Law firms owe their clients several types of duties, such as the duty of care and the duty to provide competent representation, as well as other ethical responsibilities. These duties even extend to former clients and must be upheld long after the formal attorney-client relationship has ended. More specifically, lawyers have a duty not to disclose any information about a client or prospective client unless that individual consents or an exception is dictated by law. Protecting this sensitive client information is becoming more challenging as cyber threats continue to grow.
The Cybersecurity and Infrastructure Security Agency (CISA) states that cybersecurity is the art of protecting networks, devices, and data from unlawful access or criminal use and the practice of guaranteeing confidentiality, integrity, and availability (CIA) of information. The relationship between a law firm and their clients is built on trust, and the potential for repeat business is only possible when the client trusts the firm to competently resolve their legal matter. So how do law firms maintain a trustworthy reputation when conducting most of their work digitally where there’s the risk of cyber attacks that result in data breaches? They utilize strategies and security tools that prioritize the confidentiality, integrity and availability of client information.
Given the wealth of information and the awareness surrounding the importance of cybersecurity programs for the legal industry, firms of any size should prioritize the CIA of client data. Several recent examples further drive this point home. Earlier this year, a security incident resulted in the loss of access to email and remote work systems for one law firm. After a 2021 security incident, an investigation of this mid-size law firm revealed that a cyber attack may have resulted in unauthorized access to some of its files containing personal information.
Many law firms face challenges in developing a mature cybersecurity program due to smaller security teams and budgets. Challenges include investing in the appropriate security tools, maintaining a team with the appropriate expertise to not only assess risk, but to identify the right security controls that will mitigate such risks, and implementing a cybersecurity awareness and training program for lawyers and legal staff. As a result, many law firms don’t have a robust strategy for safeguarding client data, knowledge of existing security tools, or an incident response plan that is consistent with the latest law firm cybersecurity best practices in the event that there is a security incident.
In addition to a law firm's ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients, there are contractual and regulatory duties to protect confidential information. A mature cybersecurity program will have a data inventory that includes the types of data processed and a mapping to regulatory compliance obligations. This ensures that sensitive data is not improperly disclosed and that the firm is in compliance with the data privacy, information security and breach notification requirements of local and national laws, as well as international laws.
Law firms can strengthen their cybersecurity program through awareness and training for lawyers and legal staff, by creating and maintaining a complete inventory of all data assets, and by investing in technology that will help automate the most critical security controls, such as identity and access management (IAM), threat detection, and monitoring and alerting.
Many law firms retain client information primarily in electronic case files. It is not humanly possible to review each file on a daily basis to determine the integrity of the file and its contents. Yet there are scenarios in which it may be necessary to determine, in real time, whether a client's file has been opened, changed, deleted, or shared. This type of review (for example, a review for file access, modification or deletion) and the insights derived from it are critical for firms that need to understand what may have happened to a file, who may have accessed it, and whether data was exfiltrated. Such information may signal that a cyber attack has occurred. File Integrity Monitoring (FIM) and Security Configuration Management (SCM) are technologies that monitor for and detect changes on your network that may indicate a cyber attack. FIM and SCM not only detect changes but also help security operations teams remediate unauthorized changes, reduce risk, and maximize uptime.
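As an added illustration, not taken from the article or from Tripwire's product, the following Python code shows the baseline-and-compare idea at the core of file integrity monitoring: it hashes every file under a case-file directory, stores the digests as a baseline, and later reports which files were added, modified or deleted. The directory layout and file contents are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of the contents; size and mtime can be forged, a digest cannot."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Baseline: relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify drift since the baseline as added, deleted or modified paths."""
    both = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "deleted": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def save_baseline(snap: dict, path: Path) -> None:
    # Keep the baseline on a separate, write-protected store: whoever can edit it can hide changes.
    path.write_text(json.dumps(snap, indent=1))

def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())

def demo() -> dict:
    """Constructed sample tree of case files, then one edit, one deletion and one new file."""
    root = Path(tempfile.mkdtemp())
    (root / "matter-001").mkdir()
    (root / "matter-001" / "notes.txt").write_text("privileged notes\n")
    (root / "matter-001" / "exhibit-a.pdf").write_bytes(b"%PDF-1.4 constructed\n")
    (root / "matter-002").mkdir()
    (root / "matter-002" / "retainer.txt").write_text("retainer agreement\n")
    baseline_file = Path(tempfile.mkdtemp()) / "fim-baseline.json"
    save_baseline(snapshot(root), baseline_file)
    (root / "matter-001" / "notes.txt").write_text("privileged notes, edited\n")  # modified
    (root / "matter-002" / "retainer.txt").unlink()                               # deleted
    (root / "matter-002" / "outbound.zip").write_bytes(b"PK constructed")          # added
    return compare(load_baseline(baseline_file), snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A production FIM tool adds what this sketch omits: a scheduled or event-driven rescan, per-file ownership and permission checks, and routing of the report into the firm's alerting pipeline.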
A reputation for honesty and integrity is crucial to a law firm's potential to receive future business. Law firms must align the broader duty of confidentiality with the requirement to use reasonable measures to protect client information at a time when the threat landscape is constantly evolving and threat actors continue to use more sophisticated and far-reaching attacks to gain unauthorized access to sensitive data.
The risk of reputational and brand damage, as well as regulatory fees, necessitates strong cyber hygiene and a mature cybersecurity program: one that not only covers the basic tenets of information security but also regularly evaluates whether effective tools are in place to provide insights and actionable intelligence. Given the well-established duty of confidentiality in the profession, all law firms, regardless of size, can improve their cybersecurity programs by using integrity monitoring software, not only to identify unauthorized activity but also to comply with regulations that require monitoring and reporting of certain activities.
To learn more about Tripwire’s FIM and SCM solution, click here.
About the Author: Ambler Jackson is an attorney with an extensive background in corporate governance, regulatory compliance, and privacy law. She currently consults on governance, risk and compliance, enterprise data management, and data privacy and security matters in Washington, DC. She also writes with Bora about today's most important cybersecurity and regulatory compliance issues.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.