Attorneys are required to uphold ethical rules by providing their clients with highly competent communication and confidentiality standards. But do you feel that is enough to address today’s cyber concerns, when businesses are shifting their data to the cloud? Can an attorney guarantee the safety of a client’s data while it is being moved to, and set up in, cloud storage?
In all fairness, no one can guarantee anything in a rapidly changing technological environment. However, it is fair to say that attorneys should hold data security to standards just as high as their other basic confidentiality standards.
Like many other businesses, law firms are consistently at high exposure to security breaches and should not take their risk management measures lightly. Data security should be at the top of the list, not neglected in the back seat. It is no longer a matter of “if” a data breach happens, but “when” it happens. If an attorney does not make reasonable efforts to prevent or respond to a data breach, the lack of effort can lead to a poorly executed incident response plan and/or greatly affect their career in the legal profession.
In the past year, malicious activity has greatly increased, leaving many to scramble. One of the larger incidents, which occurred in May of 2020, was the ransomware attack on the law firm Grubman Shire Meiselas & Sacks. If you are not already aware of this incident, Grubman Shire Meiselas & Sacks is an entertainment law firm that handles high-profile client cases, many of them involving celebrities. The law firm fell victim to the cybercrime group known as REvil. REvil demanded $21 million to free the firm's files of the malware. Since the law firm refused to pay the ransom and had initiated late damage control, it still experienced a tremendous loss of data. Although we do not have the official reason as to how this happened, we can infer that it may have stemmed from a malicious e-mail. E-mail is a common method of malware delivery, and a successful delivery most commonly stems from a lack of process and human error. Proper preventative processes should be put in place and monitored daily. Law firms could improve their security management by implementing a strong risk management protocol. Many businesses mistakenly rely on an underdeveloped risk management protocol, which is simply not enough. If you find yourself doubting the security measures your law firm has put in place, you should remind yourself of this malware attack.
Aside from implementing sufficient security practices, it is equally important to maintain those standards. It is also important to remember that a one-time risk measure you apply now may not be applicable in the future. Data transfer to cloud-based storage only increases your risks. Law firms should commit to protecting themselves and their clients from cyber-attacks, and should take the perspective that this commitment truly parallels their existing ethical requirements. Do not underestimate what can, in turn, save you from the risk of a devastating loss accompanied by negative publicity.