The cybersecurity firm Mandiant estimates that at least 80 of the 100 biggest law firms in the country by revenue have been hacked since 2011. These figures aren’t surprising given the valuable information that they hold and the fact that many lawyers regularly use email attachments — an easy entry point for malware to infect a network. However, they do underscore the necessity of adhering to data storage best practices.
Let’s take a look at how law firms can safely store client records to avoid becoming a statistic.
Who’s Liable for Stolen Data?
A growing number of law firms store data on cloud servers rather than using on-premise tape or hard disk backups, and almost all companies have some data present on cloud-based platforms. For example, many client email communications are archived in the cloud and documents that are too large to attach to an email are often uploaded and shared via Dropbox, Microsoft OneDrive or Google Drive.
More than 20 state bar associations have issued ethical opinions on cloud storage, and the consensus is that lawyers may ethically use cloud storage as long as they exercise reasonable care to keep client information and files confidential. The ABA Model Rule 1.1 also requires that lawyers keep abreast of changes in technology-related laws since they are constantly evolving to account for new developments.
Law firms may be able to use cloud storage services, but it’s important to understand where liability exists. The law states that the data owner is ultimately liable for losses that arise from a data breach, even if the security failure is the fault of the data holder (e.g. cloud provider). The only exception to the rule is healthcare data governed under HIPAA laws. This means that law firms that select insecure cloud providers could be on the hook for any liability.
Furthermore, law firms may be liable if clients find their cybersecurity measures to be insufficient, even if no data breach has occurred. In 2016, Edelson PC filed a lawsuit alleging that Johnson & Bell — a Chicago law firm — had vulnerabilities in its IT infrastructure. The class action suit was eventually dropped, but the move demonstrates that there could be a legal basis for failing to adhere to cybersecurity standards.
Best Practices to Protect Client Data
Many law firms use personal computers and on-premise storage (e.g. tapes and hard drives), but this requires a large IT staff to setup, secure and maintain. While cloud-based data storage is often cheaper than on-premise storage, it only addresses one part of the data lifecycle: storage. Law firms must still ensure that data is protected when in-use (e.g. on computers and other devices) and when it’s transmitted (e.g. sent over a network).
The best cloud data storage solutions ensure that the data is encrypted at every stage to prevent access even if a data breach occurs. In addition, data should be regularly backed up in at least two separate locations to enable a quick recovery from any data loss and ensure that no physical issues (e.g. hardware failure or fire) put the backups at risk. The in-use and in-transmission pieces of the puzzle are often best addressed with virtualization.
We typically recommend three services for complete protection:
Desktops-as-a-Service
Cloud-hosted virtual desktops simplify security by managing everything from a central location. Rather than updating individual computers, law firms can update a single server that runs all of the virtual desktops. The same technology makes it easy to facilitate secure remote work since there’s no need to secure multiple devices. Virtual desktop sessions can be configured to use two-factor authentication or hardware keys for maximum security.
Infrastructure-as-a-Service
Network security is the next factor to consider after securing desktop access. By outsourcing the management of these networks, law firms can ensure that their firewalls and other critical infrastructure are meticulously patched, maintained, and monitored. To maximize security, firewalls should block everything by default and only allow certain applications to access the network.
Disaster Recovery-as-a-Service
The final piece of the puzzle is securely backing up the data in case of data loss. It’s a good idea to store encrypted data in two redundant locations in case of a physical disaster, as well as to ensure that backups occur frequently enough to enable a quick recovery. The frequency of backups depends on your business and the amount of data.
It’s also important to ensure that all communications are kept confidential to prevent man-in-the-middle attacks. For example, sending confidential information via email could expose the data to attackers that may have access to a client’s email. Secure client portals are typically the best way to avoid these issues and keep communications protected by requiring clients to login with two-factor authentication to access any documents.
How Lockstep Can Help Manage Data
We have worked with many clients looking for secure storage capabilities, including a multi-state law firm with over 500 employees. After deciding to host critical apps and data with a large hosting and managed service provider, the firm realized that the off-the-shelf solution had critical shortcomings and higher than expected costs. Many large companies don’t provide a high level of attention to their clients — even if they’re large clients.
We stepped in to provide highly advanced and meticulously maintained data storage, computer security, and VDI systems that are all monitored and managed by high-level engineers at a predictable monthly cost. These services included a complete infrastructure-as-a-service solution with disaster recovery and professionally managed services to adhere to every best practice mentioned earlier.
“Lockstep’s high performance cloud offerings have transformed the way our attorneys and staff work,” said the law firm’s IT Director. “I know our critical systems and data are secure and our users have the flexibility to work from any device and location. Together with the excellent service we receive from Lockstep’s engineers, we have the perfect solution.”
The Bottom Line
There’s no question that law firms experience more cybersecurity attacks than many other industries due to their sensitive data and their tendency to send email attachments. Given the significant potential liability associated with these attacks, it’s more important than ever to secure your data storage and communication channels.
We have extensive experience in the legal domain, helping some of the largest law firms in the country. Contact us today to learn more about how we can help you secure your data and communications.
