A law firm’s IT department, or outside vendor, should conduct ongoing security risk assessments, vulnerability scans, penetration tests, and system and network monitoring to protect against and detect suspicious activity and potential data breaches. The use of antivirus software is simply not enough to detect sophisticated attacks which sometimes go unnoticed for months or years.
2. Defend the Network Perimeter
Routinely monitor and test security controls. Firms should employ secure configurations and ongoing security patch management for operating systems, applications and network devices, as well as monitoring for cybersecurity risk alerts. When properly configured, the perimeter defenses only permit those activities that are required to conduct business.
3. Restrict Access to Data
Strictly control employees’ access to confidential and sensitive information. Employees should be given only the minimum level of access needed to perform their respective roles.
4. Manage Passwords and User Privileges
Review users’ password and privilege policies. A strong password consists of at least 12 to 14 characters. Additionally, the password should include a combination of letters, numbers and symbols. Moreover, law firms should limit the number of privileged accounts and monitor user activity. It is critical that law firms implement multi-factor authentication, where feasible and appropriate, on all accounts that allow access to data.
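As an added illustration (example code written for this article, not from the author or any product it mentions), the following Go program checks a candidate password against the length and character-mix rules above and shows the second factor the paragraph calls for: a time-based one-time password (TOTP, RFC 6238) generated from a shared secret and verified server-side with a small clock-skew window. The secret used in main is the RFC 4226 test key, a constructed value, not a real authenticator seed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
	"unicode"
)

const (
	MinPasswordLength = 12 // lower bound of the article's "12 to 14 characters"
	TOTPStepSeconds   = 30 // RFC 6238 default time step
)

// CheckPassword returns every policy rule the candidate fails; an empty
// slice means it meets the length and character-mix rules above.
func CheckPassword(pw string) []string {
	var hasLetter, hasDigit, hasSymbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			hasSymbol = true
		}
	}
	var failures []string
	if len([]rune(pw)) < MinPasswordLength {
		failures = append(failures, fmt.Sprintf("fewer than %d characters", MinPasswordLength))
	}
	if !hasLetter {
		failures = append(failures, "no letters")
	}
	if !hasDigit {
		failures = append(failures, "no digits")
	}
	if !hasSymbol {
		failures = append(failures, "no symbols")
	}
	return failures
}

// hotp computes one RFC 4226 HOTP value: HMAC-SHA1 over the big-endian
// counter, dynamic truncation to 31 bits, then reduced to six digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTPCode is the code an authenticator app would show at unixTime (RFC 6238).
func TOTPCode(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/TOTPStepSeconds))
}

// VerifyTOTP accepts a submitted code if it matches the current step or the
// step on either side (tolerating small clock skew), comparing in constant time.
func VerifyTOTP(secret []byte, submitted string, unixTime int64) bool {
	step := unixTime / TOTPStepSeconds
	ok := false
	for delta := int64(-1); delta <= 1; delta++ {
		if step+delta < 0 {
			continue
		}
		expected := hotp(secret, uint64(step+delta))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			ok = true // keep looping so timing does not reveal which step matched
		}
	}
	return ok
}

func main() {
	for _, pw := range []string{"password", "Tr0ub4dor&3xyz"} {
		if f := CheckPassword(pw); len(f) > 0 {
			fmt.Printf("%q rejected: %s\n", pw, strings.Join(f, ", "))
		} else {
			fmt.Printf("%q meets the policy\n", pw)
		}
	}
	// Constructed secret: the RFC 4226/6238 test key, not a real seed.
	secret := []byte("12345678901234567890")
	now := int64(59)
	code := TOTPCode(secret, now)
	fmt.Println("code at t=59:", code, "accepted:", VerifyTOTP(secret, code, now))
}
```

The verification loop deliberately does not return early on a match, and the comparison uses constant-time equality, so response timing leaks nothing about which window step matched; a production deployment would also record the last accepted step per user so a code cannot be replayed within its window.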
5. Backup System
Develop a reliable backup strategy so that the firm’s data can easily be recovered in order to maintain business continuity. Law firms should perform routine backups of data and store them offline so that threats like ransomware cannot reach them. All backups should be encrypted with a user-defined encryption key, whether on site, off site or stored in the cloud.
6. Conduct Security Awareness Training for Employees
Provide training and education to employees so that they are aware of the law firm’s security protocols and of their responsibility to protect a client’s sensitive, confidential information. Law firms should provide mandatory cybersecurity awareness training to all users at least once a year and conduct periodic (e.g. quarterly) simulated phishing exercises for employees. Sanctions should apply to those users who fail to comply with security policies and procedures.
7. Conduct Inventory of Data
Conduct an inventory of the software systems and data and assign ownership and categorization of risk; the higher the sensitivity of the information, the stronger the security protections and access controls must be.
8. Use Encryption for Transmitting Sensitive Data
Encryption is the process of changing information in such a way as to make it unreadable by anyone except those possessing special knowledge (usually referred to as a “key”) that allows them to change the information back to its original, readable form. Any personally identifiable information, protected health information or other sensitive, confidential data should be sent securely, via encrypted email as required by ABA Formal Opinion 477R.
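The key-based transformation described in this section, and the encrypted backup recommended in section 5, both come down to authenticated symmetric encryption. The following Go program is an added example written for this article, not code from the author or from any product it mentions: it seals a constructed client document with AES-256-GCM under a key only the holder knows, recovers it with the right key, and shows that a wrong key or a modified ciphertext is rejected rather than silently yielding garbage. The key here is generated randomly; a firm deriving it from a user-defined passphrase would run that passphrase through a proper password-based key derivation function first.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes, selecting AES-256.
const KeySize = 32

// NewKey returns a fresh random key. In practice the key lives in a key
// manager or is derived from the firm's passphrase with a KDF such as Argon2
// or PBKDF2; it must never be stored beside the backup it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-GCM. A random nonce is generated per
// message and prepended to the output so Decrypt can recover it. GCM also
// produces an authentication tag, so any change to the ciphertext is detected.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag after the nonce already in the buffer.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt splits off the nonce and opens the sealed data. It returns an error
// for a wrong key, a truncated message, or any tampering with the ciphertext.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short to contain a nonce")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample document; not real client data.
	doc := []byte("Client: Example Co.; SSN: 000-00-0000; matter notes (privileged)")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(doc), len(sealed))

	if plain, err := Decrypt(key, sealed); err == nil {
		fmt.Println("recovered with the right key:", string(plain))
	}
	wrongKey, _ := NewKey()
	if _, err := Decrypt(wrongKey, sealed); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Decrypt(key, tampered); err != nil {
		fmt.Println("tampered backup rejected:", err)
	}
}
```

Because GCM authenticates as well as encrypts, a restore from an offline or cloud backup either yields the exact original bytes or fails outright, which is the property a firm wants before trusting recovered data. A nonce must never be reused under the same key; generating it from a cryptographic random source per message, as above, is the simplest way to honour that rule.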
9. Third-Party Vendor Management
Third-party vendors are one of the biggest security threats to any organization. Therefore, law firms should vet every vendor who works with the firm to ensure they exercise the same level of security protection as the firm itself. This includes requesting the vendor’s cybersecurity policies and procedures to ensure they have an appropriate program in place and conducting periodic (e.g. annual) onsite security assessments. Law firms should carefully review vendor agreements for issues regarding indemnification, cyber liability insurance, and the time periods for providing notice of a vendor “incident” or “breach.”
10. Establish an Incident Response Plan and Team... Train and Test
Create and implement an incident response plan (IRP) and team (IRT) to be prepared to quickly contain, assess and respond to a data security incident. Law firms should have a cross-organizational IRT in place, which includes not only management but also legal, human resources, procurement, finance and IT, to develop and implement a plan for detecting and managing a breach. In addition, tabletop exercises should be performed involving the IRT and the firm’s preferred forensic and breach response counsel to test their readiness to respond to a real attack.
11. Purchase a Standalone Cyber Liability Insurance Policy
Examine all insurance policies in place for cyber coverage and consider purchasing a standalone cyber liability policy to cover first and third-party losses. Law firms should consult with an insurance broker, well versed in cyber liability coverage, to ensure that they are procuring sufficient coverage and limits to cover their business needs.