Cybersecurity Tactics for Law Firms

The current threat landscape for law firms

For law firms, cybersecurity is just one item on a long to-do list, but it is not an issue that can be ignored. 

According to a recent American Bar Association (ABA) report, 29% of law firms experienced a data breach in 2023. Because they handle sensitive client information, law firms are a ripe target for threat actors, and cyber threats are only growing. Hackers now utilize automation and AI to create more convincing phishing and deepfake attacks. 

Sticking your head in the sand is not an option. ABA ruled that lawyers are ethically obligated to “prevent unauthorized access or disclosure of client information.” Compliance laws are continually updated to address how legal firms and other entities handle sensitive data. Compliance rules can be stringent depending on your location and the industry you work in. Regulators issue steep fines and dole out other consequences for falling out of compliance.  

Law firms that suffer breaches can face severe consequences. For example, one firm was forced to settle a class action suit against it for $8 million after a cyber-attack exposed over 600,000 users' personal information.

So, how can lawyers with limited time and resources address cybersecurity for their law firms? 

We recommend working with cybersecurity technology experts. However, a firm should proactively pursue several action items in conjunction with or independently of working with a cybersecurity firm. The actions discussed in this article will help your firm get a leg up on cybersecurity and better defend your client data.

Put it in writing

Creating a written cybersecurity policy is not a one-time project. Instead, it should become a living document, frequently reviewed and updated regularly. Your cybersecurity policy should include the following points:

•  Acceptable use policy (AUP): This text governs how your firm uses and interacts with technology, including laptops, desktops, software, hardware, and mobile devices. For example, this plan should detail whether firm lawyers can use personal devices for work or if they should only use devices provided by the firm to ensure security. Additionally, this document should detail how and when your firm interacts with generative artificial intelligence (gen AI) software. 
• Backup and data recovery plan: This document should detail how a firm backs up its sensitive data in a secure service and how to restore data in case of a breach or ransomware attack.
• Cyberattack response plan: Likewise, firm members need to know what steps to take during a cyberattack. These steps will include a timeline for when to inform law enforcement and affected clients. Note that these timelines are, in some cases, governed by the SEC or other regulatory bodies.
• Encryption file storage and communications: Encryption is like a lock on your filing cabinet. Hopefully, you will never need it, but it helps you rest easier knowing that sensitive files and communications are secure.

The rest of this post will cover categories you may want to mention in the cybersecurity plan for your law firm.

Audit cybersecurity measures

Creating a cybersecurity plan is a never-ending project, like cleaning the garage. However, a great first step is to document the current state of your cybersecurity efforts. This text details the current security tools, practices, and protocols in place, as well as areas to address moving forward.

Working with a vetted third-party security firm is recommended at this phase, as cybersecurity professionals can access in-depth scanning tools to pinpoint technical weaknesses you were unaware of. As a bonus, many cyber liability providers require a vulnerability scan as a part of their application process. 

Practice good cybersecurity “hygiene”

The audit will likely point out some areas where you are lacking. Some of the following may come up as areas to focus on, but regardless, improving your cybersecurity hygiene is never a bad idea.

• Implement password best practices: Adopt strong passwords with random letters, numbers, and symbols. Update all passwords frequently, ideally once per quarter. 
• Apply zero trust principles: Zero Trust is a cybersecurity framework from NIST that emphasizes restricting access and permissions to verified users across devices, networks, applications, data, and other digital environments. A cybersecurity professional can help you implement zero trust principles across your law firm’s digital landscape.
• Limit access: Use multi-factor authentication to reduce the risk of breach drastically. 
• Vet third-party providers: Breaches through the “digital supply chain” are increasingly common as professionals rely on Software as a Service (SaaS) tools and cloud-based technology. It is vital to carefully vet any technology partners before implementing a new tool and to read the terms and conditions.

Implement employee security training

Multiple sources, including Stanford University, have found that over 88% of data breaches are caused by human error. It is not enough to simply include phishing training for new employees once. Cybersecurity training must go beyond onboarding. ABA recommends firm-wide cybersecurity training at least once a year (ideally once a quarter). 

Also, it pays to get ahead of employees regarding using generative AI in training materials and AUP documentation. If not addressed, lawyers might seek shortcuts offered by AI without considering the unintended risks of AI hallucinations or exposing sensitive data to a public GPT.

Also read: Responsibly Adopting AI in Law Firms

Protecting your firm and your client’s data

In today's growing cyber threat landscape, law firms must prioritize cybersecurity to protect sensitive client information. To fortify your defenses, regularly update your policies, conduct audits, and invest in employee training. Do not wai`t for a breach—take proactive steps today to secure your firm’s future. Act now to protect your practice.

Protexure can help your firm make sense of cybersecurity for your law firm and select the liability policy that works with the current landscape. Get in touch to learn more.