Law Firm Information Security Policies Explained
By Morgan Martinez
Lawyers do a lot to protect their clients’ rights and information, from conducting conflict checks to locking filing cabinets. But as attorneys increasingly store files online and collaborate remotely, they face more challenges in protecting sensitive data against digital threats.
Below, we’ll examine what modern-day lawyers need to know about law firm cybersecurity risks and policies. We’ll also answer the following questions:
- What cybersecurity issues present the greatest risks to lawyers?
- Why should every practice establish a law firm information security policy?
- How can attorneys create a cybersecurity policy (even if they’re not tech-savvy)?
- Where can lawyers find a sample cybersecurity policy?
- What tools can help law firms protect data more easily and effectively?
What is a Law Firm Information Security Policy?
A law firm information security policy (also known as a law firm cybersecurity policy) is a set of rules and guidelines that govern how your employees and technologies manage, protect, and distribute information. This encompasses a wide range of elements, including:
- Determining an overall approach to organizational security
- Protecting clients’ data from malicious or inadvertent disclosure
- Mitigating the risk of data breaches and establishing plans for responding if one occurs
- Setting and managing passwords
- Managing access to information based on need and job role (such as partner, associate, case manager, paralegal, legal assistant, legal secretary, or accountant)
- Backing up data
- Complying with requirements set by regulatory bodies, such as state bar associations, the Health Insurance Portability and Accountability Act (HIPAA), and the European Union’s General Data Protection Regulation (GDPR)
See a sample cybersecurity policy here.
Why is Law Firm Cybersecurity Important?
Lawyers have ethical and legal duties to protect client information. Yet, many understandably struggle to fulfill this duty in the face of malicious hackers and human error.
In the American Bar Association’s (ABA’s) 2021 Legal Technology Survey Report, roughly 25% of all lawyer respondents claimed that their firms suffered from a security breach at some point. The rate of data breaches varied by firm size.
- Solo practitioners and firms with 2–9 lawyers: 17% experienced a security breach
- Firms with 10–49 lawyers: 35% experienced a security breach
- Firms with 50–99 lawyers: 46% experienced a security breach
- Firms with 100+ lawyers: 35% experienced a security breach
The frequency of data breaches in the report suggests that many firms lack adequate cybersecurity practices. This isn’t very surprising, considering most lawyers don’t have—and shouldn’t be expected to have—a technology background.
Unfortunately, lax security can result in a number of consequences, including:
- Sensitive information or intellectual property falling into the wrong hands, which puts your clients and firm at risk
- A damaged firm reputation, which leads to less business and lower profitability
- Noncompliance with state bar and other regulations
- Downtime and loss of billable hours
Establishing your law firm information security policy can protect against these risks and help safeguard your work.
What Cybersecurity Risks Do Law Firms Face?
In today’s internet-centric world, there’s no shortage of cybersecurity challenges for lawyers.
1. Stolen Email Accounts
One of the easiest ways for hackers to infiltrate your firm is via email accounts. For example, if a disgruntled former employee retains access to their inbox, they could steal intellectual property, send damaging emails, or change passwords to the firm’s systems. Therefore, all attorneys should develop a law firm cybersecurity practice focused on controlling employee access to data.
Unauthorized access may also come from outside the firm. For example, phishing attacks are fraudulent communications made to appear like they’re from a reputable sender. These email cyberattacks were also the most frequent cybercrime in 2020, according to the Federal Bureau of Investigation.
Phishing attacks can prompt you to reveal sensitive information, such as bank account logins, email passwords, or credit card numbers. They may also install malware on your computer that can steal further information and damage company-wide systems.
2. Information Ransom
A ransomware attack involves a hacker holding data hostage in exchange for money. If the hacker doesn’t receive what they want, they may keep the data, destroy the files, or share or sell the information. There are many ways to fall victim to a ransomware attack:
- Responding to a phishing email, such as clicking a link or downloading an infected attachment
- Visiting infected websites that automatically download malicious software onto your systems
- Leaving vulnerabilities in your firm’s servers that hackers can exploit
- Failing to vet vendors and third-party software that have access to your data
3. Sensitive Data Leaked to the Public
Think of all the data stored within your firm’s servers—client information, details of their lives and/or businesses, communications, case details and strategies, and financial statements. If this sensitive data were to become public, it would present a massive risk to you and your clients.
