The Importance of Cybersecurity in Law Firms

The purpose of ethics is to provide tools to help discern what people should do and how they should behave. In the legal field, this tool guides legal professionals to ensure that they are all doing their job in the most justified and moral way they are able. In this day and age, people are analyzing the legal profession whether it be every new law, court case, or story that is reported on the news right from the comfort of their mobile device. With this evolution of technology lawyers in almost every area of practice have by now realized the necessity of electronic proficiency, at least for access to research, communications with clients, courts, and the public, and general information. As technology advances for legal professionals, so does the public’s access to the law and the many legal services that are offered to citizens. Although there are many positives to having online proficiency in the law, one major downfall is that sensitive information can be hacked into.  The broad issues relating to electronic information systems involving ethics include control of and access to information, privacy, and misuse of data. 

One of the greatest challenges that the Internet brings is freedom of expression. This can be demonstrated by something in one area of the world being considered offensive, whereas in a different sector could mean something completely different. For instance, in America, people like to throw a peace sign with their fingers to people as a form of acknowledgment or to greet another person. However, if this same sign is used in places like the United Kingdom, Ireland, Australia, or New Zealand this gesture can be interpreted as the American equivalent of the middle finger. 

The growth of technology provides a platform where people from all over the world enjoy real-time communication and interaction, which the sharing and learning of ideas. The social networks allow citizens to discuss the failures of their legal authorities including the government and suggest possible ways of expressing their concerns collectively. The social media has greater democratic potential because the discussions held in online forums result to the formation of social movements, power revolutionary groups and new forms of power relations, which may influence the country’s political and leadership structure. The establishment of social and networks, which represents the integration of democracy and centralized power has been facilitated by the rapid advancement of Web 2.0 tools (Tan, Hasegawa & Beuran, 2018). The multi-dimensional opinions and views raised on social media platforms by citizens, whistle-blowers, and activists are useful in helping to reshape a country’s political and leadership structure, behavior as well as outcomes. The establishment of social media and mobile phones with internet connectivity capabilities has led to more riots and protests by facilitating the rapid development of digitally-connected social movements. Technological advancements have led to the development of social media and mobile web, which creates a virtual and digital environment and promotes communication and interaction among geographically dispersed individuals. This environment or atmosphere mobilizes social movements by allowing people to raise their concerns and opinions regarding the actions and behavior of their political leaders and authorities.

Cyber-attacks have significant effects on the critical infrastructure of law firms. This makes cybersecurity to be important in protecting the valuable information of law firms from external attacks. Successful attack of critical infrastructure of law firms by cyberterrorism may result in major damage to their operations. The successful attack of the infrastructure by cyberterrorism result in a substantial loss of finances in the organization. This is experienced due to the theft of confidential information from firms. The attack of the critical infrastructure of law firms may result in a negative effect on the relationship between attorneys and clients.  This is because cyber-attacks have the ability to erode the trust and reputation of law firms from its clients.  With a damaged reputation, law firms may have a greater potential of losing their clients, who are the main source of finances.

The success or failure of law firms is established on the reputation of reputation management. When a firm loses its publicity especially when it concerns the security of the clients, it hard to recover it. Given the depth and volume of data that law firms hold, they have become major targets of cyber-criminal networks (Randall & Kroll, 2016). At the center of every client-attorney relationship is trusting since a client expects to receive all kinds of communication including emails and to be kept under strong confidence. Breaching of the clients’ information in any manner is becoming a nightmare for lawyers. Therefore, it should not be surprising that most law firms and legal professionals have started to take steps that strengthen their defenses against cyber attacks.

Cyber-security can no longer be focused on the information technology department, procedures manual or a training manual that are not read by employees. Cybersecurity has become part of doing business. To be ahead of many of the cybersecurity risks, law firms should install new security systems and protocols that keep the information of the client private. Firms should use user-friendly, cloud-based and custom-based program that can allow users and receive and send files securely online. Since the majority of vendors and clients conduct their business using cell phones, law firms should ensure that clients access secure documents with easy “clicks.” In addition, law firms should use manage and maintain firewall changes that block some websites, installation of on-site and new server, strict procedures and off-site back-ups. A new policy should be implemented on the internal email and attorneys should not open emails that they do not expect and do not know the source. For lawyers, cybersecurity should be part of their life because of the everyday attempts of hackers. They should not stop paying attention and assume that everything is going on well. Hackers evolve and the law firms should do so tor their cybersecurity systems. Law firms should stay up to date with the most effective software and technologies to keep their clients feel secure while dealing with their information.

