Law firm cybersecurity incidents have risen in 2023, with 27% of firms experiencing a security breach, according to the ABA’s 2022 Legal Technology Survey Report. Notably, there were several high-profile data breaches at Am Law 100 firms.
Law firms are particularly vulnerable to cyberattacks, due largely to the wealth of sensitive data they possess, which can include information on government entities and corporations. The consequences of these attacks—particularly data breaches resulting in loss of confidential client information—can be costly, with 36% of firms reporting lost billable hours. Some firms pay millions in recovery and reparation costs and even close down after facing significant reputational damage, loss of clients, lawsuits, and regulatory inquiries.
A lawyer’s duty to protect client data is defined in the ABA’s Model Rules of Professional Conduct. Comment 8 to Rule 1.1 states a lawyer should keep abreast of “the benefits and risks associated with relevant technology,” while Rule 1.6 (c) indicates lawyers “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Essentially, Rule 1.6 means lawyers must safeguard client information against inadvertent and unauthorized disclosure or by the lawyer or others.
While Comment 18 to Rule 1.6 provides some insight into the “reasonable efforts” required to preserve confidential client information, it doesn’t set forth concrete actions you can take as part of managing your practice. Unfortunately, many law firms don’t adhere to best practices for cybersecurity, exacerbating the problem. We offer just some of the proactive measures you can take to prevent potential cybersecurity attacks and keep your client and firm data safe.
Purchasing subscriptions for antivirus, anti-malware, and anti-spyware software is an obvious and essential step in protecting your firm and clients. Ensure this software is installed on every device that sends or stores any confidential client information, such as your computer and phone.
But installing software is just a start—hackers are continually developing new viruses and malicious code. This is why keeping that software updated is vital. Resist the temptation to decline update reminders when they pop up, as bothersome as they might be. This includes timely security patching. Security patches are essentially software fixes designed to address any security weaknesses or vulnerabilities identified in a program or product. When vendors send updates, don’t put off installing them. You might not want to interrupt your current task, but the potential loss is a much greater risk.
The cyberattack against law firm Mossack Fonseca and the resulting leak of 11.5 million documents—known as the “Panama Papers”—is perhaps the most well-known example of disastrous consequences resulting from failure to update software. Prevent these incidents by ensuring security patches have been applied to all software relied upon by your firm.
External assessments are a great way to gauge the strength of your firm’s security policies and protocols. Although you can routinely conduct internal reviews of your firm’s security protocols, a third-party audit will provide an unbiased and fresh perspective.
An independent auditor will nearly always reveal potential vulnerabilities you might otherwise miss. They’ll also assist with implementing appropriate security measures and training your firm on best practices.
You as a lawyer and any staff and assistants must understand risks associated with using technology and how to appropriately use it. But undertaking regular training and staying up-to-date on ever-changing technology and risks are just a start.
Any third parties using or accessing sensitive client data—such as consultants or expert witnesses—must also take steps to appropriately protect privileged and/or confidential information. You should also conduct due diligence on any vendors, such as software providers. Inspect your vendors’ security policies, hiring practices, and conflict check systems to ensure their credentials are legitimate and up-to-date, and whether they’ve had any issues in the past.
Vendor security programs should align with the NIST Cybersecurity Framework, which is a widely used resource for understanding and managing cybersecurity risk. Another resource is the Vendor Supply chain Risk Management Template published by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Casetext’s security program is an example of vendor compliance with industry standards (aligned with ISO 27001 and SOC 2 standards)
Cyber liability insurance isn’t a preventive step, but it’s one that can reduce the impact of attacks should they occur. Whether it’s worth it depends on what is and is not covered. For example, certain ransomware attacks aren’t defined as data breaches and therefore aren’t covered.
A thorough review of plan coverage is critical when considering insurance options. Insurance potentially covers litigation costs, response effort costs, and even preventative security measures. Be prepared for an assessment of your current cybersecurity practices, which will impact the insurance quote you receive.
The ABA’s 2020 Legal Technology Survey Report found that only 34% of respondents had a written cybersecurity incident response plan in place. Seventy-seven percent of large law firms—defined as firms with 100 or more attorneys—reported their firms have an incident response plan, while 38% of respondents from firms of 10-49, 23% of respondents from firms of 2-9, and 14% of solo respondents had written plans.
