Cybersecurity for legal
Legal services rely significantly on knowledge and information. In addition, the attorney-client relationship cannot exist without confidentiality and privacy. For these reasons, the protection of sensitive communications and information is paramount to the legal profession.
The large volume of highly valuable commercial information such as client records, banking details, contracts and legal records held by law firms makes these and other professional services organizations a prime target for cybercriminals.
As attacks become increasingly targeted and well-funded, many firms within the professional services sector can struggle to suitably defend themselves. Law firms, for instance, are often seen as a weak link in the security chain, as adversaries seek to use them as a conduit to gain highly personal, business-critical or commercially sensitive information about their clients.
According to the 2016 ABA Legal Technology Survey Report, 30.7% of all law firms and 62.8% of firms with 500 lawyers or more reported that current or potential clients made specific security requirements a part of their client agreements. Other law firms reported that corporate clients wanted access to the cybersecurity plans and prevention procedures implemented by the firms.
Common cybersecurity challenges in the professional services industry:
• Understanding what data is stored and how vulnerable it is
• Protecting highly distributed IT infrastructure
• Achieving compliance with the GDPR and other legal standards
• Maintaining client confidentiality
• Meeting the data security and policy requirements of clients
• Overcoming a lack of in-house security skills and resources
Key security questions for law firms
Security questions organizations in professional services should be asking:
How often is digital infrastructure tested for vulnerabilities?
Are suitable controls in place to defend against targeted attacks?
Are systems able to identify threats that bypass the perimeter?
Are staff sufficiently trained about information security risks?
Is there a plan in place to detect, remediate and report breaches?
What systems and controls are in place to mitigate insider threats?
How is the personal data of clients processed and protected?
Cybersecurity compliance in the legal sector
To achieve compliance with the GDPR it is essential that law firms and barristers’ chambers have suitable technical and organizational measures in place to ensure that personal data is protected against unauthorized or unlawful processing and against accidental loss, destruction or damage. Another important requirement is the need to have robust procedures in place to detect and investigate personal data breaches, report them to the relevant supervisory authority within 72 hours of becoming aware of them and, where a breach is likely to result in a high risk to individuals, notify the affected individuals without undue delay.
Organizations in the legal sector that take online card payments need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Requirements include maintaining a secure network, implementing robust security policies, regularly testing systems for weaknesses and proactively monitoring network infrastructure.