For instance, if you practice personal injury law, your clients’ medical records would be open for the world to see. If you’re a family law attorney who handles particularly complex divorces, a data breach could reveal your client’s address to their stalker ex-spouse.
4. Malpractice Allegations
As a lawyer, you have an obligation to protect your clients’ data and disclose any cybersecurity breaches. ABA Rule 1.6: Confidentiality of Information states that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
If your firm doesn’t abide by these rules, as well as those established by your state bar association, you could be subject to allegations of malpractice.
How to Create Your Law Firm’s Information Security Policy
1. Establish Password Standards
Strong passwords are the foundation of strong law firm cybersecurity. In fact, passwords containing 18 characters and a mix of numbers, symbols, and uppercase and lowercase letters could take a lifetime for the average hacker to break through, according to data from cybersecurity company Hive Systems. Simple passwords or those containing fewer than eight characters can be cracked within seconds or minutes.
Develop clear password standards for all team members as part of your law firm operations. You can read more about creating strong passwords in this guide from Microsoft. We’ll also share a cybersecurity policy example below, which contains information about password creation.
For extra security, consider adding two-factor authentication to your accounts. This type of multi-factor authentication requires two methods of identity verification. It can include a website username and password—plus a code sent via text message.
2. Develop Phishing Awareness
Defending against phishing attacks starts with knowing what they look like. Watch out for these common features of phishing emails.
- A strange greeting
- Odd terminology or tone
- Typos and grammar issues
- Unfamiliar domain names or email addresses
- Unusual and/or urgent requests, such as purchasing gift cards, changing or sharing passwords, or transferring funds
If you suspect an email is fraudulent, don’t click any links or take the requested action. Reach out to the supposed sender in a separate communication for verification.
3. Invest in Hardware Security
Cybersecurity policies should also cover hardware. The following strategies can help you keep your tech safe.
- Keep hardware under lock and key.
- Limit access to only necessary team members and third parties.
- Invest in security cameras or a real-time monitoring system.
- Consider requiring team members to lock their workstations (e.g., logging out of their computers) when stepping away from their desks.
- Ensure that all work-related hardware (including smartphones, computers, and tablets) uses encryption to prevent unauthorized disclosure of sensitive communications and records. This is becoming a must-have law firm cybersecurity practice. Learn more about encryption and other strategies to protect systems in “Cybersecurity Tips for Lawyers Working Remotely.”
4. Create an Incident Response Plan
Failing to plan is planning to fail, as they say. Although no one wants a data breach, odds are your firm will be on the receiving end at some point. Don’t wait until there’s a crisis—now is the time to proactively create your response plan.
According to the National Law Review, a thorough response plan should include:
- Key stakeholders, and their roles and contact information
- A contact list of external resources, including law enforcement
- Strategies for assessing, containing, and eradicating the incident
- A communications plan
Check with your state bar association regarding post-breach disclosure requirements and include these details in your plan as well.
5. Conduct Internal and External Security Auditing
Regular check-ups of your internal and external security systems can identify issues before they become larger problems. For example, is all anti-virus software up to date and functional? Are employees abiding by all elements of your law firm information security policy, including communications and document management? Did former employees lose access to company premises and systems immediately upon leaving the firm?
Tip: Do you have a remote or hybrid team? Check out these must-know cybersecurity tips for remote lawyers.
Your Cybersecurity Policy: Where to Start
Develop your information security protocols by reviewing this cybersecurity policy example. Then, use MyCase to help protect your firm and clients’ data—without missing a beat on billable hours.
MyCase uses bank-grade encryption to protect your work and help you stay compliant. Your team can also take advantage of:
- Unlimited secure storage in highly secure Amazon facilities
- Consistent data backups to ensure that you never lose valuable files
- A Client Portal that allows you to securely communicate with clients, send invoices, share documents, and accept payments
- Adjustable permissions to manage employee access to files
- And more
See how MyCase can keep your sensitive data secure. Get your free 10-day trial today—no credit card or commitment is needed.
For more attorney best practices and tips on law firm information security policies, subscribe to our complimentary email newsletter, “For The Record.”