Penalties can include the loss of clients, negative publicity and sanctions. Costs can exceed $1 million for
notification, credit monitoring, fines,
computer forensics, legal representation and corrective action programs.
Multiple federal and state agencies
can penalize you for a single data
breach. Clients can sue for malpractice if you lose their data.
Lesson 1: Your Data is Valuable to Bad People
Law firms store lots of valuable data in
many forms. It doesn’t matter if you
specialize in family, corporate, real estate or criminal law. You have something someone else wants – financial
information, health records, strategic
information and secrets that your client’s competition would love to see.
Your data may be protected not just by
attorney-client confidentiality, but also
by federal and state laws.
Lesson 2: Cybersecurity is Not Optional for Law Firms
You must protect data for ethical and legal reasons. You have an ethical responsibility to maintain confidentiality, and
a legal responsibility to secure legally
The State Bar of Arizona requires:
• “…Competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or
• “…Competent and reasonable measures to assure that the client’s electronic information is not lost or destroyed.”
• “…An attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”
State Bar of Arizona, Opinion No. 05-04 (July 2005)

Cybersecurity for Lawyers: It’s Not Optional
Law firms are being targeted by hackers, so says the FBI, which has issued multiple warnings to that effect.
DAVE KINSEY, PRESIDENT, TOTAL NETWORKS
As President of Total Networks, Dave is responsible for providing strategic
information technology assistance to many Arizona law firms. Dave’s team
is the first and only Arizona IT company to earn the CompTIA Security
Trustmark, certifying that Total Networks meets or exceeds security best practices.
Have a question for the IT Expert? Call or email Dave directly at
Lesson 3: To Be Effective, You Must Implement Security Safeguards
Effective cybersecurity requires a belts-and-suspenders approach, including
technical, physical and administrative
Your staff must know what to do,
how to do it, and what will happen
(discipline, termination or criminal
prosecution) if they break the rules.
Buying security tools, and not training everyone on your staff to properly
use them, is a waste of money. Telling
everyone what they should do, and
then not conducting some internal
audits to validate compliance is meaningless. Invest in security, make sure
everyone knows how to use it, and verify that they really do.
Lesson 4: If Your Data is Breached, Bad Things Happen
Once data is breached, a lot of bad
things will happen. The same data can
be protected by federal and state laws,
requiring reporting to federal agencies,
the state attorney general and the Bar.
Your clients will have to be notified and
the breach will be public information in
the media and with regulatory agencies.
Additionally, there have been several
successful data breach lawsuits demonstrating how a firm fell below the reasonable standard of care in protecting
Lesson 5: Cybersecurity is a Specialty, like the Law, Medicine and Accounting
Specialized skills and tools are required
to manage your cybersecurity. Security
tools must be properly configured and
continually monitored to ensure they
are working properly, and have had
their definitions and patches updated.
Logs must be kept to prove that data
was encrypted – after the device has
been lost or stolen.
The Benefit of an Independent
A good way to make sure you have the
proper security in place is to have an
independent security audit. This can
help you understand where your data
is, how it moves within – and in and out
of – your firm, and what vulnerabilities
you have. Because cybersecurity isn’t