Legal Tech June 2024

Law Firms in the Crosshairs

Preparing for and responding to cybersecurity incidents.

Written by Candace McCaddon

Cyberattacks targeting law firms are skyrocketing, with three of the top firms—Kirkland & Ellis, K&L Gates, and Proskauer Rose—falling victim just this year.1 And it’s not just large firms falling victim. According to the American Bar Association’s 2022 Cybersecurity TechReport, 27% of law firms reported having experienced a security breach at some point.2

Law firms hold a treasure trove of financial information, intellectual property, and other confidential and personal data of their clients. Coupled with the fact that they commonly lack dedicated cybersecurity resources, it is easy to see why law firms are a prime target for hackers.

The consequences of an incident can be severe. The global average cost of a data breach is now $4.45 million, with professional services firms bearing an even higher average cost of $4.47 million according to IBM.3 In addition to the direct costs of responding to and recovering from an incident, firms face potentially significant third-party liability. Increasingly, this third-party liability includes class-action lawsuits contending that the firm had failed to adequately secure its network and to protect sensitive client data.

Cybercriminals can target a law firm’s IT infrastructure in many ways, including exploiting vulnerabilities associated with email and email servers, phishing scams, Wi-Fi network access point attacks, and breaches that deploy ransomware on computers and data servers, for example. Personal devices, including mobile phones, desktops, laptops, and other devices, are just some examples of potential attack vectors. Law firms can no longer ignore the growing cybersecurity threat. The goal of this article is to share how firms can prepare for, respond to, and mitigate the impact of cyber incidents.

KEY STEPS TO REDUCE THE RISK AND POTENTIAL IMPACT OF A CYBER INCIDENT
No law firm can protect itself completely from the possibility of falling victim to a cyberattack. However, strategic investments of its time and money can greatly reduce the potential impact of an inevitable breach. The most notable mitigants include procuring cybersecurity insurance, implementing and maintaining good security tools and practices, and preparing and practicing an incident response plan.

Cybersecurity insurance provides critical financial resources, and potentially support services, when a firm is attacked. Legal professional liability coverage (i.e., malpractice insurance) does not offer the same coverage as cyber insurance and relying solely upon malpractice insurance can leave a firm exposed. Cyber policies may cover costs associated with liability to third parties or direct expenses, such as:

  • ransom payments necessary to restore access to data or to prevent hackers from releasing stolen confidential information;

  • costs to restore data from back-ups should the law firm choose not to pay ransom;

  • costs to hire experts, including computer forensics, to uncover the source and extent of an attack;

  • notification costs;

  • loss of income due to business interruption;

  • costs associated with remediating and restoring a law firm’s network;

  • costs associated with losses due to theft; and

  • costs for regulatory fines.

The underwriting process for cyber insurance typically requires proof that a law firm currently implements and maintains adequate security controls. If a law firm has not thoroughly addressed information security, or if it lacks critical security controls, it may affect the cost of, or the ability to acquire, cyber insurance. Regardless of the size of a law firm, there are basic security practices it can implement, which are critical to protecting its data.

Fundamental security controls include:

  • creating and implementing a data security policy;

  • training all law firm employees on best data security practices on a regular basis;

  • using complex passwords that are at least 12-14 characters long and changing them regularly;

  • using multifactor authentication;

  • encrypting sensitive data at rest and in transit;

  • implementing access control to allow individuals access only to that information which they need to know;

  • using only secure mobile applications;

  • evaluating the security practices of its vendors;

  • creating and testing an incident response plan (including a communications plan); and

  • backing up the law firm’s data to secure servers and including data recovery in its incident response plan.

Small- and medium-sized law firms typically do not have dedicated IT staff, let alone cybersecurity professionals. There are many managed security services providers that can fill the gap by offering a suite of services and tools to bring a law firm’s cybersecurity hygiene up to par at affordable rates.

The importance of developing and practicing an incident response plan, or IRP, cannot be overstated. An IRP should include assigning roles and responsibilities to certain individuals, along with their up-to-date contact information (including information on how to contact them after hours). Technical protocols and escalation points should be outlined, and the IRP should include a plan for resource gathering and documentation.

A communications plan is a critical part of an IRP, especially as it pertains to communicating to a law firm’s partners, employees, and clients during a crisis. It is prudent to prepare out-of-band methods of communication in the event a law firm’s entire network must be taken offline or the security of existing methods of communication is called into question otherwise.

