In part one of this two-part series, we showed you why solos and small law firms must address the serious business risk presented by data breaches. The failure to do so, you learned, could be disastrous for your legal services business.
You learned that not only could your solo or small law firm lose significant business due to system downtime caused by security breaches, but there are also both ethical and legal penalties for failing to put protections in place, or for instituting inadequate ones. Not only that, the cost of a data breach to your reputation is enormous in many cases, particularly if the one at your practice makes the news.
In this article, we tell you how to prevent disaster as if your legal practice depends on your acting now—because it does.
Attorneys must plan to prevent security breaches
It’s no longer enough to stave off cyberthieves with a patchwork of unsystematic security measures. Determined criminal hackers easily override those methods. “The new mantra is to identify, protect, detect, respond, and recover,” cybersecurity experts tell the ABA’s GP Solo. That’s the framework all law firms, regardless of size, need to adopt, and it includes developing and executing a comprehensive Incident Response Plan (IRP).
However, experts caution solo and small firms against relying solely on a template for establishing an IRP or cybersecurity plan. Every business is different, and what you implement depends on your law firm’s size, network, resources and the data you control. Solo and small law firms, like their larger counterparts, should customize their IRP. Even so, the GP Solo blog provides the fundamental elements of an IRP in its article, “What to Do When Your Data is Breached”. Here is an overview:
- Internal personnel. Identify your team, and do it by position title rather than only by name, in case of personnel changes. Even in a solo or small firm, you’ll need a broad-based team that includes multiple staff and that’s easy to reach at all hours.
- Data breach lawyer. Have an experienced data breach lawyer on call and don’t decide you’ll handle this legal issue yourself.
- Insurance policy. Make sure you’re covered from the beginning of this process, and have your policy and insurer’s number readily available. You’ll need to contact your insurer as soon after a possible breach as possible.
- Law enforcement. Know which agencies you should call, whether it’s local police or your local FBI office, and keep their contact information handy. This is one of the first calls you’ll make after an incident.
- Digital forensics consultant. Frequently, firms have had data breaches for seven months or more before they are discovered. An experienced expert can carefully investigate what happened and when. Keep their contact information updated and available.
- Containment and recovery. A law firm that’s experienced a breach is likely to be targeted for another. You’ll need a containment and breach recovery strategy in your IRP to prevent or quickly respond to subsequent incidents.
- Compromised data. Pinpoint the personally identifiable information (PII) possibly compromised and discuss notification requirements with your team.
- Systems logs. Make sure you have logging activated and collect those logs for analysis after a breach.
- Intrusion and data loss logs. If you don’t already have intrusion detection or data loss prevention software, consider installing it so you’ll have those logs, too, in the case of a security incident.
- Your bank. You’ll want the correct contact information in case your bank data is compromised.
- Public relations consultant. You may need this professional if you must disclose your breach and it goes public. They’re optional but can help with damage control. Insurance companies often provide their services as part of your coverage.
- Clients and third parties. Carefully plan your third-party notification strategy. Incorrect execution can have disastrous consequences.
- Employee policy. Have an employee policy in place governing their ability to discuss a breach publicly, particularly on social media.
- Data breach notification law. Put both the guidelines and contact information for state authorities in your state in your IRP. Make sure you comply with your state’s requirements.
- Other legal obligations. Consider the Health Insurance Portability and Accountability Act of 1996 (HIPAA), other legislation or agency regulations, and client contractual requirements in case of a breach. Be ready to comply with those notice requirements, too.
- Training on the plan. Training is imperative for all involved in executing this plan. Be certain all internal personnel and external contacts know their required role under your IRP.
- Testing the plan. Plan testing is critical, too. It can range from a preliminary run-through of mock incidents to complete drills. Consider all elements of the plan, including external contacts. Revise the plan if necessary.
- Review of policies. Establish review policies and follow them unfailingly.
Getting started with the basics
Establishing a formal IRP requires an extensive planning process. But even if you’re not in a position to begin this multi-step development process, your solo or small firm can still start its cybersecurity planning.
“Solo and small firms should begin by assessing what kinds of data they have on their computer systems, including the types of client data they have,” says Westby.
“Next, they should determine the privacy and security requirements applicable to that data,” she continues. “This information will give them a good foundation for then determining what access controls, encryption, logging and monitoring, and tools should be deployed.”
But, getting solid professional help to do this may be necessary. “Small firms should also consider using third parties to help them with managing their infrastructure and monitoring their computer systems and detecting attacks, malware, or suspicious activity,” Westby adds.
But, like most experts, Westby recognizes the financial constraints solo and small law firms may experience in establishing and maintaining the level of cybersecurity infrastructure and expertise they need. She says costs include license fees for security tools as well as fees for consultants, third-party managed systems, and internal IT staff.
It’s those staff, however, who can help reduce some costs. “IT personnel can be trained on security issues,” Westby explains. “The cost of a couple of cybersecurity certifications or courses can reap benefits and save significant money otherwise spent on third-party security program maintenance,” she states. Solo firms might use IT contractors with this background to meet their needs.
Put the right insurance protection in place
Small and solo firms must do what too many law firms have not: get cybersecurity insurance. It’s dangerous to assume other policies include this coverage; be certain.
Westby says it won’t satisfy legal requirements for cybersecurity programs or relieve a firm’s ethical obligations to inform clients of incidents, but it can help cover the costs associated with cyber incidents. That includes specialized legal assistance to fight lawsuits related to a covered event.
But it’s important to be certain you obtain the right protection levels and add necessary endorsements. “Solo and small practices should carefully evaluate what coverage they may need, the types of incidents to be covered and understand what the response costs and business interruption costs will be before purchasing insurance,” explains Westby.
Get help from agents, brokers, and independent consultants who specialize in small law practices and can help with this analysis and save the small firm money.
Save your practice—take the advice you’d give your clients
If a client were facing a potentially serious but preventable legal risk, you’d tell them to act now to avoid potential ruin. It’s important that you take the same advice when it comes to cybersecurity—act now to deter legal catastrophe.
Acting promptly will require monetary outlays, but Westby says, “Solo and small firms must develop a budget to implement required security measures and obtain funding to do so.”
“It will cost them less than responding to a security breach and may save their practice,” she concludes.