Whether they’re part of a law firm or in-house counsel within a company, lawyers handle sensitive information every day.
That alone makes them prized targets for cybercriminals. The American Bar Association’s 2021 Technology Survey Report found that 25% of lawyers in the United States have experienced a data breach before. And for those lawyers working in-house, the typical business experiences an average of 42 cyber attacks annually according to Keeper Security’s 2022 US Cybersecurity Census Report.
Lawyers have ethical and legal obligations to protect client data and, if they suffer a data breach, to promptly report it to the proper authorities as well as to their clients. They also have a critical role to play in the aftermath of a breach.
In this blog, we’ll take a closer look at the cyber risk that lawyers face and how IT teams and law firms can protect their clients and their organizations.
The Cyber Threat Against Legal Teams
Lawyers understand the value of information security — it’s essential to the confidentiality that makes legal counsel and the attorney-client relationship possible.
However, sometimes limited IT resources, the volume of sensitive information they handle and security vulnerabilities in legal software leave legal teams prone to cyber attacks.
Depending on the practice area and setting, lawyers oversee a variety of sensitive and confidential information. Clients, employees and their companies trust it to remain secure in their hands.
- Employment lawyers may process the Personally Identifiable Information (PII) of their clients, including social security numbers, driver’s license numbers, dates of birth and medical records.
- Housing lawyers are likely to see financial records tied to any transactions.
- Corporate legal teams often have records on tax arrangements, company Intellectual Property (IP), access to commercial bank accounts and critical business records like mergers and acquisitions (M&A) plans.
Security Gaps in Legal Tech
Legal technology (or Legal Tech) aids in everything from accounting and billing to client communications and document management. With trust and confidentiality so fundamental to legal practices, having secure legal tech is critical.
Legal tech enables organizations to more quickly process data, reduce clerical errors, create transparency in billing and allow global legal teams to more effectively collaborate. The number of documents legally admissible as evidence has increased the document load on lawyers, catalyzing the adoption of Legal Tech. Electronic discovery (or eDiscovery) software helps lawyers source and sift through documents and focus on more impactful work.
Like many software vendors, however, those in the growing legal technology space have their share of vulnerabilities that put client, employee and organizational data at risk of leaking.
Solo Practitioners and Small Firms Piece Together Security
Solo practitioners and attorneys at small practices play many different roles in keeping their doors open, including at times, information technology or security analyst. Small firms are the most common practice setting for lawyers in the United States. An American Bar Association (ABA) survey in 2020 found that 26% of all attorneys in the United States are sole proprietors and that 30% work at firms with fewer than 10 attorneys.
While many small firms work with Managed Service Providers (MSPs) that help them procure and manage their legal software, the ABA’s 2021 Technology Survey found that 80% of small firms are primarily responsible for overseeing their own technology security.
Firms and In-House Teams Backed by IT Still Face Threats
For larger law firms and in-house legal teams, dedicated security professionals with resources behind them are on staff to manage information security and technology. However, having more resources doesn’t necessarily translate into fewer attacks or breaches.
With a larger attack surface — more people, more devices and a cache of data covering large global clients — large law firms and corporations are extremely vulnerable.
The ABA’s survey of lawyers in 2021 found the following incidence of breaches among law firms, by size:
- 1-9 attorneys — 17%
- 10-49 attorneys — 35%
- 50-99 attorneys — 46%
- 100+ attorneys — 35%
Time Pressure Favors Ease Over Security
No matter where or how they practice, lawyers have a duty to protect client information. However, productivity and billable hour requirements often clash with information security in ways that undermine confidentiality.
Security training can help attorneys and non-legal professional staff recognize threat vectors and instill the importance of information security in a client-centered practice. Password hygiene, for example, goes a long way to mitigating the risk and impact of cyber threats.
Unsecure Document Sharing with Clients
Legal documents and communications are full of confidential and personally identifiable information. Many lawyers share or receive sensitive documents and messages with clients over unencrypted lines like email, text messages or through a USB drive.
While these methods may seem convenient, using them exposes an organization to a higher risk of a breach — particularly if lawyers are conducting business on unauthorized personal devices.
High (and Low) Profile Attacks Against Lawyers
Two of the most common threats against lawyers are phishing and social engineering attacks. A cybercriminal may impersonate a client or known contact, requesting that the recipient share information or click on a link.
In recent years, high-profile cyber attacks against large law firms have highlighted the pervasive threat against lawyers and sensitive data. The Panama Papers and Paradise Papers, two disclosures that revealed offshore investments and tax protections, originated with the breach of law firms’ client data.
The firm breached as part of the Panama Papers leaks shut down in the months following, noting the reputational damage it sustained. Closure is a fate shared by 60% of small-to-midsized businesses (SMBs) within 6 months of a breach.
Large law firms have also suffered notable cyber attacks in recent years. In one such case, cybercriminals breached a firm to steal a client’s business plans and make financial trades on pre-public information. Before their arrest, the cybercriminals made $4 million in illegal profits.
Legal Aid in Compliance and Audits
Beyond the personal management of confidential data in their own roles, lawyers are critical partners in overseeing the organizational data environment — and especially so when it requires regulatory compliance. Many lawyers in heavily regulated industries like healthcare and financial services partner with their Governance, Risk and Compliance (GRC) departments.
Although compliance isn’t strictly an external cyber threat, non-compliance carries a significant risk of costly litigation or business disruption. Compliance with Sarbanes-Oxley and HIPAA, for example, requires access-control monitoring and event auditing for all critical software. The compliance and audit process — which is already complex and time-consuming — becomes even more time-consuming when legal and GRC teams lack on-demand visibility into user activity and events in software.
How IT Can Help Legal Teams with Keeper
Among other security best practices that lawyers can take up quickly, the management of sensitive data by legal teams necessitates the use of strong, complex and rotated passwords.
Legal technology, CRM software and general productivity tools like email and Slack, process sensitive and confidential data. They are also connected to many accounts that host valuable data.
Without enterprise password management, lawyers and organizations are at a higher risk of a breach with a significant impact, including:
- Fines for violating regulations or leaking client or employee information
- Litigation for not taking proper measures to protect client and employee data
- Lost productivity from disabled systems, including bringing business to a standstill for days at a time
- Ransomware attacks
- Reputational damage and loss of business
Legal Teams Can Protect Clients and Productivity with Keeper
Keeper Password Manager helps legal teams, the judiciary and law firms of all sizes defend against cyber threats and protect client information — without compromising productivity.
- Keeper enables lawyers moonlighting as IT administrators, as well as professional IT administrators and Managed Service Providers (MSPs), to enforce strong passwords, protecting critical legal technology and project management software.
- Keeper SSO Connect® allows legal teams to integrate their existing SSO solution — enhancing and extending it with zero-knowledge password management and encryption. That way, they can securely and automatically sign into their systems.
- KeeperFill® autofills login credentials in the web browser, extending the seamless productivity of Keeper online.
- One-Time Share, a tool especially popular among legal teams, lets them share encrypted records on a time-limited basis. It doesn’t require that recipients have Keeper, meaning legal teams can securely share sensitive documents, files and login credentials with any client or third party.
- Secure File Storage uses zero-knowledge encryption methods to ensure only the user can access and decrypt stored files. Lawyers can use this capability to protect and store client records, tax paperwork, insurance documents, business licenses, deeds and titles, bank account statements or any other type of sensitive or confidential document.
- Compliance Reports streamlines compliance reporting with HIPAA, Sarbanes-Oxley (SOX) and other regulations that require access-control monitoring and event auditing. It diminishes the risk of fines, penalties or potential litigation resulting from non-compliance.
Whether IT teams are looking to protect the security of their legal departments or law firms, they need to secure client and organizational information. Keeper has product offerings to protect passwords, credentials and sensitive information.
To protect your critical legal software and client data, try Keeper for free for 14 days or request a quote below.