I predict that when we reflect back on 2016, we will see a year filled with notable events and turning points. With Cloud-connected watches, doorbells and cars, will it be the year of the Internet of Things? Despite some concerns over privacy, will Microsoft’s Windows 10 manage to regain some of the luster the Redmond, WA giant used to have? Will Mr. Trump become President Trump or simply go back to telling people ‘you’re fired’?
And, just as important, will the legal industry finally recognize the role they play in cybersecurity and begin to proactively engage in the fundamental measures needed to secure their valuable information? I say yes. But it won’t be easy.
In this three-part series, we will review the approach law firms should take when building a cybersecurity game plan.
A Digital Ecosystem
The first and biggest challenge is simply getting law firms to understand the situation. While they may not have millions of credit cards to steal like Target or Home Depot, they are arguably at far greater risk than other types of businesses. Why? Because law firms today not only maintain valuable information, but also present rich gateways to the very clients, vendors and partners that they support, work and collaborate with.
A digital ecosystem is the network of target rich companies and individuals that are all linked through a firm’s email system, client portal, billing system, website, docketing system, litigation support tools and more.
When you understand this ecosystem, it’s much easier to see how the role of cybersecurity isn’t a topic to be relegated to the IT people in that dark server closet down the hall. It’s not something you call your consultant about and ask if you’re ‘covered’. Properly protecting the information within your ecosystem is a business function that is executed, only in part, by the IT department. Cybersecurity planning and execution is a lot like billing – a key task whose responsibility is shared throughout the company.
So assuming you agree, your next question should be ‘so where do we start?’ Regardless of size, most firms will struggle out of the gate because they don’t understand one very important principle: Know exactly what information you have and where it is stored.
Step 1: Identify The Information You Keep
It is unreasonable and unrealistic for law firms to completely protect every piece of information (data) from every potential threat. The time, money and resources that would be required to properly defend every corner of your business from every threat are simply out of the reach of many firms. Knowing what information and associated locations need the most robust protection will allow firms to spend responsibly and maximize ROI.
So we should begin by looking at your potentially sensitive information as being in one of two categories: client data and employee data.
Let’s start with client data since it’s the most complicated. It’s complicated because what constitutes client data will vary by firm and practice area. There will never be a definitive guide to what risky information any one firm will maintain. A litigation or IP firm will have a very different sensitive data profile than a family law firm. But there are a few basics to look for:
- Client lists – This may seem obvious but the loss of your client list due to a security breach or a lost backup tape has very real confidentiality implications. Do you keep lists in different documents, places or systems? Does it ever leave your control?
- Personally Identifiable Information (PII) – Many firms maintain very sensitive information within their Practice Management systems but do little to ensure that information is properly protected. Do you store social security numbers, driver’s license numbers, financial accounts, credit cards or other sensitive information that could be easily retrieved by someone outside the company?
- Client Contacts – That estate plan you’ve just finished has detailed information about dependents, relatives, parents, etc., and many firms store those contacts in their management systems. If someone were to break into your network, would they have access not only to your clients but to their related contacts’ information as well?
As for employee data, this one is a little more straightforward. When you hire a new employee, you capture a lot of personal information, including social security numbers, birthdays, identification, addresses, etc. Where is that information maintained and stored? Who has access to it?
Firm member and employee data are becoming favorite targets for ne’er-do-wells. In the hacks on Sony, Target, Home Depot and others, employees whose data was stolen are exercising their rights and suing their employers for not taking reasonably appropriate measures to protect their PII.
Understanding where information is stored (or supposed to be stored) will allow your firm to streamline procedures across all users to ensure you’re actually saving information to the place you intend. Once you know where data resides and that it is consistently in a single place, you can build the necessary defensive systems to protect it (which will be our next post on this subject). Skip this identification step and you’re left trying to protect everything. And that, my friends, is a tough job indeed.