published March 28, 2016

By Noelle Price

Worst Mistakes and Best Practices in Law Firm Cybersecurity Measures

Learn the worst mistakes and best practices in law firm cybersecurity in this article.

Although law firms suffer security breaches like any other industry, such breaches rarely make the news. Why? According to, such news would be detrimental to a firm, so breaches are often handled quietly and as quickly as possible. However, this causes further problems for the legal industry: because data breaches are underreported, many firms are unaware that they are at risk and so have failed to take proper precautions. In fact, if law firms ignore this risk, they may become ethically and legally responsible for breaches that do occur. Fortunately, there are simple, inexpensive measures that firms can take to improve their cybersecurity.
The FBI has been warning law firms for around five years about the risk posed by hackers and cybersecurity breaches. After all, firms hold some of the largest collections of sensitive documents. In addition, breaches may originate from within the firm—for example, a stolen laptop or a misplaced smartphone could leave clients’ sensitive information available for misuse. Many firms also allow their associates to use their own devices to access records and servers, which adds further points of entry for those who are after sensitive information.
According to, a firm’s own users are the biggest threat—and many are not even trying to harm the firm. The article recalls one firm that allowed a receptionist to read, edit and delete client documents, and another whose associate attorney worked from home over an unsecured wireless network, rendering the firm’s security measures essentially useless.
Four years ago, Jeffrey Brandt of noted that 86% of firms do not require two-factor authentication, 94% do not track iPhones and Android smartphones, 78% do not issue encrypted USB drives, 61% have no intrusion detection tools, and so on—numbers that are shocking to many.
Firms stand to lose more than just money after a data breach. Firms may also face lawsuits, fines, penalties, and a loss in consumer confidence. Losing clients can easily mean the death of a firm. After all, a law firm’s reputation is often its most valuable asset.
Sending unencrypted data and using cloud-based litigation software without proper protections in place are dangerous moves that many firms make on a daily basis; data exposed this way is easy for attackers to obtain and use immediately. Firms should carefully consider whether employees should use their personal cell phones and laptops, and they should carefully investigate any vendors they use.
As for dumb mistakes to avoid, consider the following:
1. Do not keep unnecessary client data “just in case you need it someday.”
2. Do not forget to encrypt data.
3. Do not leave access paths unsecured.
4. Do not delay in patching weaknesses and vulnerabilities as soon as they are discovered.
5. Do not neglect reconfiguring badly configured servers and databases.
Implementing the above practices will add significant protections to the law firm.
As for best practices for the firm, consider the following:
1. Encrypt everything. Do not send any data that is not encrypted—it is simply too risky.
2. Be mindful of what goes into the cloud, because it is hackable and often outside the firm’s control.
3. Consider prohibiting employees from using their personal devices at work, as the firm has less control over these items.
4. Vet every single vendor the firm uses to ensure they take proper security precautions.
5. Train staff properly to understand and avoid risks. In addition, make sure all employees understand the hazards of working wirelessly, which carries its own set of risks.
6. Make sure the firm has a password policy. Do not make it easy for hackers to guess firm passwords for email, servers, and the like.
7. Consider cyber liability insurance, which can protect a firm in the event of a breach.
8. Make sure the firm is using the right cybersecurity standards.
9. Always be prepared for a breach to happen anyway—have a plan of attack ready for if and when one does occur.
Firms should also keep spam filters and antivirus software up to date and use host intrusion protection programs, which detect unusual changes in the firm’s systems and help discover breaches.
Additionally, make sure that the firm has strong legal docketing and calendaring methods in place. After all, egregious human error can set the firm up for a malpractice claim, which can ruin a firm’s reputation. Missing a deadline or a court date can cost a client millions of dollars.