This is a guest blog from our consulting partners at EXTEND Resources.
From M&A details to sensitive HR matters to litigation strategies, your legal department maintains confidential information that should not be exposed to the public. This requirement makes the unprecedented rise in cybercrime a significant concern for chief legal officers, legal operations leaders, and their teams.
Now, consider the amount of highly sensitive information your law firm panel manages and stores related to your matters and projects. Beyond that, law firms create a mountain of derivative data – which is equally confidential – on your organization’s behalf. Finally, law firms provide data to third parties that provide services on matters, such as eDiscovery vendors. Understanding where your data is stored and how it is protected is of paramount importance in reducing your exposure to a breach.
Understanding your panel’s risk indicators
Ensuring legal data confidentiality begins with asking good questions and gaining a high-level picture of your law firms’ cybersecurity practices. The six questions below offer a good starting point for identifying potential information security gaps.
1. Do you know that law firms and other professional services firms are the top targets for ransomware attacks?
According to a recent report from Fitch Ratings, professional services firms are targeted more than twice as often as the next most targeted industry, healthcare. Experts have predicted that a cyberattack will occur every 11 seconds this year.
If your law firms are not knowledgeable about the cyber threat environment, can you be confident they have the proper data protections in place for you? Ask them to discuss their perspective on the threat landscape and their strategy for combatting threats and avoiding security incidents.
2. Can your firm demonstrate compliance with recognized information security and privacy standards?
The gold standard for information security is demonstrated compliance with a recognized framework or standard, such as ISO 27001 certification for information security or audited compliance with the NIST Cybersecurity Framework (CSF).
However, checking the compliance box is not enough. The scope of an organization’s compliance matters. Does the program apply to only certain locations or offices? Is it focused only on IT systems, or does it incorporate all forms of information? How many information assets are included in the program inventory? The narrower the scope of their program, the less likely your data is protected.
Ask your firms for their certification credentials and the results of their most recent audit (internal or external) to understand how broad – or narrow – the scope of their information security program may be.
3. How do you evaluate and validate the security posture of your third-party vendors that also have access to our data?
Just as you evaluate your law firms, your law firms are responsible for validating their vendors’ security postures. After all, eDiscovery, document management, and other vendors gain access to your confidential data in the course of matter management and corporate work.
Ask your firms about the processes they have in place to evaluate vendors’ cybersecurity practices. For example, what percentage of their vendors are evaluated? How often are they reevaluated? Request the results of any surveys or evaluation tools.
4. Where is our data stored within your firm’s systems and within the systems of your third parties?
When managing a security incident or breach with a vendor such as a law firm, it is critical to know the locations where your data is stored in a firm’s systems. This information can help your organization work with the vendor’s IT and IS teams to determine if your information was breached and how to manage any response and mitigation.
When evaluating this area, consider both internal and external systems. Is the data stored on-premises, in the cloud, or both? What type of infrastructure are they using? Ask for a complete inventory of locations where your data is stored.
5. Who is responsible for protecting our confidential information, and who has access to it?
75% of successful data breaches resulted from giving too much privileged access to third parties. Therefore, understanding who has access to your information is just as important as where it is being stored.
In addition to understanding your firm’s data access policies, ask how those rights are managed. For example, what is the business purpose for an individual’s access? What happens when circumstances change, such as a personnel change, the closure of a matter, or other changes? Are there restrictions? How often are access rights evaluated?
6. What are your law firms’ and their associated vendors’ data retention policies?
Technology advances typically result in system upgrades, new hardware and implementations, and shifts from local systems to cloud repositories. Updates and changes by your law firm, their vendors, and their hosting providers can affect the security of your information – especially if data is retained on legacy systems and servers instead of being properly removed. Ask your firms how often these upgrades and changes are made, and whether your data is retained on legacy servers, hard drives, and other systems.
You should also know what happens to your data when a matter, project, or relationship ends. For example, is the data retained for some period of time? Do you receive a copy of the data? How and when is your data deleted? To protect your organization, it is a good practice to require written confirmation that the data has been deleted.
The answers to these questions will undoubtedly uncover some red flags. When they do, contact an experienced legal cybersecurity expert to investigate further and evaluate the risk.
EXTEND Resources can help you mitigate cyber risk by assessing the overall risk of your panel, evaluating individual law firms' cyber practices, and performing a data audit to catalog data locations, custodians, and workflow. Contact us at [email protected] for more information.