Cybersecurity Checklist for Law Firms
Timothy D. Shields, Ed.D., Esq. | 2021 – 2024 Member, The Florida Bar’s Standing Committee on Technology
Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks. Cyber-attacks against businesses small and large are on the rise. According to the FBI’s 2020 Internet Crime Report, reported cybercrime losses exceeded $4 billion, up from $3.5 billion in 2019.
Cyber risks are managed by working with your people, processes, and products. People are the most important! A fancy door lock is only useful if people lock the door. Similarly, a cybersecurity policy is only effective if people abide by it and organizations enforce it. Cultivating a cyber risk-aware firm culture is your most important security tool!
This checklist provides an overview of the key issues to consider in drafting a firm’s cybersecurity planning, management, and response plans. Failure to plan is no longer an option for law firms storing important client information. If your firm does not employ IT staff, consider seeking legal counsel with privacy and data security expertise for legal and technical guidance.
Creating a Data Breach Avoidance Plan
In order to minimize risk, a firm should adopt a data breach avoidance plan before a breach occurs. Keep in mind, you will be attacked. Will you be prepared? As part of a comprehensive data breach avoidance plan, a firm should:
- Know what data you have! Create a data map of all the data collected by the firm. Each of the questions below has significant legal and regulatory implications when preparing your cybersecurity plan. The data map should contain detailed information about each piece of data, including:
- The type of data (e.g., regulated, confidential, or sensitive data; internal or private data; public data). This classification identifies the sensitivity of the data and the severity of the legal impact on the firm in the event of a breach.
- From whom the data is collected
- The business purpose for which the data was given or collected
- How the data is collected and input
- How and where the data is stored
- Who can access the data, and how (and where those persons are located)
- The purposes for which the data is used
- Whether and how the data may be altered or manipulated, by whom, and for what purpose
- Whether and how the data may be transmitted
- How the data is secured
- How long the data is to be retained
- How the data is disposed of or destroyed
- Any backups of the data, including their frequency and who can access them
- Logs or documentation pertaining to the data
- Compliance and policies
Assess and document the laws, regulations, and industry standards that apply to each piece of data, and make sure there are policies and procedures in place to ensure compliance. Examples include Florida Bar rules, client policies, state data privacy laws (which vary by state), and federal obligations such as those covering financial or educational records. If you suffer a breach and data is lost, your firm will have many obligations.
- Expectations for protecting data
- Confidentiality of data (categorized by levels)
- Expectations of privacy
- Monitoring that impacts privacy
- Limits of permissible access and use
- Social Engineering
- Password policy and security questions
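A data map is easiest to keep current when it is a structured record rather than a memo, because the questions above (classification, retention, access, backups, disposal) can then be checked mechanically. The following is an added example, not code from the checklist or its author: a minimal data-map entry with an audit routine that flags entries past their retention period, entries with no retention or disposal method documented, and sensitive entries that are unencrypted or not backed up. The field names, classification labels and the constructed sample entries are my own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Added example (not from the checklist): a minimal, machine-checkable data map.
# Field names and classification labels are assumptions chosen for illustration.

CLASSIFICATIONS = ("regulated", "confidential", "internal", "public")
SENSITIVE = ("regulated", "confidential")
AS_OF = date(2024, 6, 1)  # constructed "today" for the sample audit


@dataclass
class DataAsset:
    name: str
    classification: str            # one of CLASSIFICATIONS
    source: str                    # from whom the data is collected
    purpose: str                   # business purpose for which it was collected
    storage: str                   # where it is stored
    accessors: List[str]           # roles or people who can access it
    encrypted_at_rest: bool
    collected_on: date
    retention_days: Optional[int]  # None = no retention period defined
    backup_frequency: Optional[str] = None  # e.g. "daily"; None = not backed up
    disposal_method: Optional[str] = None   # e.g. "secure erase"; None = undocumented


def audit_asset(asset: DataAsset, today: date) -> List[str]:
    """Return the gaps a firm would want to close for one data-map entry."""
    gaps: List[str] = []
    if asset.classification not in CLASSIFICATIONS:
        gaps.append("unknown classification")
    if asset.retention_days is None:
        gaps.append("no retention period defined")
    elif today - asset.collected_on > timedelta(days=asset.retention_days):
        gaps.append("past retention period; dispose of the data")
    if asset.disposal_method is None:
        gaps.append("no disposal method documented")
    if not asset.accessors:
        gaps.append("no accessors documented")
    if asset.classification in SENSITIVE:
        if not asset.encrypted_at_rest:
            gaps.append("sensitive data not encrypted at rest")
        if asset.backup_frequency is None:
            gaps.append("sensitive data not backed up")
    return gaps


def audit_data_map(assets: List[DataAsset], today: date) -> Dict[str, List[str]]:
    """Audit every entry; the result doubles as a to-do list for the firm."""
    return {asset.name: audit_asset(asset, today) for asset in assets}


def count_by_classification(assets: List[DataAsset]) -> Dict[str, int]:
    """How much of each sensitivity level the firm holds (for breach-impact planning)."""
    counts: Dict[str, int] = {}
    for asset in assets:
        counts[asset.classification] = counts.get(asset.classification, 0) + 1
    return counts


# Constructed sample entries for a small firm (not real data).
SAMPLE_ASSETS = [
    DataAsset("client_intake_forms", "regulated", "clients", "representation",
              "document management system", ["attorneys", "paralegals"], True,
              date(2015, 1, 15), retention_days=7 * 365,
              backup_frequency="daily", disposal_method="secure erase"),
    DataAsset("billing_records", "confidential", "clients", "invoicing",
              "billing platform", ["billing staff"], True,
              date(2023, 3, 1), retention_days=10 * 365,
              backup_frequency="daily", disposal_method="secure erase"),
    DataAsset("newsletter_list", "public", "website visitors", "marketing",
              "email marketing service", ["marketing"], False,
              date(2022, 6, 1), retention_days=None),
]


def sample_audit() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample as of AS_OF."""
    return audit_data_map(SAMPLE_ASSETS, AS_OF)


if __name__ == "__main__":
    for name, gaps in sample_audit().items():
        print(name, "->", gaps or "no gaps")
    print(count_by_classification(SAMPLE_ASSETS))
```

Run as a script, the audit reports that the 2015 intake forms are past their seven-year retention period and that the newsletter list has neither a retention period nor a disposal method; the billing records pass. The retention and encryption rules are deliberately simple so a firm can replace them with whatever its own bar rules and client policies require.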
Security and Protection
Small firms should protect information and assign only authorized personnel to manage, store, and use sensitive and private data. The policy should also specify the limits on what users may do while handling data (e.g., users may not visit social media websites during work hours). To secure the protection of data, this policy can include the following:
- Workforce personnel
- Multi-factor authentication (2-step verification process, etc.)
- Antivirus and malware detection
- Internal controls/Access Controls (including physical access)
- Encrypting data
- Third-party Security Risk Program
Assess relationships with third-party vendors and conduct due diligence on each potential vendor’s data security and privacy practices, including the protections written into the contractual agreement. The contract should include:
- Data protection requirements and limitations
- Notification requirements in the event of an actual or suspected breach
- Indemnity provisions or limitation of liabilities
- The right to inspect the third party’s security measures onsite (or a requirement that the third party submit an annual security assessment)
Consider acquiring cyber insurance. It helps small firms mitigate risks they cannot otherwise address and recover after a data breach, covering costs such as firm disruption, revenue loss, equipment damage, legal fees, and other expenses associated with an unexpected data breach.
Data Breach Response Plan
Small firms should have a response plan, and the first step is to assemble a response team. First, identify your team members, then draft the breach response plan, and then practice!
Team members should include, but are not limited to, the following:
- An incident lead (e.g., Chief Information Security Officer)
- Legal Counsel
- Information Technology (IT) representatives
- Data privacy representatives
- Risk management representatives
- Public relations/affairs/communications representative
- Human Resources (HR) representative
- Customer service representative
Develop Identity and Access Protection
All firms can take several measures to ensure only those employees with proper authorization have access to confidential information. Limiting access to only those with authorization demonstrates that the employer is not widely disseminating its confidential information, thereby keeping it as secret as possible. Such limited-access measures include, but are not limited to, (1) individualized and unique log-in credentials to certain files, programs, or software; (2) password protections; and (3) restrictions on access.
Develop Policies Restricting Employee Use of Portable Storage and Mobile Devices
Digital information can be taken, and malware can be introduced, through portable storage and mobile devices, including, but not limited to:
- Tablets (e.g., iPads)
- USB Drives
- External hard-drives
- Laptops
- MP3 players
For example, a court found that an employee misappropriated his employer’s trade secret when, on the last day of his employment, he transferred confidential information from his work laptop to a CD that he intended to keep for his personal use.
Policies restricting use of portable storage and mobile devices should also emphasize that storage on a mobile or portable device must be temporary. The device must be cleared as soon as the need for temporary storage ceases. For example, employers should consider implementing a system wherein employees must check out mobile and portable storage devices and check in the portable storage and mobile devices when the employees no longer need them. This allows the employer to control possession and dissemination of mobile and portable storage devices and to ensure devices are properly “wiped” or cleaned after the employee returns them.
Prevent Physical Removal of Confidential Information
In addition to restricting digital removal of confidential information, employers should also take steps to restrict its physical removal. Employers should adopt policies prohibiting removal of confidential information and employer records from the firm premises.
In addition, employers may implement measures such as restricted printing permissions for electronic information that is flagged as confidential, or only permit certain employees to have printer access. Restricting the physical removal of confidential information is one more precaution aimed at avoiding unauthorized dissemination.
Take Advantage of Network and Information Protection Technology
The following cybersecurity measures may also assist in preventing unauthorized entry into an employer’s network and/or computers.
A firewall is a type of software designed to monitor and control inbound and outbound network traffic. Employers use firewalls to prevent users outside of an employer’s network from getting into it and accessing confidential information. Courts have found that an employer’s use of a firewall, along with other measures, constitutes reasonable efforts to keep confidential information secret.
Data Encryption Software
Encryption software is designed to alter information and files into unreadable codes that can only be deciphered by the employer’s own encryption software. Encryption is an effective tool when an employee or unauthorized user removes confidential information from a company computer or network and tries to access it on a non-company computer: it makes it impossible for that person to actually open and view the confidential information. Thus, encryption is useful because it prevents the individual from accessing and using confidential information.
Protect Customer and Proprietary Data
This policy should help identify shared data and unnecessary data, which is essential to reduce the risk of information or identity theft. This includes personally identifiable information (PII), whose exposure can amount to a data breach. The policy should also draw a clear line between your firm and third parties in how data is handled.
Maintain a Strong Password Policy
This policy is essential to maintaining confidentiality and safety inside the workplace. The policy should include the following:
- The use of multi-factor authentication (extra protection)
- Set a timetable for when employees must change or update passwords
- Prohibit employees from sharing login credentials
- Encourage the use of a password generator to ensure strong passwords
- Provide encrypted password managers to store passwords securely
- Require employees to use different passwords for each account
Zero Trust Security Strategy
A zero-trust security strategy assumes compromise and sets up controls to validate each user, device, and connection into the firm for authenticity and purpose. To succeed with this strategy, small firms should establish a way to gather the security information that generates the context (device, security posture, location, etc.) that informs and enforces the validation controls.
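To make the idea of context-driven validation concrete, here is an added example that is not code from the checklist or its author: a toy zero-trust policy decision point that takes the context signals the paragraph names (user identity assurance, device posture, network, location) together with the sensitivity of the resource requested, and returns allow, challenge (prompt for a second factor) or deny with the reasons. The context fields, sensitivity levels, permitted-country set and the constructed sample requests are my own assumptions; a real deployment would pull these signals from the firm's identity provider and device-management tooling.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example (not from the checklist): a toy zero-trust policy decision point.
# Field names, thresholds and the permitted-country set are assumptions.

SENSITIVITY_LEVEL = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
PERMITTED_COUNTRIES = {"US"}  # assumption: the firm only operates from the US


@dataclass
class AccessContext:
    user: str
    mfa_verified: bool          # identity assurance for this session
    device_managed: bool        # enrolled in the firm's device management
    device_encrypted: bool      # full-disk encryption reported by the device
    patches_current: bool       # security updates applied
    network: str                # "office", "vpn", or "public"
    country: str                # where the connection originates
    resource_sensitivity: str   # key of SENSITIVITY_LEVEL


def evaluate(ctx: AccessContext) -> Tuple[str, List[str]]:
    """Return ("allow" | "challenge" | "deny", reasons).

    Every request is validated regardless of where it comes from: the office
    network earns no implicit trust. More sensitive resources demand more
    signals from the device and the connection before access is granted.
    """
    level = SENSITIVITY_LEVEL[ctx.resource_sensitivity]
    reasons: List[str] = []

    if ctx.country not in PERMITTED_COUNTRIES:
        reasons.append("location not permitted")
    if level >= 1 and not ctx.mfa_verified:
        reasons.append("mfa required")
    if level >= 2:
        if not ctx.device_managed:
            reasons.append("unmanaged device")
        if not ctx.device_encrypted:
            reasons.append("device not encrypted")
        if not ctx.patches_current:
            reasons.append("device missing security updates")
    if level >= 3 and ctx.network == "public":
        reasons.append("regulated data not accessible from public networks")

    if not reasons:
        return "allow", []
    # A missing second factor is recoverable: prompt for it instead of denying.
    if reasons == ["mfa required"]:
        return "challenge", reasons
    return "deny", reasons


def decision_log_line(ctx: AccessContext, decision: str, reasons: List[str]) -> str:
    """One line per decision, so denials can be reviewed and alerted on."""
    return (f"user={ctx.user} resource={ctx.resource_sensitivity} "
            f"network={ctx.network} decision={decision} "
            f"reasons={';'.join(reasons) or '-'}")


# Constructed sample requests (not real users or devices).
SAMPLE_REQUESTS: Dict[str, AccessContext] = {
    "attorney_office": AccessContext("attorney1", True, True, True, True,
                                     "office", "US", "regulated"),
    "attorney_no_mfa": AccessContext("attorney1", False, True, True, True,
                                     "vpn", "US", "internal"),
    "contractor_cafe": AccessContext("contractor1", True, False, False, True,
                                     "public", "US", "regulated"),
    "public_page_abroad": AccessContext("visitor", False, False, False, False,
                                        "public", "FR", "public"),
}


def evaluate_samples() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every constructed request."""
    return {name: evaluate(ctx) for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, ctx in SAMPLE_REQUESTS.items():
        decision, reasons = evaluate(ctx)
        print(name + ":", decision_log_line(ctx, decision, reasons))
```

The managed, patched device on the office network is allowed only because it satisfies every check, not because it is in the office; the same attorney without a verified second factor is challenged rather than denied; the contractor's unmanaged laptop on public Wi-Fi is denied for three separate reasons, each of which is logged so the firm can see which control did the work.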
ABOUT THE AUTHOR
Timothy Shields is a partner at Kelley Kronenberg. In his practice, Timothy focuses on cybersecurity and data privacy issues for small businesses by serving as their general counsel.
This LegalFuel publication is intended for educational purposes only and does not replace professional judgment. Statements of fact and opinions expressed are those of the author individually and, unless expressly stated to the contrary, are not the opinion of The Florida Bar or its committees. The Florida Bar does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information published. Any feedback should be provided to the author.