Why Should Law Firms Care About Cybersecurity?
Law firms may push cybersecurity measures aside in favor of other priorities: client development, accounts receivable, or keeping up with the latest legal issues. Yet your firm holds many of your clients’ most sensitive documents: social security numbers, bank account details, corporate strategy, and privileged communications. Beyond these items, there is assuredly electronic information in your control that you do not want in the wrong hands or in the public domain. Ignoring a potential problem may be the easy strategy, but the problem will not go away.
Fortunately, 79% of respondents to the Marsh 2014 Global Law Firm Cyber Survey viewed cyber/privacy security as one of the top 10 risks in their overall risk strategy. Unfortunately, 72% of those same respondents said their firm has not assessed and scaled the cost of a data breach based on the information it retains. Further, 51% of respondents said their law firm has not insured its cyber risk, and 10% do not know whether their firm has.
Simply put, a cyber incident is no longer a question of “if” but of “when.” You cannot wait until the last minute to create a plan. During an incident, the decision-makers of an organization typically feel as though they are in the fog of war: nobody knows what is really going on in the live moments of the crisis.
“For example, suppose the leader during time of crisis wants to know all the information before he or she makes a decision. The result is that the leader will ultimately never make a decision because he or she will become stymied by the unknown. The second way this manifests is with well-intended individuals who begin to speculate and even panic because there is no knowledge at present of what’s going on in this crisis, what’s causing it, or how it spreads. Lacking a good plan and a disciplined, practiced response, leaders risk watching as their organization spirals out of control; when ignorance pervades and speculation is undisciplined, they will seriously detract from the organization’s ability to respond.”
Surely you wouldn’t advise a young associate to stroll into their first deposition without taking the necessary preparatory steps. So, why would a law firm wait until a security event occurs to create a cybersecurity plan?
The core of a cybersecurity plan is an Incident Response (IR) plan. An IR plan is an organized approach to addressing and managing a security breach or attack and its aftermath. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An IR plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process to follow when one occurs: who declares the incident, who is notified (including counsel, given the firm’s notification and ethical obligations), how evidence is preserved, and how and when the firm communicates with affected clients.
Preparing an IR plan is not a simple task; it takes a considerable amount of time and management buy-in. Third-party advisors and published guidance are, however, available to assist with this step. This topic may be the subject of a future short informational post.
As cyber attacks continue to evolve, firms without IR plans will suffer. Each successive breach gets hours of national media time and is dissected in great detail. Law firms with IR plans are able to prepare and rehearse their responses to security incidents, so that when one occurs the attorneys can keep doing their work.
Written by General Counsel, Ross Meyer
More Cyber Preparedness Needed According to 2014 Law Firm Cyber Survey, Marsh, available at https://www.marsh.com/us/insights/more-cyber-preparedness-needed-2014-law-firm-cyber-survey.html.
David Mandell & Karla Schaffer, The New Law Firm Challenge: Confronting the Rise of Cyber Attacks and Preventing Enhanced Liability, American Bar Association Law Practice Today, March 2012, available at http://www.americanbar.org/content/dam/aba/publications/law_practice_today/the-new-law-firm-challenge-confronting-the-rise-of-cyber-attacks-and-preventing-enhanced-liability.authcheckdam.pdf.
N.K. McCarthy et al., The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk [Kindle loc. 928] (1st ed., 2012).
N.K. McCarthy et al., The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk [Kindle loc. 928-935] (1st ed., 2012).