In 2017, Formal Opinion 477R was issued by the ABA Standing Committee on Ethics and Professional Responsibility, which explained the ethical responsibilities of the lawyers in using reasonable efforts while communicating confidential information of a client on the internet (Trope & Hantover, 2017). The same standing committee later issued Formal Opinion 483 that provides guidance on the ethical obligations if attorneys after experience breach of data. These formal opinions demand laws to safeguard and notify clients if a breach of data exposes their confidential information. Lawyers need to prioritize cybersecurity and start to take preventive measures because ignoring them will expose their clients and firms to significant liabilities.

Law firms should ensure that their processes involve updated and secure technologies. These efforts may involve implementing or restoring practical technological systems and refusing a technology solution not required by the task. The main idea here is that Internet-based services can make the firm more vulnerable. Lawyers must establish responsible efforts to establish internal procedures and policies to detect and resolve conflicts of interest. It is easy to achieve this by monitoring and updating the firm’s technological processes. Hackers can easily find and exploit vulnerable information, which can make the device manufacturer stop offering support for the product. Old software and devices increase the possibility of breaching information because they have not been developed to address the latest cybersecurity threats. Clients are becoming tech-savvy and seek lawyers who implement more secure ways of safeguarding their information. A Microsoft survey established that 91 percent of individuals can stop doing business with a firm when they realize that their technology is outdated. Implementation of secure collaboration and communication tools such as secure client portals and email encryption are simple ways of protecting the data of clients. For instance, email encryption is established in web-based platforms such as Microsoft’s Outlook and Google’s Gmail. Another option is PGP encryption that lawyers seeking more secure methods of communication can use. Another method to further protect clients’ data is secure online client portal built within other software programs. 

Lawyers are responsible for protecting the information of clients when communicating digitally. This makes communication with the clients important to their representation. Communication is the best practice that lawyers should use to utilize the required tools to secure and encrypt digital communications between them and clients. A report made by Above the Law shows that email is the weakest link that most law firms (Black, 2018). This makes emails to be the common channel that hackers use to get to confidential data of the law firms. Hackers can engage in phishing scams, which involve sending of emails from what looks like a prominent individual or a firm to fool the recipient into sharing confidential and protected information. Rule 1.6 Formal Opinion 483 requires lawyers to preserve clients’ confidential information and prevent any disclosure of information that relates to the clients’ representation (Hricik, Morgan & Williams, 2017). Therefore, law firms should train their staff on how to identify and prevent phishing attacks or scams. In addition, law firms should keep their staff up to date on the appropriate ways of handling sensitive clients’ data as an essential way of keeping hardware and software systems updated. 

Law firms can employ cyber consultant. Consultants have adequate knowledge of accessing a law firm’s vulnerable information, develop effective response measures and help the firm create ways of protecting data. These measures are usually done by looking if a law firm can detect and respond to a cyber-attack and offer practical recommendations on the best way of handling cybersecurity. Law firms should realize that even with preventive measures in pace, breaching of data can still happen. If this happens, rule 1.4 of the Formal Opinion 483 requires lawyers to act promptly and reasonably to stop the breach of data and mitigate any damage (Hricik, Morgan & Williams, 2017). Lawyers have a duty of informing clients concerning breaching od data to a point that can enable them to make informed decisions concerning the representation. Low firms should have a protocol in place to make everyone aware in case the breaching of data happens. This will make them to better handle and cyber risks and mitigate them.

It is important for law firms to determine the kind of technology they will use to offer and effect remote access and provide clear assurance that confidential information of the clients will be protected. Based on the evolving and fact-specific nature of cyber risks and technology, there are no particular steps that involve reasonable precautions to avoid confidential information from getting into the hands of unintended recipients. This includes protection of passwords to ensure to allow only authorized individuals to access the system, the nature of the security devices that lawyers use to gain access to confidential information, whether encryption is needed or not and the security measures that law firms should use to know if there has been any form of unauthorized access to information belonging to a client. If law a law firm determines that it has made reasonable precautions, it should offer remote access. However, if a law firm makes a determination of reasonableness, client consent is not required.

Lawyers are constantly using documents like PDF, Excel, and Word, which are generated within the firm and others emailed as attachments from outside parties. Regardless of the sources of these documents, risk professionals and legal technology should ensure that the privacy and security standards are in control and manage information to limit risk. The systems and controls used must not hinder lawyers from doing their jobs and controlling privacy and security.  Interruptions for a well scheduled time for dealing with a particular case can impact on the client’s relationship with lawyers. This makes a cost-benefit analysis of a solution that maintains compliance of information essential. Putting forward effective means of investing in information security should be important because of the current age where cyber attempts and attacks on the confidential files received by law firms are on the rise. 

