Cybersecurity for Law Firms
by Stephanie Gomez | June 2019
____
Privacy Rights Clearinghouse reports that between 2005 and today, there have been 8,804 reported data breaches exposing over 11 billion records. This number is on the rise. We are approaching a world where every law firm either has been hacked or will be in the future. We must “get with the times” and adapt.
Because clients entrust their lawyers with highly confidential and sensitive data, lawyers are often targets for hackers. In today’s fast-paced world, with access to our e-mails at our fingertips, e-mails are often the weakest link for law firms.
Attorneys should be aware of the different types of hacking tools often employed against law firms, including phishing e-mails. Phishing is when a hacker uses fraudulent e-mails to lure you into sharing valuable personal information, such as account numbers, Social Security numbers or login IDs and passwords. Phishing e-mails almost always tell you to click on a link. Things to look for in a phishing e-mail include a generic greeting, a forged link, requests for personal information and a sense of urgency.
Hackers also use pretext e-mails, in which the hacker uses the e-mail address of another person and pretends to be that person. For example, the treasurer of an organization often receives an e-mail from what looks to be the president, asking that funds be transferred to a certain account. When I was treasurer of the Federal Bar Association International Law Section, I would often receive such e-mails, and when I did, I would immediately call the president directly to inquire about the e-mail. Another trick is to place your cursor on an e-mail address to see the true e-mail address sending the e-mail. Never blindly follow instructions from an e-mail that looks even slightly suspicious.
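For firms that want to automate these checks, the following added example (not part of the original article) flags the indicators listed above: a familiar name on an unfamiliar address, a forged link, a generic greeting, a request for personal information and urgency. The patterns, the `DIRECTORY` of known senders, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed patterns for the indicators named in the article.
CHECKS = [
    ("generic-greeting", re.compile(r"\bdear (customer|user|client|sir|madam)\b", re.I)),
    ("personal-info-request", re.compile(r"\b(password|social security|account number|login id)\b", re.I)),
    ("urgency", re.compile(r"\b(urgent|immediately|right away|within 24 hours)\b", re.I)),
]
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    m = re.match(r"(?:https?://)?([^/\s:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def phishing_indicators(raw, known_senders):
    """known_senders maps a lowercase display name to its real address (assumed directory)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body, found = msg.get_payload(), []
    expected = known_senders.get(name.lower())
    if expected and addr.lower() != expected:   # familiar name, unfamiliar address
        found.append("sender-mismatch")
    collector = LinkCollector()
    collector.feed(body)
    if any(URL_LIKE.fullmatch(t) and host(t) != host(h) for h, t in collector.links):
        found.append("forged-link")             # displayed URL differs from real target
    return found + [label for label, rx in CHECKS if rx.search(body)]

# Constructed sample messages and directory (not real traffic).
DIRECTORY = {"jane doe": "jane.doe@firm.example"}
PHISH = ('From: "Jane Doe" <jane.doe@mail-firmexample.test>\nSubject: Wire transfer\n\n'
         '<p>Dear Customer, send your login ID and password immediately via '
         '<a href="http://login.example-payments.test/verify">www.examplebank.example/login</a></p>\n')
BENIGN = ('From: "Jane Doe" <jane.doe@firm.example>\nSubject: Agenda\n\n'
          'Hi Sam, see <a href="https://firm.example/agenda">the agenda</a>.\n')
```

A clean result is not proof that a message is genuine; a request to move funds still warrants the phone call described above.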
The ABA and Florida Bar rules now require attorneys to be diligent in taking precautionary measures. ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Similarly, the Florida Bar requires competent representation, which may include the retention of a non-lawyer advisor of established technological competence. See Comment to Fla. Bar R. of Prof. Conduct 4-1.1.
So what should law firms and attorneys do to lower their risk profile? Here are some general policies that can help: