Because even the best encryption is only as good as your least tech-savvy employee.
One of the core responsibilities of any law firm is protecting not only privileged information and sensitive documents, but client information in general. Clients (quite rightly) expect that their lawyers will keep confidential information, well, confidential – and professional associations and disciplinary bodies have been known to go to extreme lengths to uphold this expectation when law firms fall short.
One story in the May 2021 issue of The Lawyer showcases just how seriously the industry takes data security. In one incident, a junior lawyer in the United Kingdom mistakenly emailed medical evidence and an impact statement to the wrong person – to someone who had nothing to do with the case she was working on. When the intended recipient asked her where the evidence was, she chose to lie and claimed her email program’s firewall blocked the message.
Thankfully, she came clean and told her superiors the truth later that day. Her firm reported the issue to the Solicitors Regulation Authority, the U.K.’s regulatory body for lawyers. After an internal investigation, her employer issued a formal written warning, while the Solicitors Disciplinary Tribunal fined her £5,000 and suspended her license to practice for six months.
When most businesses think of data security breaches, they think of external threats, like getting hacked. But there are also several threats to your data security that could emerge from inside your organization, often through human error (like emailing evidence to the wrong person). In many cases, lawyers have breached client confidentiality and data security by leaving confidential papers on the train and (allegedly) publishing confidential client data like social security numbers in public court records.
Protecting your law firm’s sensitive data involves guarding against internal threats just as much as external ones. If you want to keep your law firm’s data secure, your entire team needs to be cyber-aware. Here are some data security behaviours that every law firm should train into its staff.
Standard email communication might work for typical things like setting up meetings or coordinating the schedule for your company softball team. But if you’re sending or receiving sensitive documents like shareholder agreements or probate forms, the security features in a standard email program aren’t enough to keep your data private and secure.
The most common method of protecting sensitive data while it’s being transmitted over the Internet is encryption. When you send an unencrypted document, whether through email or other electronic means, you’re transmitting its plain text in a form that is immediately readable to anyone who sees it. If a hacker intercepts the document, they can instantly read its entire contents.
Encryption ensures that only the intended recipient can read a message or access a document.
If, as a child, you ever played with a decoder ring that you found at the bottom of a cereal box, then you’ve encrypted a message. Technology-based encryption works in much the same way.
Encryption uses a cipher to turn your message into unintelligible nonsense. The recipient of your message holds the matching key, which reverses the encryption and reveals the original message. Anyone who intercepts the message along the way sees only what looks like a random, meaningless string of letters, numbers, and symbols.
So if, for instance, you’re sending a settlement offer via an encrypted messaging service, the encryption service might turn the sentence “Here is the settlement offer” into a string of characters looking something like x#~~L¡7Qï4°¥§A•»9{‰.
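As an added illustration (not code from the original post or from Appara), here is the decoder-ring analogy side by side with a keyed cipher, in Python using only the standard library: the same settlement sentence round-trips with the right key, while a wrong key or an altered message is rejected instead of being "decoded" into garbage. The key values are assumptions, and the HMAC-based keystream is a teaching construction rather than a vetted library cipher, which is what a real deployment would use.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def decoder_ring(text: str, shift: int) -> str:
    """Cereal-box decoder ring: every letter moves a fixed number of places.
    The 'key' is just the shift, so anyone holding the same ring (or trying
    all 26 shifts) can read the message. Illustrative only."""
    out = []
    for ch in text.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch)
    return "".join(out)

def _subkeys(key: bytes) -> tuple:
    # Derive one key for scrambling and a separate one for the integrity tag.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (teaching construction,
    # not a vetted cipher). A fresh nonce per message keeps every stream unique.
    stream, counter = b"", 0
    while len(stream) < length:
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return stream[:length]

def encrypt(key: bytes, message: str) -> bytes:
    """Return nonce || ciphertext || tag. The middle part is what an interceptor sees: noise."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    data = message.encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> str:
    """Reverse encrypt(); refuse to answer at all if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body)))).decode()

if __name__ == "__main__":
    firm_key = secrets.token_bytes(32)  # constructed sample key
    sealed = encrypt(firm_key, "Here is the settlement offer")
    print(sealed[16:-32].hex())          # the interceptor's view
    print(decrypt(firm_key, sealed))     # the recipient's view
```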
Whenever anyone in your organization is sending confidential information or sensitive documents, you’ll want to ensure they’re encrypting that information first. Some of the most popular email programs on the market, like Gmail, Apple Mail, and Microsoft Outlook, do not enable encryption by default.
In contrast, services like Appara use end-to-end encryption to prevent unauthorized users from reading your data. Adopting encrypted communications services is an easy way to instantly improve your firm’s data security.
“Don’t click that link!”
If you’ve ever said those words, you probably already know the dangers that malicious emails can pose to your organization.
Phishing and ransomware are rapidly growing threats, and sophisticated hackers are now using these tools and attacks to exploit law firms of every size. According to a 2018 report by Verizon, phishing attacks are responsible for over 90% of all cybersecurity breaches at small law firms. Meanwhile, Washington, D.C.-based cybersecurity firm PurpleSec estimates the global cost of ransomware to be $20 billion USD.
Phishing and ransomware are two different threats, but they often go hand-in-hand.
Phishing is when a hacker uses an email, a text message, a fake website link, or another form of electronic communication to trick someone into handing over sensitive information, like a password.
One particularly high-profile and widespread phishing attack took place in late 2020, when taxpayers in the District of Columbia received malicious emails asking the recipient to disclose his or her bank account information in order to receive government COVID-19 relief benefits. The IRS issued a public warning on January 14, 2021 informing consumers that such emails are fraudulent.
In some cases, the hacker may send a phishing email directing the recipient to click a certain link that will then cause the recipient’s computer to download ransomware. If you are the victim of a ransomware attack, the hacker will encrypt all of your data to prevent you from accessing it, and then threaten to destroy or publish the data if you don’t pay a ransom.
The most famous ransomware attack in recent history is the WannaCry attack of 2017. In this attack, hackers used WannaCry, a piece of malware developed by the U.S. National Security Agency, to infiltrate 200,000 computers in 150 countries, including computers at FedEx, Nissan, Honda, and 14 different government agencies around the world. WannaCry encrypted users’ data and demanded a payment in the form of Bitcoin in exchange for the decryption key.
A hacker-turned-cybersecurity-consultant named Marcus Hutchins stopped the attack four days after it started by using a secret kill switch he had found in the WannaCry code, but by that time, at least 80 organizations had already paid the ransom.
Phishing and ransomware are social engineering attacks. These attacks work by exploiting human psychology and social interactions in order to gain trust. Phishing emails will often try to imitate legitimate sources and leverage human emotions like curiosity. The best way to guard against these kinds of attacks is to verify through other means that an email actually came from the person who appears to have sent it.
Make sure all of your staff know to:
Not everyone in your law firm needs to know every detail of every transaction or communication. Your receptionist probably doesn’t need access to your largest client’s regulatory compliance forms. And the more people who know confidential or sensitive information, the more likely it is that said information will be leaked. That’s why sensitive data should only be shared on a need-to-know basis.
The US Cybersecurity and Infrastructure Security Agency (CISA), a branch of the US Government, calls this the principle of Least Privilege. Whenever you’re sharing sensitive data, only provide it to those who absolutely need to know it, and only give those parties the minimum access they need in order to do their job. Even if you’re providing someone with access to sensitive data for a legitimate reason, they may not need full administrative access – a lower level of permission, like view-only permission, may suffice.
Software suites like Appara use sharing permissions features to achieve this purpose. With Appara, you can customize the access and edit permissions of individual users, so you can easily implement the Least Privilege principle in your law practice.
Plenty of software solutions claim to be secure. Very few of them go to the lengths required to prove it. Even if you’re using software that claims to offer certain security features, that doesn’t mean you have the best protection available.
For full confidence in your legal records management software, you’ll want to look for solutions that have been externally audited and certified. An external audit means an independent cybersecurity firm has examined that tool’s security features and found them to be best-in-class. Appara, for instance, undergoes an annual third-party security review to maintain ISO certification.
Keeping your law firm’s data secure involves a multilayered approach that incorporates both software solutions and human behaviour modification. By training your staff to always be cyber-aware, you’ll protect your clients’ sensitive data from prying eyes and keep hackers at bay.
Is your legal tech software lacking in data security? Appara’s industry-leading security features can help. Appara is the only product on the market with ISO security certification – and we undergo a third-party security audit every year.
Contact us today to discover how Appara can save your law firm time and money while keeping sensitive documents secure.