Late last year major health insurers got taken by surprise. Turns out there’s a huge black market for health insurance information. Premera Blue Cross was unprepared for a cyberattack that affected 11 million of their customers. Health insurer Anthem was hit in February with an attack which may have affected more than 78 million people. Then Community Health Systems experienced a breach that may have compromised the personal data of 4.5 million patients.
The FBI warns that hackers get major cash for intellectual property and customer data. For example, the Anthem breach likely revealed the names, Social Security numbers, birthdays, addresses, email, and employment information, including income data, of millions of customers.
Guess what other industry tends to store intellectual property and tons of personal data?
Take your average firm going through an average document review. Regulations around data retention mean ESI (electronically stored information) has grown out of control. District Court Judge James D. Whittemore found $3.1 million a reasonable fee for an e-discovery vendor for processing and hosting 2.7 million documents in a 2013 professional malpractice case. E-discovery comprised 10% of the total value of the case. According to one 2012 study, discovery will often make up 20% of the total cost for a case.
Think all that data might be valuable to someone, somewhere?
Last May the Western District of Pennsylvania grand jury indicted five Chinese military hackers for spearphishing an AmLaw 100 firm that was representing a US solar panels company using a Chinese supplier. Last February a large law firm’s vendor was hacked, revealing current and former employees’ personal data, including tax information, Social Security numbers, passport information, and other federal data. And last year the Chinese government allegedly hacked multiple Canadian law firms in an attempt to derail a multi-billion dollar corporate sale.
Insurance broking and risk management firm Marsh surveyed 50 firms in 2014 about their cybersecurity practices. They found that:
- Cybersecurity and privacy were among the top 10 risks for 79% of respondents
- 72% had not assessed what a data breach would likely cost
So what steps can you take to mitigate risk to yourself and your clients from a cyberattack? Here are three must-do’s.
1. Get cyber risk insurance
The Marsh survey also found that 51% of respondents said their law firms either have not taken measures to insure their cyber risk (41%) or do not know (10%) if their firm has taken measures. Cyber risk insurance is a smart move, not just for the protection in case of a major breach: insurers will also evaluate where your firm is at risk and will help you set up security best practices.
According to the American Bar, cyber liability insurance first appeared in 1998. But it didn’t start getting traction until 2003, when California mandated that entities maintaining personal data about state residents provide notice when certain information is accessed without authorization. Today 46 states have such laws in place.
Steve Fletcher wrote in Law Technology News that today firms must manage risk and comply with “federally mandated (and now enforced) regulations on privacy and personal health information.” And Matthew Goldstein warned in the New York Times that financial regulators are beginning to require cyber vigilance from the vendors banks rely on, such as law firms.
The American Bar considers cyber liability coverage necessary for firms. Jennifer A. Coughlin, Claims Counsel for Bond and Financial Products at Travelers Insurance explained firms need it “Because data is not considered tangible property and is therefore excluded from coverage under general insurance policies.”
2. Encrypt email and use a client portal
In the long list of stuff that makes no sense, one is that email does not come encrypted by default. Between that and how easy it is to forward and bcc, it’s a major weak point in many a firm’s cyber armor. Robert Ambrogi describes email encryption as a “must-have tool for lawyers.” Virtru is one of the easiest solutions available for encrypting emails and their files. But it does require both parties to opt-in.
Files must also be encrypted. Lawyerist’s Sam Glover is concerned about all this unencrypted data. “If you do not encrypt your files, do you lose sleep worrying about losing a laptop full of client data? If not, you should.” Clio’s Derek Bolen agrees. “Encrypt your locally stored client files,” he advises.
A better way to communicate with clients is through a client portal. Many law practice management software products offer a client portal, and most of them are encrypted by default. Besides encryption, communications and files are more secure within a client portal because they are more difficult to forward. Also, as long as credentials aren’t being shared, additional people can’t access them without a firm’s knowledge and permission.
Two-step verification for your email and client portal is also essential. “Two-factor authentication is key,” wrote Nicole Black, Director of Business Development and Community Relations, over Twitter. Black also advises firms to research vendors thoroughly. MyCase offers two-factor authentication as an optional feature, as do Clio and Time Matters.
3. Mobile security
Malware is an issue with mobile devices, for sure. The latest problem installs apps in the background. But more often the trouble starts when a smartphone gets lost or stolen. After that, accessing data isn’t terribly difficult. And as lawyers perform more and more legal business on their mobile devices, those devices become ever more valuable to steal.
Here again a mobile-accessible client portal is a great idea. At the very least, assume your attorneys and clients are doing business on their phones, and plan accordingly. It’s a good idea to require all attorneys password protect their phones and relevant apps.
Speaking of passwords, Clio’s Bolen advises firms to consistently use strong passwords in conjunction with a password management utility. Passwords should be changed regularly, and ideally comprise a random assortment of numbers, capitalized and lowercase letters, and symbols.
Hackers want you(r data).
Enabling encryption, two-factor authentication, and availing yourself of cyber risk insurance won’t take your risk level down to zero, but it’ll reduce it, while enabling you to recover from a breach.
What are your current practices for protecting your data? Let us know in the comments!