Data security should be a top priority for any law firm, and here’s why.
It’s a fact: Clients trust you with their most confidential information. It’s also true, unfortunately, that—since clients entrust lawyers with so much of their sensitive data—law firms make prime targets for cybercrime. According to the 2017 ABA Legal Technology Survey, 22% of law firms faced a cyberattack or data breach—and you don’t want your firm to become part of that statistic.
This is why, as a legal professional, staying up to date with and understanding the latest legal technology is crucial to mitigating your firm’s risk of data breaches and keeping your clients’ data as secure as possible. But, with technology constantly evolving, where do you start?
Here, we’ll outline the fundamentals of data security for law firms in 2019. Read on for an overview of some best practices for keeping your firm’s data secure, a summary of your ethical and regulatory obligations when it comes to tech, a look at the risks and rewards of cloud-based legal software, and a few resources that can help level-up data security at your law firm.
Data security 101
When it comes to law firm data security, it’s best to start with the basics. We’ve put together the essential things you need to know about law firm data security in 2019.
What are the data security risks for lawyers?
Failing to keep data secure is more than just a huge risk for you and your firm—it can also have incredibly negative consequences for your clients.
Law firms are data hubs of great interest to hackers and criminals. Valuable information—that may include trade secrets, intellectual property, merger and acquisition details, personally identifiable information (PII), and confidential attorney-client-privileged data—will attract the ill-intentioned to your firm.
In the face of these risks, law firms are obligated to protect their clients’ information. If your firm’s security is penetrated, the consequences can be extensive—ranging from minor embarrassments to serious legal issues, including:
- Compromised communications due to phished or hacked email accounts
- Inability to access firm information due to ransomware (i.e., where hackers lock down files and demand ransom money to get them back)
- Public leaks of personal or business information (e.g., on social media)
- Loss of public and client trust in your firm
- Malpractice allegations and lawsuits
What are your ethical and regulatory obligations?
Ethically (and professionally), it’s your duty to protect client data, and to disclose your error if a breach does occur. According to the American Bar Association (ABA) Rule 1.6: Confidentiality of Information, lawyers should “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
In order to comply with this professional obligation, you must make efforts to protect your law firm’s data—this could mean implementing a cybersecurity plan, securing your mobile devices, improving communication practices through email, and vetting legal tech providers.
It’s also important to keep these ethical responsibilities in mind when adding legal technology to your firm’s toolkit. In many cases, legal technology can help you meet your regulatory obligations by better protecting your data via streamlined processes (with less room for manual error), enhanced security infrastructure, and encryption.
General Data Protection Regulations in the EU
To help address global needs for enhanced data security, Europe recently implemented a unified data protection law, the General Data Protection Regulations (GDPR). GDPR—which strives to unify the regulatory environment for businesses handling personal data—requires enhanced protection of personal data belonging to EU individuals.
10 best practices for protecting your firm’s data
There’s no one way to lock down your law firm’s data. Instead, consider a multi-factor approach to data security that employs numerous checks and takes advantage of the latest legal tech. If you’re on a Mac, you can start with these security tips; then, for whatever systems you use, consider these best practices for your firm’s security.
1. Create—and follow—a strict data security policy at your firm. A surprising majority of security issues begin with simple user error—not tech failures.
- Make a clear, easy-to-follow plan for data security and share it with everyone at your firm.
- Educate employees and enforce procedures such as using two-factor authentication for logins, only using apps vetted by the firm, or following a Bring Your Own Device (BYOD) policy for employees using their own devices.
2. Continuously train staff on mitigating data risk. Don’t assume that everyone knows how to spot and avoid a phishing email—open a dialogue and continue to train employees to avoid accidental user errors.
3. Use strong passwords. Always. Is your password simple and guessable, like your daughter’s birthday or—please, no—“123456”? Do you use the same password for every login? If so, you could be setting yourself up as an easy target for hackers.
- Create better passwords: Go for something complex and long—and change your passwords regularly.
- Some legal tech software, like Clio, features password policy settings that keep your passwords in line by requiring strong passwords and/or regular password resets.
