Bear Chasing MenAs explored in last week’s posts, the bad news for law firms is their challenging data security threat environment.   On the other hand, law firms that meaningfully elevate their security posture, thereby outrunning less-secure firms, can enjoy good news, including increased revenue, better-controlled expenses, and stronger client relationships.

Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable.  Understanding and countering these vulnerabilities is the key to transforming data security bad news into good news.

Why are law firms so vulnerable?

Law firms have highly valuable information.

Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners.  Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on.  In addition, law firms have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.

Many firms are behind the curve on data security safeguards. 

Despite their valuable information, many law firms are demonstrably lax in their data security posture.  Consider results of the 2017 ABA Legal Technology Survey regarding law firm data security controls:

  • Less than half of the responding firms have the following policies or plans that are important facets of the firm’s security posture:  computer acceptable use policy (48%); remote access policy (45%); personal technology use/BYOD policy (24%); incident response plan (26%); disaster recovery / business continuity plan (42%).
  • Only 60% of the firms have a formal policy or process to manage retention of data held by the firm, and only 40% have an official records retention schedule.
  • 28% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
  • Only 45% of the firms have file encryption tools, only 36% have email encryption capabilities, and only 21% have full disk encryption.
  • Among the responding firms that utilize cloud IT services, fewer than than half report using basic security precautions such as evaluating the provider company’s history (27%); reviewing the provider’s privacy policy (38%) or terms of use (34%); using only web-based software with encryption features (36%); or making regular local data backups (41%).

Why are so many firms behind the curve in their data security safeguards?  Here are ten factors to consider (warning – some of the below is not sugar-coated):
Continue Reading

Business woman screaming at laptopMany years ago, before common sense kicked in, I thought it would be a good idea to rent a storage space for all the extra furniture and other stuff I could not fit in my new house.  Knowing it would only be temporary, I stashed everything from upholstered and leather furniture, to boxes of books.  Fast forward twelve months.  The rental agreement was expiring, and I realized that I would never need nor have room for all that I’d stored, so I decided to have a sale to dispose of it.  When I went to the storage space I was horrified to see that everything was covered in a thin film of mold.  (This was years before climate-controlled storage was widely available.)  I had no choice but to trash it all, which both cost me money and prevented me from converting my goods to profit.

I was reminded of this long-ago event when I heard about the latest ransomware attack.  We’ve been reminded countless times of the importance of backup, and ransomware is only the most recent reason.  If you have ever had a hard drive fail, you know the pain that comes with irretrievable data.

So what happens when your backup media fails.? Or your archival media?  Don’t CDs last forever?
Continue Reading