Cyber Security Best Practices for Law Firms
To hackers and cybercriminals, law firms represent high-value targets. Trade secrets, intellectual property, merger and acquisition details, personal information, and other privileged data are all examples of valuable information cybercriminals would love to get their hands on.
Consequently, data security should be a top priority for any law firm. As a legal practitioner, you’ve seen or read about the risks firsthand—Over 190 Law Firms Affected by Advanced Data Leak That Exposed Over 10,000 Legal Documents, Law Firms Targeted by ‘Hackers for Hire’, GDPR: Top UK Law Firm Falling Victim to Human Error—and understand the importance of maintaining public and client trust in your firm. But where do you start?
To help answer this question, we have compiled a list of security best practices—provided in part by a panel of experts during our latest Innovate Legal Online Meetup: The Importance of Cyber Security in our “New Normal”. We’ll also touch on your legal and ethical obligations, review the benefits of leveraging cloud-based legal technology, and provide some additional resources you can use to enhance security at your firm.
Legal and Ethical Obligations
The General Data Protection Regulation (GDPR) directly impacts your operations as a law firm. It requires you to consider the appointment of a Data Protection Officer (DPO), conduct Data Protection Impact Assessments (DPIAs), and implement technical and organisational security measures. For more information on your GDPR obligations, check out the Law Society’s GDPR guide for law firms.
Ethically (and professionally), it is your duty to protect client data. Not only do your clients expect this, according to the Solicitors Regulation Authority’s Code of Conduct, legal professionals are required to:
- Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles;
- Keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents;
- Have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks; and
- Protect client money and assets.
To comply with these obligations, you must make efforts to protect your law firm’s data. This could mean developing internal policies and procedures to support good governance, securing your mobile devices, improving communication practices through email, or vetting legal tech providers.
Cyber Security 101
There’s no one way to secure your law firm’s data. You should consider a defence in depth approach that employs administrative, technical, and physical safeguards, along with leveraging the latest in legal technology (more on that below).
Document policies and procedures
A surprising number of security issues begin with simple user error—not tech failures. A mature security program should be supported by policies and procedures for:
- Data protection
- Remote work
- Data governance
- Access control
- Incident response
Make policies clear and easy to follow, and train everyone at your firm. Consider how to operationalise your policies while also enforcing the principle of least privilege.
Perform regular security assessments
Implement an ongoing assessment process to help you identify, evaluate, and treat risks specific to your firm. Once you’ve identified a risk, you can choose to:
- Avoid the risk by simply not performing the activity,
- Transfer the risk to a vendor (such as a cloud-based provider like Clio) or an insurer,
- Reduce the risk through the use of controls like two-factor authentication, creating better passwords, and at rest and in-transit encryption, or
- Accept the risk.
All of these are viable options. What’s important is that this becomes a recurring process, as security isn’t a ‘set it and forget it’ exercise. It’s a constantly evolving discipline that requires you to adjust to your current circumstances.
Conduct third party due diligence
Given the reliance most firms have on third parties to support their practices, be sure to also include them in this assessment process. We recommend using Clio’s Cloud Computing Due Diligence Checklist, along with the Law Society’s Practice Note on using lawtech in your practice and the SRA’s guidance on technology and legal services to determine what questions you should be asking.
Make sure any guarantees or statements third parties make regarding security and compliance (i.e. security controls, the right to audit, breach notification, data storage, Cyber Essentials certification) form part of the contractual agreement.
Secure your devices and communications
One of the primary ways for hackers to gain access to your data is through your devices and communications. As part of your firm’s assessment process, review any vulnerabilities across your communication channels and look to mitigate them (for example, encrypt your firm’s emails). Consider client communication apps like Signal, which offer end-to-end encryption or Clio’s secure client portal which keeps client communications encrypted and secure.
With more and more legal work done remotely, there’s increasingly a need for mobile data security. Make use of secure mobile apps for lawyers and secure your phone, laptop, and other mobile devices through the use of hard disk encryption, anti-virus software, your built-in firewall, backup utilities, and enforcing strong passwords. Also consider the use of Virtual Private Networks (VPNs) to encrypt your internet traffic.
