I recently participated on a webinar concerning the cyber risks directly affecting law firms (“The Year of the Law Firm Hack”). My co-presenters were industry veteran Lara Forde, Esq., Privacy/Data Security Advisor at ePlace Solutions, and the dynamic Simone McCormick, an attorney specializing in cyber risk at Murphy, Pearson in San Francisco.
We went through the specific cases of law firms in the US and Canada that have been targeted by hackers (including foreign states) and also rogue employees. Also, there’s overwhelming evidence of US law firms having their privileged emails with foreign clients monitored by Uncle Sam. There are direct challenges for law firm’s duties to their clients, and we discussed best practices for security. Looking to the regulatory environment of other sectors (e.g. NY State Dept. of Financial Services examination procedures) may be good indications of what the future holds. In addition to the usual security best practices, a unique issue for law firms would be adding cyber security to the new case/ client intake – specifically (1) does the nature of the engagement create a privacy/security risk to the law firm; and 2) has the client been targeted in the past by a cyber-attack?
The obligations on law firms vary. As Simone stated: “Attorneys and law firms have to determine what laws apply to them based on their practice areas and client base. They have to be mindful about a changing standard of care especially with regard to the use of technology as it relates to competent and confidential client representation. What is acceptable today, may not be tomorrow.”
While Lara raised the issue of proactive measures. “Your employees are your biggest asset and weakest link when it comes to cyber security. Employees regularly fall victim to increasingly-sophisticated phishing emails, clicking an enticing link that loads malware into your system. The silver lining is that you have more control over employees than the other actors in a data security event (e.g. the hackers and vendors) and can reduce these risks through ongoing training and awareness programs. “
An audio copy of the webinar and the slides are available at: