Most Law Firms Not Compliant with Cyber Security Policies, Says Study

Based on recent news and reports, it is evident that cyber attacks against law firms are on the rise. Most law firms handle enormous amounts of valuable data, ranging from corporate intellectual property and strategy documents to sensitive government secrets. But are U.S. law firms cyber secure? No, says a LogicForce survey report: 95% of assessments conducted by LogicForce show that law firms are not compliant with their own data governance and cyber security policies. Even when outsourcing legal transcription, legal entities should have a clear idea of the partnering company’s security measures for protecting their data.

Implementing sound IT systems and data security practices is vital for these firms to protect their client data. Federal laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Fair and Accurate Credit Transactions Act (FACTA) clearly obligate lawyers to protect certain types of data in their possession.

LogicForce surveyed and assessed over 200 law firms, ranging in size from 1 to 450+ total attorneys, located throughout the United States, and working in a full complement of practice areas.

Key findings of the study include the following.

  • 34% of firms reported getting a client data security and systems audit in 2016. Based on industry data and survey responses, the study expects this to reach 50% in 2017 and 65% in 2018.
  • Approximately 40% did not know they were breached
  • 80% of firms are not vetting their third-party service provider’s data security practices
  • 60% of firms do not have a specifically appointed Security & Compliance Manager and have no plans to appoint one
  • Only 23% of firms have cybersecurity insurance policies
  • 77% of firms do not maintain any cyber insurance coverage
  • 95% of assessments conducted by LogicForce show firms are not compliant with their data governance and cyber security policies
  • 100% of those firms are not compliant with their client’s policy standards
  • 53% of responding firms do not have a data breach incident response plan
  • 66% of law firms have reported a breach of some type, with varying levels of compromise
  • Only 22% of law firms have a documented cyber security training program for their employees

As per the study, the cyber threats a law office faces include over 10,000 intrusion attempts per network every day, 59% of all email delivery attempts being classified as phishing/spam, 1,000 invalid login attempts per day by users, and an average financial risk of approximately $221 per compromised record.

How Prepared Is Your Law Firm?

Failure to protect client data can result in severe monetary and reputational repercussions. Therefore, implementing a comprehensive data security program at the enterprise level is critical for every legal firm.

Certain recommendations to improve the security of your clients’ data include:

  • Develop regularly scheduled training programs for all staff. Employees should be aware of the need to combat attacks. Many user-training programs will teach lawyers what to look out for, how hackers break into computer systems, and what to do if they fall victim to an attack. Law firms should regularly train employees on new attack methods, teaching them how to identify and report suspicious emails and how to respond in the event of an attack.
  • Choose third-parties with experience and education in data security. For instance, while outsourcing your transcription tasks, choose an online transcription company that follows strict security and confidentiality measures to protect your sensitive legal files.
  • Personal laptops or iPads are the biggest sources of trouble for such firms. Ensure that all the lawyers are working only on their company-issued computers. This allows the IT team to properly maintain anti-virus software, monitor suspicious activity and combat any threats as soon as they appear.
  • Avoid unapproved remote-access tools. Non-standard remote-access software raises security concerns, such as providing an easy entry point for hackers, and is hard to distinguish from a Remote Access Trojan (RAT) once installed. It is ideal to have a single, standard, approved remote-access tool that is used by the entire company and monitored by IT, so that any other remote-access software on a machine can be treated as suspicious.
  • If your firm is connected to the Internet, receives email, or maintains any sort of electronic records, make sure to utilize cyber insurance. This insurance is designed to assist before, during, and after an attack.

Make sure that you do not ignore the data breach risk and devote the proper amount of resources to protect client data.

About Rajeev Rajagopal


Prior to joining MOS, he worked as a physical therapist. Having worked in several rehabilitation clinics, Rajeev has learned the importance of good medical records for medical billing and liability issues and the importance of good back- and front-office support. He has extensive knowledge of SEO, medical billing and coding, and medical transcription.