Law Firms: What Are You Doing to Protect Your Clients’ Data?


How safe do you think your law firm’s data really is? Cyber criminals often target attorneys by sending an email from an unknown source asking the attorney for representation, or by notifying the attorney via email that a complaint has been filed against him or her with The Florida Bar. If even one of your employees clicks a link or downloads an attachment from a hacker, your law firm’s data and your clients’ information could be compromised.

It’s no surprise that in March the Wall Street Journal reported that unspecified hackers had breached networks at several U.S.-based law firms that represent Wall Street banks and Fortune 500 companies. That news was followed just days later by what was then the biggest data leak on record. A data breach at Panamanian law firm Mossack Fonseca led to the now infamous Panama Papers leak, in which more than 11 million documents detailing financial and attorney-client information were exposed. How do you think their clients felt about that? What about their shareholders?

With data security threats on the rise, law firms need to worry about protecting their clients’ information, which may include trade secrets, financial data, health records or other non-public or confidential information. Understanding the types of threats that are out there and keeping an eye on trends can help you to protect your law firm.

Currently we are seeing two big cyber security trends that law firms should be watching and proactively addressing to minimize their risks:

  1. Phishing and spear phishing – Phishing and spear-phishing threats targeted at businesses typically involve fraudulent emails sent to employees. Phishing casts a wide net with generic lures; spear phishing is aimed at a specific person and uses details the attacker has researched, such as the name of a client, a matter, or a partner. The emails may appear to be from a potential client or even from the managing partner of the firm, and employees can compromise the business’ IT systems and data if they download an attachment or click on a link within the email. Download our Social Engineering FAQ to learn more.
  2. Ransomware – Another type of cyber threat that is becoming more prevalent is ransomware, in which the law firm’s computer system is effectively taken hostage by cybercriminals looking for a payout. The malware encrypts files on the infected machine and on any network shares or backup drives it can reach, and paying the ransom does not guarantee the files will be recovered. These types of attacks are difficult for law enforcement to prosecute, and are often not even reported to the government.
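The two sender tricks described above, a message that appears to come from a firm partner but is sent from an outside mailbox, and a message from a domain that merely resembles a trusted one, can both be caught with a simple header check. The following Python script is an added example and is not code from the original post or from Kaufman Rossin; the firm domain `examplefirm.com`, the staff directory, the list of trusted domains and the sample messages are all constructed for illustration.

```python
"""Flag display-name impersonation and look-alike sender domains in raw email.

Added example: the domains, staff names and messages below are assumptions
made up for illustration, not data from any real firm.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (hypothetical) firm domain and staff directory. A real deployment
# would load these from the firm's directory service.
FIRM_DOMAIN = "examplefirm.com"
STAFF_NAMES = {"alice partner", "bob associate"}
# Assumed domains the firm regularly corresponds with.
TRUSTED_DOMAINS = {FIRM_DOMAIN, "floridabar.org", "examplebank.com"}

# Characters attackers commonly swap when registering look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain):
    """Undo common digit/letter and letter-pair substitutions (rn -> m, vv -> w)."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name):
    """Lower-case a display name and strip punctuation so 'Alice  Partner, Esq.' matches."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def sender_findings(raw_message):
    """Return a list of human-readable findings for one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. A staff member's name on a message sent from outside the firm.
    if normalize_name(name) in STAFF_NAMES and domain != FIRM_DOMAIN:
        findings.append(f"display name '{name}' matches firm staff but sender is external ({domain})")

    # 2. An untrusted domain that is a homoglyph or near-miss of a trusted one.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if normalize_domain(domain) == trusted or edit_distance(domain, trusted) <= 2:
                findings.append(f"sender domain {domain} looks like trusted domain {trusted}")
                break

    # 3. Replies silently redirected to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = {
    "partner_spoof": (
        "From: Alice Partner <alice.partner@webmail.example>\r\n"
        "To: staff@examplefirm.com\r\nSubject: Urgent wire before closing\r\n\r\n"
        "Please send the wire details today.\r\n"
    ),
    "lookalike_bar": (
        "From: The Florida Bar <complaints@f1oridabar.org>\r\n"
        "Reply-To: complaints@mail-drop.example\r\n"
        "Subject: Complaint filed against you\r\n\r\nSee attached.\r\n"
    ),
    "legitimate": (
        "From: Alice Partner <alice.partner@examplefirm.com>\r\n"
        "Subject: Lunch\r\n\r\nNoon?\r\n"
    ),
}


def scan_samples():
    """Run the check over every constructed sample and return {label: findings}."""
    return {label: sender_findings(raw) for label, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(label, "->", findings or "clean")
```

These checks are heuristics meant to feed a warning banner or a quarantine rule, not a replacement for SPF, DKIM and DMARC enforcement; the edit-distance threshold of 2 will produce false positives for very short domains and should be tuned against the firm's real mail flow.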

So what can you do to help protect your firm (and your clients) from these risks?  Frankly, there is no way to guarantee 100% protection.  Even government organizations, the military and major corporations with the most sophisticated cyber security teams report breaches.

But there are many things you can do to reduce your risks.  Consider the following areas.

  • Training – If you’re not training your employees on phishing and spear phishing, your firm may be at greater risk. These types of social engineering attacks try to exploit your employees to gain access to your IT system. Educate your employees on how they can help reduce your firm’s risk. A qualified consultant can conduct phishing testing at your firm to increase your employees’ awareness of these kinds of threats and reduce the likelihood that they will fall victim to social engineering attacks.
  • Policies and procedures – Establish and document technical and administrative policies and procedures surrounding data security, educate employees about those policies and hold them accountable for adhering to the rules.
  • Data backup – Don’t overlook the importance of backing up your data on a regular basis. This simple step can reduce the risk of losing everything if a hacker takes your system hostage or if your system fails. Keep at least one copy offline or otherwise unreachable from employee workstations, since ransomware will encrypt any backup drive or share it can access, and periodically test that you can actually restore from it.
  • Incident response plan – In the event of a data security incident at your firm, an incident response plan can help you manage the situation. You should involve teams from across the organization (e.g., IT, compliance, management) in creating the plan as early as possible, and walk through it in a tabletop exercise before you need it; don’t wait until an incident to start thinking about it.

Contact me or another member of Kaufman Rossin’s IT security consulting team to learn more about managing your company’s data security challenges.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
