BLOG

Vendor Risk Management for Law Firms: 7 Strategies to Know

Sachin Bansal
04/14/2021

Lawyers, as a profession, are keenly aware of why privacy matters. Similar to yet distinct from doctor-patient confidentiality, attorney-client privilege is the foundation of the professional relationship. A law firm data security incident has a different impact than one at a retailer. A retailer data breach may expose a customer’s financial information, but a law firm data breach can affect a client’s civil and legal rights. As more supply chain attacks take place, vendor risk management for law firms becomes increasingly essential.

What does the American Bar Association (ABA) say about cybersecurity and professional conduct?

Lawyers understand, at least in principle, that cybersecurity affects their reputation, and the ABA’s Legal Technology Resource Center has conducted an annual Legal Technology Survey Report since 2012. The report details technology use by attorneys in private practice.

Accompanying the 2019 report, John Loughnane’s article, “2019 Cybersecurity” addressed the “professional imperative for strong cybersecurity programs.” Notably, the article cites:

  • Model Rule of Professional Conduct 1.1, Comment 8: arguing that the duty of competence requires cybersecurity considerations
  • Model Rule of Professional Conduct 1.4: suggesting that, because keeping a client “reasonably informed” includes communication by “electronic means,” lawyers have an obligation to secure those means
  • Model Rule of Professional Conduct 1.6(c) Comment 18: noting factors lawyers should consider as “reasonable” to prevent “inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
  • ABA Formal Opinion 477: highlighting seven factors for consideration when determining the appropriate level of cybersecurity
  • ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 483: including the quote, “the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”

Based on the article and citations within it, the ABA appears to take the stance that maintaining a robust security posture is part of attorneys fulfilling their ethical and professional responsibilities.

What cybersecurity risks do law firms face?

Law firms collect, transmit, process, and store some of the most critical sensitive data that people and companies possess. From financial data to trade secret information, firms are a veritable goldmine for cybercriminals.

According to a 2020 survey focused on the legal industry, an in-depth analysis of twenty representative firms found that three showed strong evidence of a compromise and an additional nine showed suspicious traffic. The same survey provides insight into the types of data compromise and information security risks facing the legal industry, including:

  • Business information compromise: financial or business intelligence information to sell on the dark web
  • Non-ransomware extortion: Trade secrets, pre-public market information, and litigation documents to extort clients and firms
  • Ransomware: encrypting and stealing data to hold hostage
  • Personally Identifiable Information (PII): client information to sell on the dark web, like bank account numbers, birth dates, social security information, and healthcare information
  • Third-party risk: organizations with whom the firm shares data or IT resources
  • Password compromise: insecure passwords as part of brute force attacks to gain network and system access
  • Hacktivism: malicious actors with social or political goals

These seven risk categories can be whittled down to a few broader risk types:

  • Sensitive data: information that should be kept private
  • Social engineering: tricking users into sharing credentials or installing malicious software
  • Third-party cyber hygiene: legal supply chain focused around data-sharing

At their core, law firms need to manage their own cyber hygiene and, when taking vendor risk management into account, prove that they understand the risks their vendors pose as part of the overarching legal supply chain.

7 vendor risk management strategies for law firms

The American Bar Association’s April 2017 Cybersecurity Checklist addresses vendor contracts. However, when taking vendor risk management into account, law firms need to consider their entire IT stack and business ecosystem. The legal industry is built on sharing information, so vendor risk management needs to include the various third parties with whom the firm works. These include:

  • Opposing counsel
  • Cooperative counsel
  • Experts
  • Courts
  • Law enforcement agencies
  • Cloud services providers
  • Software providers
  • Managed IT service providers (MSPs)

1. Identify all sensitive data

Before sharing information with a vendor or other third party, law firms should ensure that they have appropriate data categorization processes in place. They need to identify all sensitive data that they plan to share with third parties, including:

  • Sensitive corporate data
  • Client PII
  • Employee PII
  • Information protected by the attorney-client privilege

A large part of securing data lies in knowing which data needs protection. After identifying the information that needs enhanced security, law firms can engage in more robust due diligence with the third parties that store, transmit, or process that information.

2. Provide security questionnaires

Standard security questionnaires usually align with a regulatory or industry-standard compliance requirement. However, while law firms need to meet traditional best practices, they do not all have the same compliance requirements that other industries, like healthcare, face.

Thus, many law firms may need to create customized security questionnaires that speak to their unique needs. For example, payroll and enterprise resource planning (ERP) technologies may need to meet Payment Card Industry Data Security Standard (PCI DSS) compliance requirements, but experts testifying on behalf of a client would not.

3. Obtain documentation about the security posture

When looking to outsource IT services, law firms need visibility into the risks that these partners pose. As part of their due diligence processes, law firms should request documentation that includes:

  • Service Organization Controls (SOC) Type I or Type II report
  • Penetration testing results
  • Security policy, processes, and procedures
  • History of any known reported or unreported data security incidents

These documents can provide visibility into an organization’s security posture and ability to maintain effective controls.

4. Compare documentation and responses

As a best practice, law firms should compare the third-party’s security questionnaire responses to the documentation provided. Before sharing information with the organization, the law firm should ensure that the documentation provided supports the questionnaire responses. In cases where discrepancies exist, the firm should investigate the differences before working with the vendor.

5. Incorporate cybersecurity into service level agreements (SLAs)

Vendor risk management processes go beyond the pre-contract due diligence process. Incorporating cybersecurity as part of a vendor’s contractual obligation to the law firm adds another level of protection. As part of the SLA, a law firm may want to consider protections like:

  • Data encryption: when and how it encrypts data at rest and in use
  • Patching cadence: how often it updates firmware and software
  • Anti-virus protection: how it manages endpoint device security to protect from malware

6. Continuously monitor all third parties

In some cases, law firms have third-party business partners with whom they do not contract. For example, firms need to share information electronically with state and federal courts, but they are unable to enforce security controls around these business partners.

Continuously monitoring these third parties with a security ratings platform provides visibility into potential security vulnerabilities. For example, security ratings platforms can monitor the law firm’s third-party ecosystem, including the courts, and alert the firm to risks. This enables the firm to demonstrate governance over its third-party ecosystem, even when it has little ability to control a third party’s IT environment.

7. Obtain cyber risk insurance

As law firms look to protect their clients, cyber risk insurance becomes increasingly important. Firms can transfer their risk by purchasing cyber risk insurance, which often enables them to recover money spent responding to a data breach. For example, a cyber risk policy may provide coverage for costs like:

  • Breach notification
  • Computer and legal expert fees
  • Cyber extortion costs
  • Data restoration costs
  • Public relations
  • Business interruption
  • Reputation harm

Continuous monitoring with SecurityScorecard to mature law firm vendor risk management

SecurityScorecard’s security ratings platform enables law firms to enhance their vendor risk management strategies. Our platform continuously monitors publicly available information across the internet, detecting new risks in an organization’s cyber ecosystem. Our easy-to-read A-F security ratings provide visibility across ten categories of risk, including DNS health, IP reputation, web application security, network security, endpoint security, and patching cadence.

Leveraging SecurityScorecard’s security ratings platform, law firms can continuously monitor all third-party risks. As your firm looks to mature its security posture, due diligence becomes even more demanding. With SecurityScorecard, you can passively, non-intrusively, and continuously monitor your hyper-connected ecosystem to help mitigate the data security risks associated with the sensitive nature of your work.
