By the end of this article, you will understand the steps you need to take to a) lower the risk of client information being lost or stolen, and b) significantly reduce, if not eliminate, the liability and loss of reputation you could suffer if client data is lost or stolen.
Information is being lost and stolen at tremendous rates due to the use of mobile computing devices. The amount of information that could be stored in an entire room can now exist on a smartphone. Until recently, most information traveled over wire and phone lines. Now, most networks are wireless. Hacking has become as easy as download, point, and click.
Is cybersecurity an IT thing? Well, yes and no. IT sets up your computers and network, keeps them running, and likely installs some security. Many IT personnel are versed in some aspect of security, but it is not their specialty. It is like asking your uncle who is a real estate attorney to handle your criminal case or divorce. If you are serious about implementing good security, then ask a security expert. If you are comfortable with your current level of security, then don’t worry about it, but don’t ignore the warning signs.
Today, convenience rules and security is usually an afterthought. Firms looking to save money and gain convenience are moving data to the cloud and relying on third-party vendors to store and secure it.
Interestingly, recent cybersecurity headlines reveal that law firms are one of the new targets, because hackers believe they are an easy backdoor to the firm’s clients. That means the threat to information will increase as lawyers and the rest of us become more and more mobile.
Even a small practice is at risk. Consider this: according to Ponemon Institute’s “2012 Cost of Cyber Crime Study: United States,” attacks against small businesses are up 60% since they usually have very little security and do not have in-house IT support. Many rely on outdated technology. Basic security protections, such as proper use of encryption, are often overlooked out of ignorance or sacrificed for convenience. Antivirus software and a good password do not equal security.
As promised, here are the steps:
- Do a risk assessment, in which you identify all the information you are collecting, processing, and storing, and then determine how each of those is secured.
- Draft or have the proper policies drafted and reviewed by an attorney or someone skilled in this area.
- Obtain or implement some sort of cybersecurity awareness training for you and your office.
- If you use a vendor and that vendor stores or controls your or your clients’ information, then you must ask about their security. Ask these questions, and the many more you will think of: How are they protecting what is most important to you? If they suffer a breach, will they notify you, and how soon? What sort of insurance do they carry? Will you be compensated for losses you may incur?
These steps will provide peace of mind and enable you to recover quickly if an incident occurs, thus protecting your reputation and, if applicable, your license.
As a business owner who stores client information, you have an ethical obligation to competently protect client confidentiality and information. Interestingly, a handful of bar associations across the country have informed their members of the ethical obligation to keep up with technology and take reasonable steps to protect client information from being stolen. Further, in 2012, the American Bar Association rewrote some of the model rules of professional conduct to provide more guidance on the use of technology and protecting client information.