The majority of solo and small family law firms cannot afford to have their own IT departments overseeing their cybersecurity – so how can family lawyers protect themselves and their clients from cyber attacks?
By William N. Sosis, Lawyer and Information Technology Consultant
Long gone are the days when securing confidential and sensitive information only required preventing break-ins or office theft. With the coming of the digital age, the Internet, mobile apps, Cloud Computing, WiFi devices, and the Internet of Things (IoT), the line between physical and digital information has almost become invisible. Perimeter security by itself is insufficient.
Without an Adequate Cybersecurity Strategy, the Consequences Could be Appalling
According to a 2017 Gartner report, “The exponential growth in [digital] data generation and usage … is rendering current data security methods obsolete.” Moreover, the consequences that a cyber-attack can have on a business are appalling. Another report published by the Gartner Group in 2010 revealed that 43% of companies that had a major loss of computerized records never reopened, 51% permanently closed their doors within two years, and only the remaining 6% of companies were able to survive longer than two years after losing data.
Yet, with data security breaches and cyber-attacks on the rise, a 2016 American Bar Association (ABA) survey of lawyers found that nearly half say their firms have no data breach response plan in place. In addition, legal-industry experts say law firms are lagging behind their own corporate clients in data security measures.
Cybersecurity Strategy: Protecting Client Information from Cyber Attacks
As data breaches become increasingly inevitable, the ABA continues to alert lawyers to their role and responsibility in protecting their clients’ confidential information from cyber-related incidents. Lawyers are under increasing pressure to comply with a growing number of legal and ethical requirements.
But lawyers specialize in the law, not in managing internet-connected business risks. Mere compliance requirements, exhortations, and ethical standards do little to improve security and may do more harm than good. Telling lawyers what they must do without telling them how to do it only leaves lawyers feeling anxious and uncertain about the future.
Adding to the confusion is the cybersecurity industry that has sprung up in response to cyber risks. Despite its failure to contain the rising number of cyber attacks, between 2004 and 2015 the industry grew from $3.5 to $75 billion and is predicted to grow to $170 billion by 2020.
So how can family lawyers protect themselves and their clients from cyber threats? How should they winnow through all the options available for implementing a good cybersecurity program? This is where the National Institute of Standards and Technology’s (NIST) cybersecurity framework (CSF) comes into play. Although originally intended to protect the nation’s critical infrastructure, the CSF has grown to include small businesses.
Developing a Cybersecurity Strategy for Your Family Law Firm
Adopting CSF standards is a modest first step in developing a cybersecurity program. The CSF can help lawyers determine which technologies and processes are needed for good cybersecurity in today’s threat environment. By providing the tools needed, the CSF enables lawyers to create a unique cybersecurity strategy that fits their needs and budget. In a nutshell, there are three components to the CSF: the framework core, the framework profile, and the framework implementation tiers. These components work together to create a gap analysis allowing you to determine where you are and where you need to be. Closing the gap is where you address your risks and vulnerabilities and create your security plan.
It is fair to say that the NIST’s CSF is fast becoming a business imperative for avoiding liability. In April 2016, for example, the NIST hosted the largest cyber insurance panel in its history with about 900 registrants. The significance of this event is that insurance carriers are now using the CSF to understand cyber threats, underwrite cyber insurance policies, and determine liability.
Implementing a Cybersecurity Framework at Your Family Law Firm
However, the majority of solo and small family law firms cannot afford to have their own IT departments overseeing their cybersecurity or implementing the CSF. Lawyers in general also lack a basic understanding of the many technical aspects outlined in the CSF. For these reasons, the ABA urges that these lawyers hire an IT consultant on an “as needed” basis.
Finally, since there is no such thing as a totally secure system, it is important to remember that good cybersecurity is always about identifying and managing risks, exercising reasonable care, and hoping for the best while preparing for the worst.
William N. Sosis (JD) also holds a B.S. in Computer Science and Mathematics and an M.S. in Operations Research. He has over 25 years’ experience in information technology as a consultant, business analyst, and project manager. He led the implementation and upgrades of numerous computer systems in North America, Europe, and Asia. www.sosislaw.com