Everything you’ve ever heard about how much money is lost due to information security breaches is only part of your exposure. When word gets out you’ve been breached, the reputation of your law firm for privacy, discretion, and protection are damaged, perhaps irreparably. There are few ways to recover, but the best strategy by far is to protect from being breached in the first place. This article from our friends at BrainTrace discusses some of the ramifications of a cybersecurity breach.
Legal software provider Wolters Kluwer reports that the average cost to a law firm experiencing a data breach is more than US$7Million. If you’re among those who believe such a thing could never happen, consider that, according to the American Bar Association’s (ABA) 2018 Legal Technology Survey Report, 23% of respondents reported having experienced a data breach at some point in the past.
This one-in-four ABA statistic is doubtlessly conservative, given that the majority of data breaches are neither acknowledged nor reported. The exposure, the risk, and the likelihood are all very real, but they are only the beginning of the ramifications of a data breach to a law firm.
Aon, a leading global professional services firm providing a broad range of risk, retirement and health solutions surveyed 2,600 risk managers in 2019, asking them to rank a list of key risks or challenges that their organizations are facing. Only “Slow recovery from economic slowdown” was cited more often than “Damage to Reputation.”
Finally, ABA ethics rules “require attorneys to take competent and reasonable measures to safeguard information relating to clients (ABA Model Rules 1.1 and 1.6 and Comments).” The most common reaction from law firms in the wake of a breach is to increase the number and quality of security provisions, at significant cost.
Consider a CyberSecurity breach a certainty. So, what is a law firm to do to protect itself?
The Costs Keep Coming
When a data breach occurs, it is s usually difficult to determine
- how extensive it was,
- how many records were compromised,
- and how many clients were impacted.
Cybersecurity forensics experts are costly, but necessary, for all of the reasons cited above.
Only 9% of the previously referenced ABA survey respondents reported giving any notice of a breach either to their clients or to law enforcement, though this is a requirement in many states. Costs associated with reporting can be considerable, and fines for failing to do so far more so.
41% of the respondents in the survey reported loss of billable hours and related disruptions. More than one in four were required to replace computer hardware and/or software.
The Biggest Long-term Cost
When you consider the reputational risk of a cybersecurity attack, it risk managers need to recognize that the firm’s clients are not experiencing the breach themselves. They do not feel the violation and exposure experienced by the firm that is the victim of the attack. What the clients know is that you have very sensitive information about them, their company, their operations, their personnel, their legal matters, and more. What they fear most is that their information entrusted to you was accessed during the breach.
As such, the first casualty of any data breach is trust. Law firms depend upon their clients’ trust to form the core of their most valuable asset, their reputation. No matter what measures are taken to protect client data, the breach becomes the fault of the firm entrusted with the data, in their clients’ perceptions. Trust is gone, and once eroded will be extremely hard to rebuild.
Also consider the disruption in services to clients. If data is corrupted or systems damaged during the attack, how long will it take to recover and resume full operations? The longer it takes, the more the firm’s reputation for prompt, attentive service is eroded. Worse still are situations in which firms chose not to be fully transparent, and choose not to disclose the breach to clients or to law enforcement. Subsequent discovery of the breach by clients can become an existential event.
Consider CyberSecurity Breaches a Certainty
The cost of all these subsequent exposures is difficult, if not impossible, to calculate, but can easily be well in excess of that initial $7M estimated impact. Clearly the proverbial ounce of prevention is worth much more than the pound of cure.
New regulatory standards not only require that adequate, efficient measures be taken, but also that their effectiveness must be demonstrated – and documented. You should begin improving your preventative posture by engaging experts to assess the current state of your readiness, and provide detailed remediation recommendations. For security to be effective it must exist at every layer of your information management systems and network. There really is no such thing as total security, but you can achieve a complete prevention and protection strategy with proper planning and foresight.
Cybersquatting threatens your brand and your reputation. Cybersquatters violate your trademark and identity by creating link addresses and content that resemble your information closely enough to fool many clients, potential clients, associates, and others.
Braintrace Domain Protection Services and our Cybersquatting Protection Dashboard protect both you and your clients from the most widespread kinds of cyberthreats. Learn more about it by visiting www.braintrace.com or contact us at 866-508-5471.
Jack Schaller has been active in the field of law office technology since 1989, and has worked with a variety of commercial accounting, legal billing, practice management, and document management software products during his twenty plus years in the software consulting field. During his tenure as a software consultant he has garnered many sales and service awards for his work with legal software products. Jack is a frequent presenter at legal conferences and seminars, and is a regular contributor to TechnoLawyer and other technology publications.