Cybersecurity: getting proactive about data vulnerability.

Author: Thompson, Renee E.
Position: Special Issue: Technology & the Practice of Law

Lawyers, as custodians of information, are entrusted with personal and highly confidential information in their daily practice. Unfortunately, in today's digital age, this information is vulnerable to unauthorized disclosure without definitive standards and practices in place for security control. Lawyers and their law firms may not even be the primary target of a cyber-attack, but rather a secondary access point to information within their control. With confidentiality a foremost concern, all lawyers must fully understand the risks and implications of failing to adequately protect confidential and personal data.

As a result, cyber-risk evaluation and risk management have become urgent needs for lawyers and their law firms. Underscoring the importance of this matter, recent data indicates that 80 of the 100 biggest law firms, by revenue, in the U.S. have been hacked since 2011. (1) Therefore, it appears that despite their relative size and considerable economic power, even the largest and most sophisticated law firms are vulnerable to risk.

In attempting to safeguard against the risk of a cyberattack, identification of what confidential data exists within a firm, and where it is located, is the first step to any cyber-risk evaluation and resulting plan. Constant monitoring of this information and access points to this data, either remotely or by third-party vendors, is also essential to the continuing success of any cyber-risk plan.

Employees are typically where most data breaches begin. In the security world, a firm is only as strong as its weakest link, which is usually an employee who inadvertently opens malware or a suspicious attachment; statistically, 60 percent of security events are caused by such an inside attack. (2) Illustrating the susceptibility of firms to inside attacks of this nature, recent data reflects that a surprising 61 percent of users with access to a company computer use the same login credentials on other noncompany social media websites, such as Facebook, Twitter, and LinkedIn, which makes hacking of such identification credentials much easier to accomplish. (3) Additionally, many firm employees will utilize public Wi-Fi signals when transmitting information electronically, unaware of the risk of third-party monitoring via public Internet connections. Thus, to ensure data confidentiality, many employees will require relevant training and continuing education regarding proper protection of personal identification...