Equally as important is including potential notification triggers and regulatory requirements, so a firm minimizes the amount of time it spends scrambling mid-incident. Last, but not least, a law firm should establish an IRP review and testing schedule so the IRP is kept up to date and rehearsed.

Keep in mind that a cyber insurer may have specific requirements to support a claim. A policy may contain claim notification clauses with strict timeframes to report incidents—often 48 to 72 hours. An insurer may mandate certain response activities or the use of specific vendors, too. Insurers will require detailed accounting of the response and recovery expenses and labor costs. A law firm will need to keep thorough records. Records of lost billings, contractual fines, consulting fees, and other breach-related costs all need to be captured.

With these foundational elements in place, firms can minimize damage and have faster recovery time if and when a cybersecurity breach does occur.

TIME IS MONEY: EXECUTING THE INCIDENT RESPONSE PLAN
“Time is the new currency in cybersecurity, both for the defenders and the attackers . . . early detection and fast response can significantly reduce the impact of a breach.”—Chris McCurdy, GM Worldwide IBM Security Services

One of the hardest parts of incident response is detecting if an incident occurred in the first place. Often, the first indication may be a frozen device with a message from an attacker or other notification directly from an attacker alerting the user to an incident (imagine receiving an email from an anonymous source with evidence showing that the person has access to confidential client information).

If a cyberattack is detected, activating the incident response team quickly per established protocols is key. Immediate containment and isolation are critical, as is notifying a law firm’s key internal contacts and insurers.

The next priority is to determine the source and scope of the impact. A forensic investigation can reveal how and which systems and data have been compromised. Regardless of whether a law firm has internal forensics experts, it may be prudent to hire an independent third-party company specializing in cybersecurity incident response to conduct the forensic investigation to best position the law firm to defend itself against any subsequent third-party claims and liability.

If a law firm is experiencing a ransomware attack, it may be wise to engage an outfit specializing in ransomware gang negotiations if for no other purpose than to buy time to recover its data from backups.

Next, the law firm needs to think about mandatory notification and reporting obligations. Is the law firm subject to any mandatory reporting obligations under any regulatory regimes, breach notification laws, contracts, or otherwise?

Controlling the narrative during incident response is of paramount importance, too. Strategic communications are key. A law firm will want to notify its partners, employees, and clients as soon as practicably possible. The last thing a law firm wants is for its employees and clients to learn about the breach from the media or from third parties. Careful communications that avoid conclusory or premature statements, but that strike a balance with transparency, are key in this regard.

And how will the law firm’s attorneys continue to communicate and work? If the incident response team switched to out-of-band communications due to network outages or other impacts of the incident, it must ensure its attorneys are not using unsanctioned personal email. And, if a law firm decides to let employees use personal accounts or out-of-band communications, it must be sure to establish clear, easy to follow rules and to communicate to clients ahead of time how it is maintaining the security and confidentiality of clients’ information.

While attacks can and will happen to law firms of all sizes and levels of sophistication, preparation and planning equip law firms to respond quickly to minimize damages by leveraging every resource available to respond as quickly and seamlessly as possible.

This article, which was originally published in Circuits, has been edited and reprinted with permission.

Notes
1. Staci Zaretsky, Top Biglaw Firms Targeted In Global Cyber Attack, Above the Law (July 6, 2023), https://abovethelaw.com/2023/07/top-biglaw-firmstargeted- in-global-cyberattack/.
2. 2022 ABA Legal Technology Survey Report, American Bar Association (Nov. 29, 2022), https://www.americanbar.org/groups/law_practice/ resources/tech-report/2022/cybersecurity/.
3. Cost of a Data Breach Report 2023, IBM Security (Jul. 2023), https://www.ibm.com/downloads/cas/E3G5JMBP.


Headshot of Candace McCaddonCANDACE McCADDON is has over 15 years’ experience helping clients with technology transactions, as well as information security, intellectual property, and privacy matters. After spending a decade in-house at various Fortune 100 companies in the energy, chemical, and engineering and construction industries, she launched her own practice in 2023. McCaddon’s clients include some of the largest global engineering and construction companies in the world, as well as small and mid-sized managed cybersecurity services providers.

We use cookies to analyze our traffic and enhance functionality. More Information agree