How Law Firms Can Protect Data & Reduce Legal Malpractice Risk

Imagine that you open your laptop and find that all of your client data is encrypted — a message tells you to pay a $25,000 bounty by a certain deadline or lose everything.

That’s exactly what happened to Moses Alfonso Ryan, a 10-attorney firm in Rhode Island, in 2017. After seeing the ransomware message, the firm had trouble acquiring the cryptocurrency needed to pay the ransom, and when it did finally pay the $25,000 bounty, the deadline had passed, and they had to pay an additional ransom. The incident left all 10 attorneys unable to bill for a single hour for three months, resulting in over $700,000 in lost business.

In addition to cybersecurity breaches, clients are holding law firms to higher standards when it comes to cybersecurity practices. Johnson & Bell, a mid-sized Chicago law firm, was publicly named in a class action data security lawsuit in December 2016. The complaint accuses the law firm of systematically exposing confidential client information and storing client data without adequate security — even though no client data was ever stolen.

In this article, we will take a closer look at why cybersecurity matters for law firms, how to protect client data, and why every law firm should have regular cybersecurity audits.

Why Cybersecurity Matters

Cyberattacks have been increasing in frequency and sophistication. While more than 90 percent of malware is still delivered via email, now browser plug-ins, Microsoft Office macros or server exploits have replaced more obvious executable files. Criminals that gain access to a computer system can use it to steal data, demand a ransom, attack others, or even mine cryptocurrency — all without the user even being aware until it’s too late.


Download our free law firm cybersecurity audit checklist to use as a starting point when auditing your firm.

Law firms are an attractive target for several reasons:

  • Easy target: Most law firms don’t have sufficient cybersecurity policies, procedures, and technologies in place, making them an easy target for cybercrime.

  • Valuable data: Law firms have a lot of valuable data for both independent and state cybercriminals, including trade secrets, intellectual property and private financial information. For example, law firms involved with mergers and acquisitions have data that could be extremely valuable for insider trading.

  • Well capitalized: Law firms regularly pay large sums of cash for settlements and have strong incentives to pay ransomware demands. For example, law firms have been duped by phishing emails into sending large settlements to cybercriminals.

While large companies capture the headlines, 43 percent of cyber attacks target small businesses and only six percent of major data loss victims survive two years. Small law firms face the biggest challenges since they have limited resources and experience a larger potential impact from reputational damage from data loss or other cybersecurity incidents. The possibility of class action lawsuits only amplifies these concerns.

Cybersecurity Best Practices

Cybersecurity solutions have become better over the years: Spam-detectors prevent phishing emails from reaching an inbox; anti-malware scanners react in real-time to new threats; and Cloudflare has made DDoS attacks much costlier and more difficult for criminals. That said, the best technology in the world won’t prevent cybersecurity incidents from occurring — that requires human elements that only internal policies can address.

While cybersecurity solutions have become better over the years, software alone will never be enough to protect your business.

Top cybersecurity best practices for law firms include:

  • Assign a point person: It’s easy to forget about cybersecurity until it’s too late, which is why it’s important to designate a person responsible for cybersecurity. Their role will be to ensure that all employees are trained, technology is updated, and cybersecurity policies are in place to minimize risk.

  • Educate employees: Employees should be informed about why law firms are a target for cybersecurity and how to spot potential problems. For example, they should know how to spot a phishing email and alert the right person about it. They should also be able to spot other social engineering tactics using the phone or other devices.

  • Secure & backup data: Client data should be encrypted on every device, backed up on a regular basis, and stored in encrypted cloud storage. That way, a stolen laptop or destroyed data doesn’t become a major cause for concern. Secure email archiving is also a great way to keep emails safe, secure, and searchable.

  • Secure your network: Use active network protection to protect your internal network, as well as VPNs for remote access. A properly secured network can prevent malware and ransomware from reaching users, as well as block botnet and DDoS attacks, which can keep your firm safe from non-phishing related forms of attack.

  • Enforce secure passwords: Generate unique random passwords for every account and manage them in a password manager rather than storing them on a spreadsheet. That way, there’s less of a risk of one compromised password impacting all areas of the firm and no risk of every service being accessed via a spreadsheet.

  • Update Software: Anti-virus, anti-malware, and anti-phishing desktop software is a great last defense against threats reaching employees. At the same time, it’s important to keep all software—server and desktop—up-to-date at all times. The failure to keep up with security patches can leave entire servers vulnerable to attack.

Jungle Disk provides a full cybersecurity suite that’s especially designed for small businesses that need flexibility when it comes to budget. Our solutions are priced on a usage or per month per employee basis, making it easy to get started and scale as you grow.

Don’t Forget Cybersecurity Audits

Cybersecurity audits are another very important piece of the puzzle, particularly given the law suits against firms for failing to provide enough security. In fact, a 2017 Logicforce survey found that nearly half of law firms had their data security practices audited by at least one corporate client in the past year. These audits are likely to increase in volume and complexity, and law firms will be faced with a decision to comply or lose business.


Download our free law firm cybersecurity audit checklist to use as a starting point when auditing your firm.

Jungle Disk provides a free network security scan that detects several common cybersecurity vulnerabilities. Take the test today to see how your existing network stacks up.

The Bottom Line

Law firms tend to rank highly when it comes to cybersecurity, but there are many firms that fail to appreciate the risks. If your firm is falling short, consider implementing these best practices and using technologies like Jungle Disk to improve your security and reduce risk.

Sign up and protect your business today.

Protect Your Business Data

We are passionate about helping our customers protect their data. We want you to use Jungle Disk to protect yours. Click on Sign Up to get started. It takes less than 5 minutes!

Sign Up