Four steps to improve digital data security at law firms

Small law firms tend to think that they’re safe from becoming the target of hackers. Unfortunately, that assumption is wrong.

In fact, hackers are attacking small- and medium-sized businesses (SMBs) precisely because they usually don’t defend themselves as well as large enterprises. Whether it’s the lack of IT resources or budget constraints, SMBs — including law firms — need to confront today’s threats head on.

Breaches at law firms are not uncommon. An American Bar Association survey last year found that one in four law firms with at least 100 attorneys had experienced a data breach due to a hacker, website attack, break-in, or lost or stolen computer or smartphone.¹ Meanwhile, the consequences of weak security could impact your firm’s business, as more corporate clients insist that their outside firms do more to safeguard sensitive information.

Law firms are taking note. In a 2015 ILTA/InsideLegal Technology Purchasing survey, 59 percent of respondents said security management was their top IT challenge.² The issue topped the list, knocking email management out of the number one spot for the first time in eight years.

To build a better defense, your firm should review your data retention and security policies, ensure that both firm-owned and personally-owned hardware and software is well protected, and educate your attorneys on IT security best practices.

Step one

Make sure your firm has, and adheres to, an appropriate data retention policy.

In its code of conduct, the American Bar Association (ABA) has published general guidelines on how long attorneys should hold documents (see Model Rule 1.15, 1.16 (d) and DR 2-110 (A)(2)). Unlike most businesses, which typically retain documents for seven to 10 years, law firms have complex retention policies because of their fiduciary duty to store, manage and maintain certain types of documents, such as wills and living trusts, for specific periods of time.

The duties can also vary according to the type of law practiced and the jurisdiction where the firm operates. Above and beyond the ABA rules, for example, each state has model rules on records to retain and for how long.

An important part of data security is carefully monitoring when documents and email may be deleted, because hackers can’t steal data that your firm no longer has. Another benefit is that it limits the information that may be subject to a discovery motion. If your firm retains information beyond what’s required, it can create additional risks.

Your retention policy should also follow best practices about data storage. Sensitive data should never be transferred onto thumb drives, which someone can easily drop in their pocket and walk out the door. Nor should it be kept on the hard drives of attorneys’ individual PCs. Rather, sensitive data should be stored only on secure servers at the firm or your vendor.

Step two

Ensure end-point security.

In an ideal world, all sensitive data would be kept only on secure servers and never on individual devices or end points. In practice, however, attorneys carry important documents on and access potentially sensitive email using desktops, laptops, tablets and phones. Each device should have anti-virus and intrusion-detection software. The IT department should make sure that all application software, operating systems and browsers are kept up to date and incorporate the latest patches issued by their vendors. Each device should include encryption capabilities both for storing and transmitting data.