Protecting Client Data: Shoring Up Information Security at Law Firms
According to Marsh’s 2014 Global Law Firm Cyber Survey published early this year, nearly 80 percent of law firms consider cyber security and privacy to be one of their firm’s top 10 risks, but 51 percent said they have not taken measures to reduce cyber risk.
As I wrote about previously, law firms handle a lot of different types of private information, including:
- Employee payroll, retirement plan and health benefits information
- Personal information of vendors, clients, client adversaries and other parties
- Financial, medical and privileged communication data related to an investigation or case
- Intellectual property and trade secrets
Law firms also provide personal information to technology vendors, making their vendors a potential target of malicious hackers as well.
Who's Legislating Legal?
The lack of federal information security standards and legislation for law firms may have them skirting the issue, which is problematic for client data privacy. General state laws on securing personal information may apply - some mandate encryption and other security requirements, according to AmericanBar.org.
Law firms may be subject to other laws that affect their clients and cases. Those include HIPAA for healthcare, PCI DSS for retail, FFIEC guidelines for the financial/banking industry and more. Breach notification laws also vary by state, while a few states don’t have any security breach law - including Alabama, New Mexico and South Dakota.
But naturally, it’s not just the hand of law that should dictate the need for security - keeping your clients’ data secure is a smart business move and reputation-saver. According to the Ponemon Institute’s most recent report, 2015 Cost of Data Breach Study, the average total cost of a data breach has risen 23 percent since 2013 to $3.8 million.
And despite breach notification costs decreasing slightly, the costs associated with lost business due to a data breach are also increasing. Those costs include customer turnover, increased customer acquisition activities, reputation losses and diminished goodwill. The costs have risen from $1.23 to $1.57 million in 2015, representing a 27.6 percent change, despite notification costs decreasing almost 11 percent.
To stay competitive (and not to mention the ethics around keeping client data confidential), law firms need to put a security strategy in place that can effectively keep attackers out without frustrating or slowing down their lawyers’ daily workflow.
Examples of Law Firm Data Breaches
While law firm data breaches aren’t easy to report on as they rarely make the news circuit, AmericanLawyer.com cited one example of a breach back in February 2014.
The Washington, DC-based international law firm McKenna Long & Aldridge notified current and former employees of unauthorized access to a server that belonged to one of the law firm’s vendors. On that server, there were hundreds of records of stored personal data including names, addresses, wages, taxes, SSNs, birthdates and ages.
A malicious hacker accessed all of that personal data simply by using a username and password of an account administrator - on three separate occasions, according to their breach notification letter (PDF).
More recently in March, Bloomberg.com reported on a small Redlands-based law firm Ziprick & Cramer that was attacked with the ransomware variant, Cryptolocker. Ransomware refers to malware used to encrypt the victim’s files, with decryption available only if the victim pays the malicious hackers.
According to the breach notification letter (PDF), one of the law firm’s workstations was infected, then the virus spread to data stored in an in-house server. While there’s no word on how the workstation was infected, malware can often find its way into organizations via attachments in document files sent as a phishing email.
Two-Factor Authentication for Law Firms
The 2015 Verizon Data Breach Investigations Report (DBIR) revealed that certain departments were more likely than others to fall victim to phishing attacks - they found that Communications, Legal and Customer Service were the top contenders.
Phishing emails and stolen credentials are some of the easiest low-tech ways that criminals go after law firms and their vendors. In the case of McKenna Long & Aldridge, their servers containing SSNs were protected only by a username and password. Yet, best security practices dictate that privileged administrator accounts should be protected with two-factor authentication, an additional layer of security that requires the verification of your admin’s identity via their mobile device.
But having to complete two-factor authentication every time you log into an application might be annoying for regular users who don’t have privileged access to these servers - they may just need to check their email. Some two-factor solutions let you create custom controls that require only a small subset of users (such as admins) to complete two-factor authentication to access servers, while letting others who use trusted devices and networks complete two-factor only once every 30 days.
That cuts down on the disruption to your end users who don’t have privileged access, while giving you more control over those who do.
Other examples of authentication policies and controls:
- Block access if the user is logging in from countries you don’t do business in - like China or Russia
- Block login attempts to any application when coming from anonymous networks like Tor
- Require two-factor authentication for all contractors accessing certain applications, like Salesforce and Office 365
- Only allow a small group of privileged users to access sensitive applications or servers, and require that they use Duo Push authentication
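The controls listed above are, in effect, an ordered policy: hard blocks (geography, anonymous networks) are evaluated first, then the privileged-access restriction on sensitive servers, then the contractor rule, and only then the trusted-device allowance that lets ordinary users skip the second factor for 30 days. The following is an added illustration of that evaluation order written for this page; it is not Duo's code or API. The role names, application names, the blocked-country set and the `decide` helper are all constructed placeholders a firm would replace with its own values.

```python
"""Illustrative authentication-policy evaluator (added example, not a vendor's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"              # first factor is enough for this login
    REQUIRE_2FA = "require_2fa"  # prompt for the second factor before granting access
    DENY = "deny"                # refuse the login outright


@dataclass
class LoginContext:
    """Facts the policy engine knows at login time (all values constructed)."""
    user: str
    role: str                     # "admin", "contractor" or "staff"
    application: str
    country: str                  # ISO 3166-1 alpha-2 code from IP geolocation
    anonymous_network: bool       # True when the source IP is a known Tor exit or anonymizer
    trusted_device: bool          # device previously enrolled and marked trusted
    last_2fa: Optional[datetime]  # when this device last completed two-factor, if ever


@dataclass
class PolicyResult:
    decision: Decision
    reason: str
    method: Optional[str] = None  # second-factor method to demand, if any


# Policy parameters: placeholder sets that a firm would tailor to its own environment.
BLOCKED_COUNTRIES = {"CN", "RU"}                  # countries the firm does no business in
SENSITIVE_APPS = {"document-server", "payroll"}   # hypothetical privileged-only systems
CONTRACTOR_2FA_APPS = {"salesforce", "office365"}
PRIVILEGED_ROLES = {"admin"}
REMEMBER_DEVICE_FOR = timedelta(days=30)          # trusted devices are re-prompted every 30 days


def evaluate(ctx: LoginContext, now: datetime) -> PolicyResult:
    """Apply the rules in priority order. Anything that matches no explicit
    allowance falls through to a two-factor prompt, so the default is not ALLOW."""
    # 1. Hard blocks come first so that no later allowance can override them.
    if ctx.country in BLOCKED_COUNTRIES:
        return PolicyResult(Decision.DENY, f"login from blocked country {ctx.country}")
    if ctx.anonymous_network:
        return PolicyResult(Decision.DENY, "login from anonymous network")

    # 2. Sensitive servers: only the privileged group, and always with push-style
    #    two-factor, even from a device that is otherwise trusted.
    if ctx.application in SENSITIVE_APPS:
        if ctx.role not in PRIVILEGED_ROLES:
            return PolicyResult(Decision.DENY, f"{ctx.role} not permitted on {ctx.application}")
        return PolicyResult(Decision.REQUIRE_2FA, "privileged access to sensitive system", method="push")

    # 3. Contractors always complete two-factor for the covered applications.
    if ctx.role == "contractor" and ctx.application in CONTRACTOR_2FA_APPS:
        return PolicyResult(Decision.REQUIRE_2FA, "contractor accessing covered application", method="any")

    # 4. Regular users on a trusted device are prompted only once every 30 days.
    if ctx.trusted_device and ctx.last_2fa is not None and now - ctx.last_2fa < REMEMBER_DEVICE_FOR:
        return PolicyResult(Decision.ALLOW, "trusted device within remembered window")

    # 5. Default: require the second factor.
    return PolicyResult(Decision.REQUIRE_2FA, "no allowance matched", method="any")


# Fixed reference clock so the examples are reproducible (constructed value).
NOW = datetime(2015, 6, 1, 9, 0, 0)


def decide(role: str, application: str, country: str = "US", anonymous_network: bool = False,
           trusted_device: bool = False, days_since_2fa: Optional[int] = None) -> PolicyResult:
    """Convenience wrapper that builds a LoginContext relative to NOW and evaluates it."""
    last = NOW - timedelta(days=days_since_2fa) if days_since_2fa is not None else None
    ctx = LoginContext("user@example.invalid", role, application, country,
                       anonymous_network, trusted_device, last)
    return evaluate(ctx, NOW)


if __name__ == "__main__":
    scenarios = [
        ("staff", "email", {"trusted_device": True, "days_since_2fa": 10}),
        ("staff", "email", {"trusted_device": True, "days_since_2fa": 45}),
        ("staff", "email", {"country": "RU"}),
        ("staff", "email", {"anonymous_network": True}),
        ("contractor", "salesforce", {"trusted_device": True, "days_since_2fa": 1}),
        ("staff", "document-server", {"trusted_device": True, "days_since_2fa": 1}),
        ("admin", "document-server", {"trusted_device": True, "days_since_2fa": 1}),
    ]
    for role, app, extra in scenarios:
        r = decide(role, app, **extra)
        print(f"{role:10s} -> {app:16s} {r.decision.value:12s} {r.method or '-':5s} {r.reason}")
```

The ordering is the point worth checking in any real policy engine: a trusted-device allowance that is evaluated before the geography or anonymous-network block would quietly let a remembered laptop through from a location the firm never intended to permit, and a privileged user should be prompted for the sensitive server regardless of how recently their device was remembered.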
Learn more about Duo Access, an easy way to get advanced two-factor authentication for your law firm.