4. Encrypt, encrypt, encrypt. Never overlook this relatively simple and highly effective measure. Encryption is a form of cryptography that uses an algorithm and a key to scramble and unscramble data. Basically, encryption translates your data—whether it’s stored in an email, a local hard drive, an internet browser, or a cloud application—into a secret code, which then requires a key or password to access it.
- Keep an eye out for applications that will take care of encryption for you. For example, Clio applies 256-bit encryption to all data in-transit and at-rest—so your data is secure at all times.
5. Secure your communications. One of the primary ways for hackers to intercept your data is in your communications. As part of your firm’s data security plan, review any vulnerabilities across your communication channels (for example, definitely avoid emailing your clients). You may also want to look into communication apps like Signal, which offer end-to-end encryption across multiple methods of messaging.
6. Grant permission thoughtfully. Not everyone on your staff needs to know everything. Be intentional when deciding who has permission to what.
7. Conduct regular audits. It’s easy to overlook weaknesses in your data security if you don’t take the time to review it. Have regular audits (you could build this schedule into your firm’s data security policy) which check for gaps in your data protection—things like ensuring former employees no longer have access to files.
8. Vet vendors carefully. While data security ultimately falls under the ethical responsibility of lawyers, legal technology can definitely help make this easier (or harder). To ensure your provider will do you more good than harm with your data, carefully vet potential vendors.
9. Plan for the worst. As much as you hope to avoid (and actively mitigate risk of) data breaches, you need to know what you’ll do if it does happen—before it happens.
- Create a plan for what to do in the event of a data breach. The plan should detail what needs to be done immediately in terms of communication, changing passwords, and reporting. It should also specify your firm’s plan for what to do if a malpractice claim is filed.
- Test the plan—don’t leave it to theory in the event of an issue.
10. Bump up your law firm’s mobile security. With more and more legal work done remotely, there’s an increasing need for mobile data security. Making use of secure mobile apps takes a lot of the heavy lifting out of the process (for example, Clio’s mobile app for lawyers allows you to access your firm from anywhere), but your smartphone in general might also need a security makeover. Secure your phone (and other mobile devices) with steps like:
- Enable encryption: While having a lock-screen password on your mobile devices is a first (essential) security measure, it won’t protect your data if someone gets a hold of your password. Enable encryption on your mobile devices to scramble data for unauthorized users, and enhance security. Here’s how to encrypt your iPhone or your Android device.
- Set up two-factor authentication: No matter how strong your password is, it can still be hacked. Adding two-factor authentication—which requires your password (the first factor) and a temporary code sent to another device (the second factor)—makes it that much more difficult for someone to access your device.
- Back up firm data to secure servers: Whether you lose your device or you’re the target of a ransomware attack, it’s smart to regularly back up your firm data to a secure, encrypted location so you’ll still be able to access most of your data. One of the benefits of using cloud-based software is that backups are taken care of for you (more on this below).
- Keep professional and private accounts separate: You don’t want to risk mixing confidential professional communications with your personal ones. Using dedicated apps for your professional work can help you keep these two worlds apart.
- Have a plan for lost or stolen mobile devices: If you lose (or someone steals) your smartphone, what’s the first thing you’ll do? From having a way to locate a missing device (like Find My iPhone or Google’s Find My Phone), to knowing how to suspend service or disable your device remotely, it’s important to make an action plan before you need it.
Tools to make security simpler
Even if you know that data security is vitally important to your law firm, there’s still the potential for you to overlook something, especially if you handle a lot of data manually. After all, the majority of lawyers are working overtime to get everything done—according to the 2018 Legal Trends Report, 75% of lawyers report often or always working outside of regular business hours—which means important issues like data security could potentially slip through the cracks.
Luckily, in an era where some technology can instill fear, you can also use tech to combat risk and make it easier to protect your firm’s data. Here are a few tools to consider:
Signal: For safer communication
Communication is key, but sending unprotected messages can put data at risk. The Signal app—which is available for Android, iPhone, or your desktop computer—lets you send secure, high-quality, end-to-end encrypted communications (including group, text, voice, video, document, and picture messages) anywhere in the world.
