You’ve heard of cyberwarfare against nations, but what about cyber attacks against law firms?
It’s not as obscure as it sounds. In fact, it’s not obscure at all.
A quick poll of law firm professionals at the program “Whither Cyberspace: Security, Privacy Rights, the Law and the Private Sector,” sponsored by The Standing Committee on Law and National Security, revealed that 100 percent of professionals believed their firm has been, at one time, the victim of a cyber attack.
Unfortunately, Stewart Baker, partner at Steptoe & Johnson and panelist at the program at the American Bar Association’s Midyear Meeting in New Orleans, said it was difficult to measure the occurrences of cyber attacks within the law industry.
Corporations generally withhold information about whether their computer systems have been compromised, because most businesses are either embarrassed or fear that other companies will gain a competitive advantage, said Baker (via the ABA).
Nevertheless, “Law firms are a prime target for cyber attacks,” confirmed Baker (via the ABA).
Statistics regarding the frequency of cyber attacks may be limited, but action to prevent them should not. Law firms must take steps to protect the confidentiality of their clients and cases.
Harriet P. Pearson, vice president, security counsel and chief privacy officer at IBM Corp., suggested three starting points for your law firm (via the ABA):
- Risk Awareness: “Isolate your crown jewels or most sensitive matters and devote resources to protect them.”
- Ask yourself, “Do you have the right approach? What is your plan if your system has been compromised?”
- What is your plan of action to respond?
The last point is especially important for the modern law firm.
Ensure your IT department has a plan of action to respond to potential cyber attacks. How will you shut down the system and restart securely?
How should your associates continue to operate? How and when will you inform clients?
Law firms have an ethical (if not legal) duty to inform their clients of any potential compromise of private information. However, due to the sensitive nature of such an announcement, make a plan of action specifically for name partners.
The name partners should call each client personally. They should assure the client that all security measures have been restored successfully. Be as clear and concise about the cyber attack as possible.
Quick action will lead to the best possible outcome, as will honesty and open dialogue.
Panelists agreed that lawyers need to do all they can to help their corporate clients understand the risks (via the ABA).
Before any incident, lawyers should provide clients with tools to understand the risks of a cyber attack, including:
- The book, Sailing in Dangerous Waters
- A Study of Sony’s $1.2 billion loss and the cost of other data breaches at the Ponemon Institute
- Securities and Exchange Commission (new disclosure requirements)
Cyber attacks make not only a firm’s finances vulnerable, but its reputation as well. Although costly, financial losses can be recovered via increased casework, time, or insurance. However, reputation is harder, if not impossible, to completely renew.