Plan for the worst
Develop response plans for your firm before something actually happens. The last thing you want to do is try to develop one in real time. Make sure you:
- Define roles and responsibilities and document procedures. Your plan should detail how you will identify incidents, what needs to be done, how communications will be handled, and any notification requirements. It should also clearly articulate who is responsible for what tasks.
- Incorporate guidance. The Law Society provides guidance on how to identify a cyber attack and what to do after a cyber attack.
- Test it. This reduces guesswork and ensures you are back up and running as quickly as possible.
You should also consider what you will do if your firm experiences a disaster, and have a plan in place to ensure it can continue to operate effectively.
- Your disaster-recovery/business-continuity plan should consider items such as defining critical systems and equipment, identifying appropriate tools/procedures (i.e. backups, remote sites, cloud providers, etc.), and developing communication plans.
- Make sure to test it—find out what works (and what doesn’t)!
Train your staff
User awareness is a critical cybersecurity concern for any law firm. You can have the best technology in the business, but if it isn’t backed up by good governance, it could be all for naught.
Open a dialogue and train employees to promote security best practices. Require training to be taken upon hire and annually thereafter to make sure learnings remain current.
Consider building your training program off of or leveraging the training offered by the National Cyber Security Centre.
Train your clients
Communicate with your clients about your firm’s data security practices. Different clients may be vulnerable in different ways. A client should, as part of retention, know:
- Who from your firm might contact them
- What methods of communication will be used
- What steps clients are expected to take to help preserve confidentiality
- How to report anything that deviates from the agreed-upon process
Set your clients up to be secure from the start.
Is the Cloud Secure?
With so much prominence placed on data security, cloud-based software can be a powerful way to support your firm’s data security program.
As a recent Gartner article on cloud security outlined, it’s predicted that, through 2020, “public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centers.” In other words, cloud software is becoming increasingly more secure than the data security provided by traditional on-premises solutions.
Benefits of the cloud
Security, by design: Improve your firm’s security by taking advantage of the security measures (like daily malware scans, at rest and in-transit encryption, and automated backups) and dedicated security teams many cloud-based providers employ.
Automatic software updates and maintenance: Don’t waste time and money manually updating your on-premise software. Leverage regular, automatic software updates and hardware and device maintenance by your cloud provider.
Enhanced compatibility: Cloud-based solutions make it simple to connect with other tools to get the most out of all of your applications. For example, the Clio App Directory features over 50 complementary software services to help you customise and streamline your workflows and provide added security (such as CloudMask).
Scalability: Cloud-based solutions allow you to scale up (or down) as needed. As your firm’s needs evolve over time, so does your technology stack. Avoid falling victim to the sunk cost fallacy and remain beholden to legacy systems that don’t offer the same level of security.
Clio: Secure legal software solutions
Clio’s advanced product features and controls work to secure your data, through features like:
- Role-based permissions: Visibility into sensitive case information is restricted to specific users at your firm.
- Password policies: Enforce strong passwords and regular password resets at your firm.
- Session/activity tracking: By logging the IP address of every login to your account, Clio helps you keep an eye out for suspicious account activity.
- Two-factor authentication: Enhance login security by verifying user identities via their mobile device.
- Login safeguards: Is someone trying to guess your login? Clio locks your account—automatically—after too many failed login attempts.
Learn more about Clio’s industry-leading security.
Conclusion:
Protecting your clients’ and your firm’s data is more than just a good thing to do—it’s ethically and professionally required in your capacity as a lawyer. Understanding your responsibilities and best practices can help mitigate your cybersecurity risk, while leveraging the latest in legal technology can take your security even further while also improving your firm’s overall efficiency.
Recommended Security Resources for UK Law Firms
- National Cyber Security Centre (NCSC) ncsc.gov.uk
- Information Commissioner’s Officer (ICO) ico.org.uk
- The Law Society lawsociety.org.uk
- Solicitors Regulation Authority (SRA) sra.org.uk
- IASME (for Cyber Essentials) iasme.co.uk
We published this blog post in July 2020. Last updated: February 26, 2021.
Categorized in: Clio, Technology