A 2016’s report made by Symantec reveals that email hacking and malware is rising. For instance, between 2014 and 2015, the new malware increased from 317 million to 431 million. Attacks brought about by crypto-ransomware increased from 269,000 to 362,000. In addition, web attacks increased in the same timeframe from 493,000 million every day to 1.1 million every day (Wood et al., 2016). Web attack is a growing and real threat that appears to remain for a long time. This call for the law firms to ensure the protection of its information through cybersecurity to ensure secrecy of its sensitive information. In 2015, web attacks became evident. The legal world was affected by Panama Papers scandal, where about 11.5 million documents with sensitive client data and financial records leaked from Mossack Fonseca, a Panama-based law firm (Rettig, 2016). The leaked files made the financial records of wealthy individuals and elected public officials that had offshore accounts to become the main focus of the media. Since that time, it is evident that law firms face serious threats. the leaking information is a serious issue for any law firm. With information being managed through computer systems, hackers have the ability to get to the legally protected information, leaving a wide-ranging effect. Not only can law firms experience legal action for letting the information released to unauthorized individuals but also evaporate their reputation. Large firms can switch to through computer security and legal professionals may fail to recover after a scandal happens. All these can happen when law firms lack encryption or have outdated software. The scandal at Mossack Fonseca happened because the firm used outdated security software and had not encrypted its emails. 

A security program that law firms use should dress procedures, policies, people and technology. These areas constitute an effective and efficient program. Security of the law firms should not be left only to consultants and IT staff. In addition to the law firms’ measures to avoid security breaches and incidents, there has been an increasing recognition that security involves a wide spectrum to identify, detect, protect, respond and recover breached data. Therefore, security programs should consider all these functions. An essential step that law firms should focus on when establishing an information security program is clearly defining the responsibility of security. The security program should show the ensure the effective designation of people responsible for coordinating security since someone must be in charge of the program. The security program must define the responsibility of everyone ranging from CEO or managing individual to supporting staff.

An increasing number of law firms are using information security frameworks and standards such as those published by the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) (Bahuguna, Bisht, & Pande, 2018). These organizations offer census approaches necessary for a comprehensive security program. Some law firms use the guidelines to establish their security programs while others seek formal security certification. Public wireless networks that law firms use have high-security risk, especially when they do not have passwords. Without putting in place appropriate measures, others who are connected to the network, both attackers and authorized users may be able to view data and the information exchanged over it.

In conclusion, this paper has offered an overview, with some supporting information on what law firms and attorneys should do to protect information. Web technology integrated into mobile devices facilities easier access to information shared on social media by connected individuals. In most cases, the information and opinions address a faulty political system and thus incites citizens to engage in protests, riots and boycotting because most people believe it’s the best way of solving leadership issues in their government and other authorities. The last several years show increasing attention to security issues and an increase in the use of safeguards. Although many firms have made various attempts to ensure that cybercrime is not a major issue to their functionality, there is still a lot to be done. Attorneys and law firms that are still behind on safeguarding their client’s data should evaluate their security mechanism to determine if they require to do more to offer competent and more reasonable safeguards. Law firms that are ahead of others in dealing with cybersecurity issues need to review and update their current security because threats, new technology, and available safeguards change daily. Having effective security should be an on-going process and not just a one-day effort. All law firms and attorneys should have effective and comprehensive security programs that include training, updating, periodic review and constant security awareness.

Works Cited

• Bahuguna, A., Bisht, R. K., & Pande, J. (2018). Roadmap Amid Chaos: Cyber Security Management for Organisations. In 2018 9th International Conference on Computing, Communication and Networking Technologies (ICCCNT) (pp. 1-6). IEEE.
• Black, N. (2018). Cybersecurity And The Realities Of Practicing Law In 2018. Above the Law. Retrieved from: https://abovethelaw.com/2018/11/cybersecurity-and-the-realities-of-practicing-law-in-2018/?rf=1
• Hricik, D., Morgan, A. L. S., & Williams, K. H. (2017). The Ethics of Using Artificial Intelligence to Augment Drafting Legal Documents. Tex. A&M J. Prop. L., 4, 465.
• Randall, K. P., & Kroll, S. A. (2016). Getting Serious about Law Firm Cybersecurity. NEW JERSEY LAWYER, 55.
• Rettig, C. P. (2016). The Panama papers and lessons learned from years of offshore leaks. Journal of Tax Practice & Procedure, 29-34.
• Tan, Z., Hasegawa, S., & Beuran, R. (2018). Concept Map Building from Linked Open Data for Cybersecurity Awareness Training. SIG-ALST, 5(01), 1-6.
• Trope, R. L., & Hantover, L. L. (2017). Reckoning with the Hacker Age: Cybersecurity Developments. Bus. LAw., 73, 227. 
• Wood, P., Nahorney, B., Chandrasekar, K., Wallace, S., & Haley, K. (2016). Symantec internet security threat report. Symantec Corporation, Tech. Rep., 21.