Last time I established some key elements that law firms should keep in mind about cybersecurity for their businesses. Law firms are big targets of cyber-attacks and have been involved in many famous cases of data leaks, such as the Panama Papers. Cybersecurity isn’t a one-and-done exercise; it’s something that needs to be reevaluated regularly, because cybercriminals are always coming up with new ways to attack you.
Law firms need to be assessing, mitigating, and updating their cybersecurity plans and procedures. Regularly assessing your cybersecurity is a lot of work. So, should law firms hire a chief information security officer (CISO)? If you’re a large law firm and you don’t have a CISO, you’re probably negligent. Smaller firms, however, cannot realistically hire a CISO and should instead outsource their cybersecurity needs, as many already do for their IT issues.
But even that can get expensive. Some may think it would be best to do nothing, then claim ignorance if trouble does befall them and they end up in court. If you didn’t look into your cybersecurity, then you wouldn’t know that vulnerabilities existed, and if you didn’t know what was going on, then couldn’t that be a credible claim in court?
Well, I’m here to say that’s a terrible idea. It looks much worse to the public when you claim ignorance in court rather than owning up to your mistake and giving a truthful reason such as “it was too expensive to fix everything”.
You must choose which risks you will mitigate based on the amount of resources that you have. If you can’t afford to fix all the issues with your cybersecurity, I recommend conducting a cyber risk assessment with a cyber-risk specialist as well as outside cybersecurity counsel. Working on your cybersecurity with an attorney gives you the benefit of attorney-client privilege if you are ever brought to court for a data breach.
The details of your assessment and risks will be protected from being used as evidence against you. You can slowly work your way up to mitigating most of your risks that way, with the benefit of not being seen as negligent.
In the end, you cannot claim ignorance regarding your cybersecurity problems. You don’t need to take all cybersecurity steps possible. Rather, take reasonable steps and you are more likely to be spared from charges.
Law firms are required to have adequate security measures in place to protect their clients. Just start by doing what you can, and gradually build from there.
If you want more information, you can contact my good friend Jake Bernstein at the law firm Newman Du Wors here in Seattle at jake@focallaw.com, or read some of my other articles and blog posts here at cyberriskopportunities.com.
And finally, remember that cybersecurity isn’t something you buy; it’s something you do. I’ll see you next time.