Legaltech 2020: A Legal Cybersecurity Checklist

GrowPath’s Cybersecurity Diagnostic and Roundup – 22 Questions For Diagnosing Your Firm

Your responsibility of cybersecurity as a legal professional

It goes without saying that it’s a good idea to wear a helmet when riding a motorcycle. Nevertheless, you can still see some bikers riding without a helmet. You would never do that, of course, but it’s always easier to spot someone else’s lapses than our own. When it comes to the safety of your law firm’s data and confidential information, are you blithely speeding along without top-of-the-line digital protection? Proactive prevention against cybercriminals and cyber attacks is an immediate, ongoing, and absolute necessity of legal tech in 2020. Below, we’ve prepared a legal cybersecurity checklist that can help. After all, ignoring tech advice is as bad as riding a bike without a helmet.

The ABA’s Ethics and Professional Responsibility Opinions on Client Data and Monitoring

Law firm cybersecurity best practices has been a hot topic of conversation and professional analysis recently. In 2017’s Formal Opinion 477R, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued some guidelines for how attorneys should transmit client data over the internet. In short, a lack of reasonable efforts to protect confidential information from hacking or accidental disclosure could result in violating some ethical rules.

The ABA followed 477R with Formal Opinion 483, which focuses on a lawyer’s duties and responsibilities in the event of a data breach. Clearly, the topic of cybersecurity as it relates to client confidentiality is an important one.

Embracing Encryption

An important aspect of legaltech in 2020 is data and email encryption. When you encrypt a document or other sensitive information, outside readers cannot make sense of the scrambled data. It is only through the use of a digital key that you can unlock and read the data once again. In contrast, when you send unencrypted data across the internet, hackers can intercept and read it. This is obviously a legal and ethical confidentiality issue.

Lawyers should send data through an HTTPS website rather than a simple HTTP site. A simple website check allows you to verify that you data in transit will be encrypted and safe. A lot depends on one letter, as that extra S stands for secure and means that your sensitive info is safe from prying eyes. An icon of a padlock in the address bar also indicates a secure site. Remember that third party vendors can quickly undo your caution in encrypting your data in transit if they are careless in how they handle your data. Indeed, hackers can find their way into your system through an indirect security breach.

Even your data that’s not actively being transmitted (data at rest) should be encrypted. Yes, your laptop requires a password to be unlocked. However, if your laptop or phone is lost or stolen, hackers can still access your password-protected but unencrypted files. A Mac, for example, can be booted up with just a Linux Live CD, with all files fully accessible. Here, then, is your first tip: Full disk encryption, like BitLocker for PCs and FileVault for Macs, is not completely impervious but does increase your data at rest security. Should an issue arise, your implementation of full disk encryption could show your proactive steps in safeguarding sensitive client information.

Are you following law firm cybersecurity best practices? 22 legal cybersecurity checklist questions to ask.

Here are 22 legal cybersecurity checklist questions to ask yourself about the current state of your law firm’s cybersecurity. Indicate whether you’re currently compliant and, if not, when you expect to be compliant:

Legal Cybersecurity Protocols and Policies:

1. Is your software set to automatically patch and update?
2. Do you encrypt your internet traffic through the use of a VPN?
3. Are your off-site security protocols as stringent as your on-site procedures?
4. Does your security policy address the use of mobile computing in unprotected environments?
5. Does your security policy address employees who telecommute?
6. Do you have strong physical security of your office to complement your network security?
7. Do you maintain meticulous network access logs long past the date of logging?

Employee and Third Party Accountability:

8. Is there a specific and accountable owner for your security policy?
9. Do your employees receive hands-on, regular, and mandatory security training in law firm cybersecurity best practices?
10. Are you aware of what security measures your service providers are taking?
11. Do you know the security procedures of third-party vendors that can access your sensitive information?
12. Do executives in your organization follow the same security policies and procedures as other employees and staff?
13. Have all of your employees signed a non-disclosure agreement?
14. Do your employees know what reporting procedure to follow if they see a security threat?

Cybersecurity Prevention:

15. Does anybody who doesn’t need access to your system nevertheless have access to your system?
16. Have you disabled the credentials of workers no longer with your organization?
17. Do you know when your last cybersecurity audit was conducted?
18. Do you utilize the services of an ethical hacker to probe your cyber defenses?

Response:

19. Have you developed and tested an incident response plan in the event of a cyber crisis?
20. Do you know the first person you will call in the event of a security event?
21. Do you have a continuously-updated inventory of key items each information system contains?
22. Are your backups segmented from the main network?