For an added element of security, you can also set your messages to disappear after a specified interval of time—eliminating the risk of your messages ever being read without your consent in the future.
Another bonus? As an open source project, Signal is free.
Clio: For safer legal software solutions
Clio’s legal software takes protecting your clients’ information (and your firm’s data) seriously, with security measures designed to help you stay safe and compliant.
Clio’s advanced product features and controls work to secure your data, through features like:
- Role-based permissions: Visibility into sensitive case information is restricted to specific users at your firm.
- Password policies: Clio’s password policy settings allow you to enforce strong passwords and regular password resets at your firm.
- Login tracking: By logging the IP address of every login to your account, Clio helps you keep an eye out for suspicious account activity.
- Two-factor authentication: Enhance login security by verifying user identities via their mobile device.
- Login safeguards: Is someone trying to guess your login? Clio locks your account for a period of time—automatically—after too many failed login attempts.
Is the cloud secure?
With so much prominence placed on data security, cloud-based software can be a powerful means to getting your firm in order.
As a recent Gartner article on cloud security outlined, it’s predicted that, through 2020, “public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centers.” In other words, cloud software is becoming increasingly more secure than traditional servers.
5 potential benefits of the cloud
In actuality, by moving to legal cloud computing services, it’s likely that your firm can benefit from the following:
- Improved security: When used appropriately, reputable cloud-based solutions are secure. Increasingly, using the cloud can improve your firm’s security by taking advantage of the built-in security measures (like dedicated security teams and regular security tests) that providers invest in.
- Easier software updates: Instead of wasting time and money manually updating your team’s on-premise software, you can benefit from regular, automatic, and free software updates from cloud providers.
- Eliminate the need for a VPN: The cloud lets you work from anywhere, with secure access to your firm’s information—without the need for a VPN.
- Enhanced compatibility: Cloud-based software companies make it simple to connect with other tools to get the most out of all of your applications. For example, the Clio App Directory features over 125 complementary software services to help you customize and streamline your workflows in Clio.
- Fewer IT requests and costs: Quality cloud-based software providers offer top-tier support—like phone support, live chat, and a knowledge center—to all users, which means less time and budget spent on resolving basic IT questions from your team. And, with cloud providers reducing the need for on-premise servers and hardware, you’ll save money on storage and hardware maintenance.
Best practices for legal cloud-based services
The key to getting the most from cloud services (while also ensuring your data stays protected) is to use a system of best practices to effectively vet providers and prevent user errors.
While the cloud offers secure, useful options to help your law firm run more efficiently, not all cloud providers are the same. When considering legal cloud-based providers for your firm, it’s important to ask, at minimum, the following questions:
- Do they have a security team? A dedicated, experienced security team indicates that cybersecurity is a priority.
- Are they compliant? Cloud providers should advertise their compliance with requirements like Payment Card Industry (PCI) legislation and GDPR.
- Do they conduct automated security scans? For example, Clio is audited and certified daily by McAfee Secure to help ensure Clio products are not affected by malware, vulnerabilities, and other online threats.
- Do they offer an uptime guarantee service level agreement (SLA)? An SLA speaks to the minimum level of service provided by a company to a customer in their contract; cloud providers should provide a percentage guarantee for uptime—or the amount of time that the cloud service provider is accessible to end users.
- Do they encrypt data both in transit and at rest? Providers should protect sensitive data both while it’s in motion and while it’s stored or archived.
- Are they recommended by bar associations and law societies? Approval and recommendations from legal associations indicate industry recognition for high security standards.
- What security-focused features do they promote? What other measures does the provider take to help ensure enhanced security with their software? For example, Clio enforces security training for employees.
What should take priority when it comes to data security for your law firm? Start analyzing and improving your data security as soon as possible. While it may take some work, it’s better to be proactive than to have to deal with the negative consequences of a cyberattack or data breach.
Protecting your clients’ and your firm’s data is more than just a good thing to do—it’s ethically and professionally critical to your role as a lawyer. Understanding your responsibilities and best practices can help mitigate your risk of data breaches, and some of the latest legal technology can take your security even further while also improving your firm’s overall efficiency.