maintain HIPAA compliance. A majority of survey respondents said that they had basic security processes in place with vendors to support HIPAA compliance. Sixty percent reported that they had executed business associate agreements with all vendors that have access to their systems. Slightly fewer (58%) said that providers that offer off-site backup services follow HIPAA guidelines. That includes developing secure processes and technology for training, documentation and access to PHI.

Shoring up Weaknesses

When conducting cybersecurity reviews, law firms should carefully explore several areas that are particularly risky. These areas include:

Use software that encrypts e-mail. E-mails and e-mail servers can be extremely vulnerable to hackers and cybersecurity breaches. Many attorneys do not consider this when they want to respond as quickly as possible to a client and decide to shoot off a quick e-mail. In order to keep emails safe, whether they are on servers or are in transit, law firms should use e-mail encryption. Many providers may not necessarily offer encryption, so law firms need to specifically ask about it.

Protect data from external threats. Law firms accumulate valuable data and can represent ripe targets for hackers. In order to fend off potential threats, law firms need to implement thorough systems that can prevent and detect unusual activity on servers. Law firms should also require that staff and attorneys use two-factor authentication. With a two-step process, law firms can dramatically minimize the chances that a person or computer program can hack into the system by generating random passwords and sending them to a pre-approved device for login confirmation. Law firms may also have firewalls in place to protect against outside threats, but standard firewalls may not be sufficient. Rather than standard firewalls, law firms should consider firewalls that contain an intrusion detection and protection system, or use cloud technology service providers that have these security systems in place.
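The two-step login described above, as an added example that is not code from the article or from Legal Workspace: a random one-time code is delivered to an enrolled device, is good for one use only, expires after a few minutes, and is discarded after a handful of wrong guesses. The `send_to_device` callback, the injectable clock and the user names are assumptions made so the example runs offline.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is good for five minutes
MAX_ATTEMPTS = 3         # then the code is discarded and must be re-issued


class SecondFactor:
    """Issue and verify one-time login codes sent to a pre-approved device."""

    def __init__(self, send_to_device, now=time.time):
        # send_to_device(user, code) is an assumed callback standing in for the
        # out-of-band channel (SMS, authenticator push) to the enrolled device.
        self._send = send_to_device
        self._now = now
        self._pending = {}  # user -> [code, issued_at, attempts]

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded 6 digits
        self._pending[user] = [code, self._now(), 0]
        self._send(user, code)  # the code never goes back to the login page

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False  # nothing issued, or the code was already consumed
        code, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[user]  # expired or too many guesses: force re-issue
            return False
        entry[2] += 1
        ok = hmac.compare_digest(code, str(submitted))  # constant-time compare
        if ok:
            del self._pending[user]  # single use: a replayed code fails
        return ok


if __name__ == "__main__":
    sent = {}  # constructed stand-in for the enrolled device's inbox
    sf = SecondFactor(lambda user, code: sent.__setitem__(user, code))
    sf.issue("attorney1")
    print(sf.verify("attorney1", sent["attorney1"]))  # first use succeeds
    print(sf.verify("attorney1", sent["attorney1"]))  # replay is rejected
```

The password check that precedes this step is left to the firm's existing login; the code path above only adds the second factor.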

Take a fresh look at backup systems. Based on security, business continuity and compliance reasons, law firms should have comprehensive backup systems in place. Ideally, backups should be done automatically and offsite. Law firms should ensure that redundancies exist in case their primary systems fail or if the main backup location is damaged by fire or natural disaster.

Think like a hacker. Hackers are constantly looking for new hardware and software to overcome defenses that law firms install. Attorneys should take a proactive approach to testing their systems to stay one step ahead. At the very least, HIPAA requires that firms conduct annual external security scans.

Question providers. Since law firms have duties to maintain confidentiality, ensure privilege and abide by all regulations, they must have confidence in their providers. But they must also understand the technologies and protocols their partners use. When working with cloud-based technologies in particular, law firms need to ask specific questions of their providers about whether their environments have been thoroughly vetted and abide by government security standards, as well as industry-best practices.

Conclusion

Maintaining security policies and staying in compliance with federal regulations can be expensive and time-consuming for law firms. However, the failure to comply can be even more costly regarding sanctions, fines and reputational damage. Lawyers need to educate themselves about the risks they face and the technology they need to combat these risks. In many cases, it may make sense to work with providers that have a specific expertise in cybersecurity and regulatory compliance. This allows lawyers to focus on practicing law, not overseeing IT.


Joe Kelly, founder and CEO of Legal Workspace, formally launched the company in 2010. In 2006, he first saw the potential for the Legal Workspace solution because of his broad exposure to how law firms operate.
