Confidentiality is an essential element of practicing law. Attorneys are expected to maintain confidences with their clients, regardless of whether communications are made in writing, orally or in hieroglyphics. Therefore, securing client data stored electronically is mandatory so it can’t be hacked or otherwise obtained.
The problem is that even the tightest cybersecurity software is vulnerable to breaches. Why? Because it is human beings, with their imperfections or, sometimes, nefarious goals, who oversee the implementation of cybersecurity programs.
“A lot of risk exists due to humans’ mischievous actions or error,” says attorney Tom Barnett, Special Counsel with the Los Angeles office of Paul Hastings LLP. “Even the most amazing, elaborate home security system fails if you leave the front door open.” Barnett is also Chief of the firm’s Data Science & Analysis Investigation department.
With that in mind, is there really anything a law firm can do to minimize the likelihood of a cybersecurity breach or hack, even when the most sophisticated cybersecurity protocols are implemented? “Getting humans to comply is essential. No program can overcome the human element,” he says.
Protecting Against Human Error or Malfeasance
While the human element makes any cybersecurity program vulnerable, there are still steps a law firm can take to minimize that threat.
Proper training is one weapon, says Barnett. “Training programs have gotten more sophisticated with actual testing to simulate real-life cybersecurity risks, so it is important to implement and refresh training.” A lack of training can cause people to forget how to respond to a cybersecurity threat or breach.
Petronella agrees that consistent training is essential. In fact, his company developed a solution by “blending training with 22 patented security layers together, so even if a human clicked on infected ransomware, malware or zero-day malware payload link by accident, the breach would be stopped in real time,” he says.
Consistent monitoring for compliance is essential, too. “Watch for nefarious actors,” Barnett urges. He also suggests law firms invest in software that deciphers red flags indicating a breach has occurred so it can be eradicated quickly.
Law firms should also be testing their systems at least monthly, and performing security risk assessments at least annually, says Petronella.
Brett Burney, an e-discovery consultant, author and principal with Burney Consultants, agrees that thorough and consistent training is essential to keeping electronic data safe. But, he says, lawyers and legal professionals can be their own worst enemies.
“Lawyers and legal professionals are averse to training. No one has time for training, and most of the training today is long, laborious and lackluster, which means no one is interested in attending, anyway,” says Burney.
Therefore, there must be a systematic and consistent push for attorneys and their support staff to become more aware of the dangers of a cybersecurity attack, says Burney.
Lawyers tend to believe the biggest danger is some dark individual writing nefarious scripts to ‘break in’ to their computers, says Burney. “That is an ignorant and irresponsible approach to how cyber-criminals operate today,” he says. “The biggest threat really is someone inside a law firm receiving a phishing email with a malicious link that will either install malware on a computer, send credentials to a remote computer or encrypt all of the firm’s files in the form of ransomware.”
Unfortunately, while there is no way to fully protect electronic data, the responsible route for lawyers to take is to “raise awareness at the firm to protect from most of these scenarios,” Burney says.
Tami Kamin Meyer is an Ohio attorney and writer.