In the digital age, cybersecurity is no longer a luxury; it’s a necessity. This is doubly true for law firms, which are bombarded daily by ransomware attacks, data breaches, and a litany of other data-related issues.
As cyber threats continue to get more sophisticated, the methods firms need to take to protect themselves grow more complex, time-intensive, and expensive. As if running a practice and protecting themselves on the digital front weren’t enough, lawyers nowadays must go through technology training simply to stay current with data security practices.
If that all sounds like a lot, it’s because it is, which begs the question: is cybersecurity limiting the modern law firm? This article will explain the host of obstacles with which modern law firms grapple to cover their digital bases, what security capabilities law firms should look for in third-party vendors, and how third-party providers such as Rapid Legal are stepping up to give them peace of mind.
The Complexity of Cybersecurity:
Cost
One of the biggest challenges law firms face when implementing robust cybersecurity measures is the cost. Cybersecurity solutions can be expensive, especially for smaller firms with limited budgets. A survey from the International Legal Technology Association found that firms were increasing their spending on cybersecurity and security assessment software by 40% and 44%, respectively.
This increase in spending is substantial even for big law firms that have the millions of dollars and resources to afford cutting-edge cybersecurity, but smaller firms with limited funds can easily find themselves shelling out more significant portions of their budgets if they’re to have top-of-the-line cybersecurity. This is why small firms are the most vulnerable to cyberattacks.
The cost of implementing and maintaining these solutions, as well as training staff on how to use them effectively, can add up quickly. Moreover, these costs can limit the ability of law firms to invest in other areas of their business, such as hiring additional staff or upgrading their technology.
Training
Employing cybersecurity measures, including training, is neither a simple nor an easy task. It requires technical expertise and knowledge that law firms oftentimes must get from an outside consultant. Law firms need to work with cybersecurity professionals to develop a plan that meets their unique needs and requirements, while small firms must sacrifice precious resources to protect themselves.
Regardless of the scope of the law firm’s needs, these security plans almost always require some sort of training for the legal staff. While this training is important to the overall data hygiene of the law firm, it can be a time-consuming and complicated process that limits the productivity of legal professionals.
Technology training has become so commonplace in the legal industry that 75% of respondents in the 2022 Survey from the ABA reported having technology training at their firms. According to the survey, 100% of the firms with over 100 attorneys that responded to the survey had technology training available for their attorneys.
User Error
One of the most critical weak points of any enterprise’s cybersecurity is user error. Even with strong cybersecurity measures in place, law firms are still vulnerable to data breaches and cyberattacks due to user error. Human error may seem like an anticlimactic or even silly source of error, but studies have shown it can be difficult to remedy as scams and phishing emails have become increasingly sophisticated.
These errors can include everything from employees falling for phishing scams to leaving their devices unlocked and unattended. While it is becoming an industry standard to train legal professionals to spot scams, human error will be a constant weak point so long as humans are using their devices.
While there are many different types of breaches and cybersecurity threats to be aware of, phishing is the most common. The 2021 Verizon Data Breach Investigation report found that phishing was present in 36% of all breaches.
Even more daunting, the Cybersecurity & Infrastructure Security Agency (CISA) found that 90% of all cyberattacks begin with phishing, and Intel’s International Security Quiz found that a staggering 97% of email users cannot identify a phishing email.
Compliance and Regulations
Law firms also face other obstacles when implementing cybersecurity procedures, such as compliance requirements, regulatory changes, and evolving cybersecurity threats. Compliance requirements can be complex and time-consuming to follow, and failure to comply can result in costly fines and legal action.
Cybersecurity has also affected California state legislation. The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are two of the most notable pieces of legislation affecting law firms.
The CCPA applies mostly to mid- to large-sized firms, as it applies to companies and for-profit firms that gross over $25 million, firms that sell the personal information of 100,000 or more California residents, or firms that derive 50% or more of their revenue from selling consumers’ personal data.
To be compliant with the CCPA, a law firm must implement certain measures, such as ensuring transparency in their data collection practices and providing customers with the right to access, delete, and opt out their personal information.
These businesses and law firms must also have clear privacy policies that outline their precise use of the customer’s data, as well as train employees to understand CCPA requirements and undergo regular audits and assessments.
The CPRA builds off the CCPA and imposes additional obligations to protect the privacy of personal information. Sometimes referred to as “CCPA 2.0,” CPRA shares the same revenue criteria as CCPA, although it is far stricter and more thorough in its auditing of a firm’s data collection, processing, and storage practices. Failure to comply with either act will result in costly penalties for the firms.
Regulatory changes can also impact the way law firms handle client data and require them to update their cybersecurity policies and procedures accordingly. Cybersecurity threats are constantly evolving, which requires legal professionals to stay up to date on the latest trends and best practices.
Court Rulings and Liability
Recent court rulings are making companies and law firms more liable for data security practices. In September 2022, the United States Third Circuit Court of Appeals remanded a putative class-action lawsuit against ExecuPharm, a pharmaceutical company that suffered a data leak due to a phishing scam.