A written plan can help you minimize damage and take appropriate action quickly in the wake of a data breach or other cybersecurity incident. The plan should map out steps you can take to protect your clients’ data and prevent additional data loss. It should also detail relevant data breach disclosure obligations, such as federal, state, and client requirements.
Your plan might include identifying an in-house lead or team to helm the investigation into the breach, procedures, and methods for stopping additional data loss, among other actions. This team could also serve as the point of contact for regulatory inquiries.
CISA offers great resources for preparing a written plan, including its Cybersecurity Incident and Vulnerability Response Playbooks. The two guides are a solid starting point for creating your own incident response plan.
Investing the time upfront to protect your client and firm data pays off in the long run. Proactive steps—such as assessing potential threats, ensuring your software is up-to-date, and training your staff and vendors—are critical to preventing cybersecurity incidents such as data breaches. Additionally, creating a thorough incident response plan and obtaining insurance can mitigate the damage should an attack occur.
Rapidly draft common legal letters and emails.
How this skill works
Specify the recipient, topic, and tone of the correspondence you want.
CoCounsel will produce a draft.
Chat back and forth with CoCounsel to edit the draft.
Get answers to your research questions, with explanations and supporting sources.
How this skill works
Enter a question or issue, along with relevant facts such as jurisdiction, area of law, etc.
CoCounsel will retrieve relevant legal resources and provide an answer with explanation and supporting sources.
Behind the scenes, Conduct Research generates multiple queries using keyword search, terms and connectors, boolean, and Parallel Search to identify the on-point case law, statutes, and regulations, reads and analyzes the search results, and outputs a summary of its findings (i.e. an answer to the question), along with the supporting sources and applicable excerpts.
Get answers to your research questions, with explanations and supporting sources.
How this skill works
Enter a question or issue, along with relevant facts such as jurisdiction, area of law, etc.
CoCounsel will retrieve relevant legal resources and provide an answer with explanation and supporting sources.
Behind the scenes, Conduct Research generates multiple queries using keyword search, terms and connectors, boolean, and Parallel Search to identify the on-point case law, statutes, and regulations, reads and analyzes the search results, and outputs a summary of its findings (i.e. an answer to the question), along with the supporting sources and applicable excerpts.
Get a thorough deposition outline in no time, just by describing the deponent and what’s at issue.
How this skill works
Describe the deponent and what’s at issue in the case, and CoCounsel identifies multiple highly relevant topics to address in the deposition and drafts questions for each topic.
Refine topics by including specific areas of interest and get a thorough deposition outline.
Ask questions of contracts that are analyzed in a line-by-line review
How this skill works
Allows the user to upload a set of contracts and a set of questions
This skill will provide an answer to those questions for each contract, or, if the question is not relevant to the contract, provide that information as well
Upload up to 10 contracts at once
Ask up to 10 questions of each contract
Relevant results will hyperlink to identified passages in the corresponding contract
Get a list of all parts of a set of contracts that don’t comply with a set of policies.
How this skill works
Upload a set of contracts and then describe a policy or set of policies that the contracts should comply with, e.g. "contracts must contain a right to injunctive relief, not merely the right to seek injunctive relief."
CoCounsel will review your contracts and identify any contractual clauses relevant to the policy or policies you specified.
If there is any conflict between a contractual clause and a policy you described, CoCounsel will recommend a revised clause that complies with the relevant policy. It will also identify the risks presented by a clause that does not conform to the policy you described.
Get an overview of any document in straightforward, everyday language.
How this skill works
Upload a document–e.g. a legal memorandum, judicial opinion, or contract.
CoCounsel will summarize the document using everyday terminology.
Find all instances of relevant information in a database of documents.
How this skill works
Select a database and describe what you're looking for in detail, such as templates and precedents to use as a starting point for drafting documents, or specific clauses and provisions you'd like to include in new documents you're working on.
CoCounsel identifies and delivers every instance of what you're searching for, citing sources in the database for each instance.
Behind the scenes, CoCounsel generates multiple queries using keyword search, terms and connectors, boolean, and Parallel Search to identifiy the on-point passages from every document in the database, reads and analyzes the search results, and outputs a summary of its findings (i.e. an answer to the question), citing applicable excerpts in specific documents.
Get a list of all parts of a set of contracts that don’t comply with a set of policies.
Ask questions of contracts that are analyzed in a line-by-line review
Get a thorough deposition outline by describing the deponent and what’s at issue.
Get answers to your research questions, with explanations and supporting sources.