What Your Law Firm Should Know about Cybersecurity


Campbell Conroy & O’Neil, P.C., which represents some of the globe’s biggest companies, was the victim of a ransomware attack that resulted in a large data breach in 2021.

In 2020, New York-based Grubman Shire Meiselas & Sacks, P.C., which represents celebrities such as Lady Gaga, was hit by a ransomware attack; initial access was reported to have come through phishing emails or stolen credentials. The attackers demanded $21 million in ransom and leaked confidential client documents.

That same year, Vierra Magen Marcus LLP, a Silicon Valley-based intellectual property firm representing Fortune 500 companies, saw 1.2 terabytes of data stolen by hackers, including NDAs and patents, which were auctioned on the dark web.

If some of the world’s largest law firms, with enviable amounts of resources at their disposal, can get hacked, what’s protecting the thousands of smaller and seemingly more vulnerable law firms from similar cyberattacks?

With data breaches on the rise and a growing number of laws aimed at protecting people’s privacy, law firm websites and digital marketing strategies must account for far more than logos and practice area descriptions. Protecting firm, employee, and client data, and complying with the international and state privacy laws that govern it, must be a priority for law firms of every type and size.

Personally identifiable information is a hot commodity. Legitimate businesses looking to connect with buyers have an interest in collecting and/or selling demographic and contact information. Meanwhile, bad actors use that information for identity theft, to hold for ransom, or to sell to others who could use it for the same nefarious purposes.

Law firms develop and store a lot of that valuable personal information, which makes them a target for an attack while also being accountable for data safekeeping.

Data Security

Law firms have two layers of protection against cybercrime: technology and people.

An experienced and knowledgeable agency like Scorpion can assess a law firm’s web presence and identify the weaknesses that need shoring up. Firewalls, secure hosting, regular site backups, and malware scanning all belong in a law firm website’s security strategy, and they are only the most basic of the many technical measures available to protect a firm’s online data.

Meanwhile, educating and training attorneys and staff goes a long way toward minimizing the risk of a data breach. Employees need to be reminded that their information, and that of their clients, is at risk if they don’t help protect it. Strong, unique passwords for email and every other digital platform, backed by multi-factor authentication, are a good place to start. All personnel should be taught to recognize phishing and reminded not to open attachments or follow links in unexpected emails, whether the sender is unknown or merely appears familiar, and to watch for the other telltale signs of a scam.

Data Privacy

Strong data security is the foundation of data privacy. Any sensitive and personal information, from client work product and communications to employee tax information, must be kept safe. Data security, though, is only one part of the data privacy equation. The other part centers on the measures a law firm takes to keep personal information out of the hands of third parties, either by choice or because regulations require it.

There are several laws that govern how information is collected, shared, and used by law firms and other businesses. They include:

  • General Data Protection Regulation (GDPR): The granddaddy of them all, and the most robust, the GDPR is a European Union law that specifies how personal data may be collected, used, shared, and protected. While it is meant to protect people in the EU, it applies to any U.S. or other international law firm that does business in the EU or with its residents.

  • California Consumer Privacy Act (CCPA): Similar in spirit to the GDPR, the CCPA made California the first state to adopt legislation giving residents control over how their personal information is collected and shared. (As of this post, four other states have passed similar laws: Colorado, Virginia, Utah, and Connecticut.) Any law firm that collects personal information from, communicates with, or employs residents of these states must comply, subject to each law’s applicability thresholds. These laws generally give consumers the right to know what personal information of theirs is being collected and shared, the right to delete that information (with some exceptions), the right to opt out of the sale of their personal information, and the right to be free from discrimination for exercising these rights.

There is no comprehensive federal data privacy law yet. Legislation has been proposed, the American Data Privacy and Protection Act, but its fate on Capitol Hill is unclear.

To comply with these laws, there are steps law firms must take depending on their circumstances. If, for example, a law firm has an online form for people to provide information to be contacted about a matter or to subscribe to a newsletter, there must be mechanisms in place for consumers to know what is happening with that data and how to ensure it is not shared. Likewise, it’s become the norm for law firm websites to warn visitors about the use of cookies and to provide links to adjust preferences or learn more in privacy or advertising policies.
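Honoring a visitor’s cookie preferences means more than linking to a policy: scripts that set non-essential cookies must not run until the visitor opts in. The following is an added example (JavaScript; it is not Scorpion’s code or part of the original page) of that mechanism: third-party scripts are registered by category, only the categories the visitor has allowed are loaded, and the stored choice is validated so that missing, corrupt, or tampered values fall back to the opt-in default. The storage key, category names, script registry entries, and URLs are assumptions made for the example; storage and the script loader are injected so the logic runs in Node as well as in a browser.

```javascript
// Consent-gated loading of non-essential scripts. Added example for this page,
// not Scorpion's code. Storage and the script loader are injected so the same
// logic runs in Node (for testing) and in a browser (pass window.localStorage
// and a loader that appends <script> tags). The storage key, category names
// and registry entries below are assumptions made for the example.

const CONSENT_KEY = 'cookie_consent_v1';
const CATEGORIES = ['necessary', 'analytics', 'advertising'];

// Opt-in by default: only strictly necessary scripts run before the visitor chooses.
function defaultConsent() {
  return { necessary: true, analytics: false, advertising: false };
}

// Keep only known categories, accept only booleans, and never let 'necessary' be disabled.
function normalizeConsent(raw) {
  const consent = defaultConsent();
  if (raw && typeof raw === 'object') {
    for (const category of CATEGORIES) {
      if (typeof raw[category] === 'boolean') consent[category] = raw[category];
    }
  }
  consent.necessary = true;
  return consent;
}

// Read a stored choice; missing or corrupt data falls back to the opt-in default.
function loadConsent(storage) {
  try {
    const stored = storage.getItem(CONSENT_KEY);
    return stored === null ? defaultConsent() : normalizeConsent(JSON.parse(stored));
  } catch (err) {
    return defaultConsent();
  }
}

// Persist the visitor's choice (e.g. from a "manage preferences" dialog).
function saveConsent(storage, choice) {
  const consent = normalizeConsent(choice);
  storage.setItem(CONSENT_KEY, JSON.stringify(consent));
  return consent;
}

// Select the registry entries whose category the visitor has allowed.
function scriptsToLoad(registry, consent) {
  return registry.filter((entry) => consent[entry.category] === true);
}

// Load each permitted script at most once and report which ones were loaded now.
function applyConsent(registry, consent, loader, alreadyLoaded = new Set()) {
  const loadedNow = [];
  for (const entry of scriptsToLoad(registry, consent)) {
    if (alreadyLoaded.has(entry.name)) continue;
    loader(entry);
    alreadyLoaded.add(entry.name);
    loadedNow.push(entry.name);
  }
  return loadedNow;
}

// Browser loader: appends a <script> tag per permitted entry (not invoked in Node).
function domLoader(doc) {
  return (entry) => {
    const script = doc.createElement('script');
    script.src = entry.src;
    script.async = true;
    doc.head.appendChild(script);
  };
}

// Minimal in-memory stand-in for window.localStorage, for running outside a browser.
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (key) => (data.has(key) ? data.get(key) : null),
    setItem: (key, value) => { data.set(key, String(value)); },
  };
}

// Constructed registry: third-party scripts a firm's site might embed, by category.
const SCRIPT_REGISTRY = [
  { name: 'site-core', category: 'necessary', src: '/js/app.js' },
  { name: 'analytics', category: 'analytics', src: 'https://analytics.example/collect.js' },
  { name: 'ad-pixel', category: 'advertising', src: 'https://ads.example/pixel.js' },
];

// Stand-alone demo: a first visit loads only necessary scripts; opting in to
// analytics adds that script, while the attempt to disable 'necessary' is ignored.
const demoStorage = createMemoryStorage();
const demoLoaded = new Set();
const demoLoader = (entry) => console.log('loading', entry.src);
console.log(applyConsent(SCRIPT_REGISTRY, loadConsent(demoStorage), demoLoader, demoLoaded));
saveConsent(demoStorage, { analytics: true, necessary: false });
console.log(applyConsent(SCRIPT_REGISTRY, loadConsent(demoStorage), demoLoader, demoLoaded));
```

In a browser, the "manage preferences" link in the cookie banner would call saveConsent with window.localStorage and then applyConsent with domLoader(document); the registry is the single place where a new tracking or advertising script must be declared, which keeps the privacy policy and the site’s actual behaviour in step.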

Speaking of privacy policies, these often-ignored pages linked from website footers are an important and required component of data privacy law compliance. A privacy policy, sometimes lumped together with a law firm’s terms of use, cookie consent and/or advertising policies, discloses the ways the law firm’s website collects, processes, stores, shares, and protects user data.

Protecting everything from the law firm’s business data to confidential documents to employee and website user email addresses must be a priority. Contact Scorpion for assistance in creating a website and other digital assets that are safe from attack.