What’s notable about this ruling is that the District Court had previously dismissed the case due to its speculative nature since the lead plaintiff’s information had not suffered any identity theft. Upon review of the case, the Appellate Court ruled that the plaintiff still had a substantial risk of imminent injury due to the intentional nature of the cyber-attack.
The case, which was brought under the Class Action Fairness Act for negligence, breach of contract, breach of fiduciary duty, and breach of confidence, also determined that intangible injuries such as having your data stolen and the emotional distress of having your data leaked are sufficient to file suit against a corporation. Now more than ever, companies and law firms are liable for the security of their clients’ data.
Third-Party Risks
Law firms often work with third-party vendors, such as eFiling service providers, court reporting services, and e-discovery providers, that may have access to sensitive data. If these providers have access to your firm’s system, their vulnerabilities can become yours.
Ensuring your third-party vendor has up-to-date security and is compliant is critical when choosing providers. For DLA Piper, who suffered a massive ransomware attack in 2017, their leak was caused by a compromised supplier.
Key considerations to verify when working with third-party vendors include:
- Data Encryption: Does the vendor encrypt data both in transit and at rest? Encryption ensures that if data is intercepted, it is unreadable.
- Compliance with Industry Standards: Does the vendor comply with all rules and regulations about data privacy and personally identifiable information (PII), cardholder data, and more?
- Regular Security Audits: Does the vendor conduct regular security audits to identify and mitigate potential security risks?
- Disaster Recovery and Business Continuity Plans: Does the vendor have disaster recovery and business continuity plans? These plans ensure that if there is a security breach or other disaster, your data is safe, and your business can continue operating.
- Access Controls: Does the vendor use strict access controls? This ensures that only authorized users have access to sensitive data.
- Redundancy: Does the vendor store their data in multiple data centers? Having their data stored in multiple data centers will ensure your data will be available and secure in the event one of those data centers is compromised.
How Bad Are Data Breaches, Really?
Recent high-profile data breaches have underscored the need for robust cybersecurity measures in the legal industry. For example, in 2016, a Panama-based law firm, Mossack Fonseca, suffered a significant data breach, which led to the leak of 11.5 million confidential documents. The Panama Papers leak exposed the financial dealings of some of the world’s most powerful individuals and companies, resulting in significant reputational damage to the law firm.
Similarly, in 2017, DLA Piper, one of the largest law firms in the world, suffered a significant ransomware attack that affected their systems in the United States, Europe, and Asia. This cyber-attack was so severe that it required the firm to shut down its systems entirely.
Aside from the massive reputational blow data breaches deal, there’s also a crippling cost element that comes with a major data breach. A 2022 report by IBM and the Ponemon Institute calculated the average cost of a data breach to a US company to be a staggering $9.44 million. Suddenly the exorbitant cost of cybersecurity doesn’t seem so steep.
When it comes down to brass tacks, cybersecurity is indubitably a critical part of any law firm’s digital infrastructure. While staying current with cybersecurity regulations and technology is difficult and time-intensive, practicing good digital hygiene can save your law firm from a catastrophic data breach or malware attack.
Rapid Legal’s Portal Delivers Professional-Grade Security and Compliance
As a certified eFiling service provider with 35+ courts in California, including the largest court system in the nation, Los Angeles Superior Court, Rapid Legal’s litigation support service portal is used daily by thousands of legal professionals to file and serve their legal documents. That’s why it’s built with security in mind. We follow industry best practices to ensure the privacy and security of our clients’ data.
Professional Grade Security and Compliance
- Advanced Firewalls – military-grade data encryption
- Rigorous registration and authorization protocols
- Certified Electronic Filing Service Provider (EFSP)
- PCI Compliant
Industry-Leading Technology Integrity
- Amazon Web Services enabled
- Highly automated, redundant, and scalable
- On-Demand availability 24/7
Ultimately, cybersecurity is both a nuisance and a salvation for the modern law firm. One cannot overstate its importance to the security of a firm’s and its clients’ data; however, the growing complexity of these practices, along with training employees and staying current with industry-standard practices and compliance requirements, is a massive undertaking.
Perhaps the more critical issue is how sophisticated scams are becoming. It almost seems that the moment a breakthrough security innovation happens, a new malware or hacking program cancels it out. Thankfully, with blockchain technology, AI, and even quantum computing (which is on the far horizon), law firms and their IT partners will be able to combat these malicious issues and hopefully solve them once and for all.
Do You Care About Cybersecurity? So Do We.
If you’re interested in a vendor that offers secure, reliable eFiling, court filing, or process serving, schedule a call or book a demo with a Rapid Legal team member today!
We also have an extensive resource library where you can find guides, checklists and other resources to help you eFile documents according to the local court rules in each county as well as what qualities to look for when selecting an eFiling service provider or process serving vendor.