Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

ABA TECHREPORT 2018: Cybersecurity

February 12, 2019

We were delighted to see that the ABA has recently posted an article stemming from the 2018 ABA's Legal Technology Survey Report written by our friend and colleague Dave Ries. As always, Dave does a thorough job of updating some of the recent developments in cybersecurity as well as offering some of the details from the ABA survey.

23% of respondents reported in 2018 that their law firm had experienced a data breach at some point in time. In 2018, the reported percentage of firms experiencing a breach generally increased with firm size, ranging from 14% of solos, about 24% for firms with 2-9 and 10-49 attorneys, 42% for firms with 50-99, and about 31% for firms with 100+.

The paragraphs below, taken directly from Dave's article, contain one of the highlights of the report, the stats regarding law firm data breaches.

"Larger firms have more people, more technology, and more data, so there is a greater exposure surface, but they also should have more resources to protect them. It is difficult to tell the completeness of larger firms’ responses on breaches because the percentage of those reporting that they “don’t know” about breaches (18% overall) directly goes up with firm size—reaching 57% in firms with 100-499 attorneys and 61% in firms with 500+. This makes sense because attorneys in medium and large firms may not learn about security incidents that don’t impact the entire firm, particularly minor incidents and ones at remote offices.

The majority of respondents—60%—reported that their firm had not experienced a breach in the past. Hopefully, this does not include firms that have experienced a security breach and never detected it. Another common saying in security today is that there are two kinds of companies: Those that have been breached and know it, and those that have been breached but don’t know it. The same is likely true for law firms.

The most serious consequence of a security breach for a law firm would most likely be unauthorized access to sensitive client data (although the loss of data would also be very serious). The 2018 Survey shows a very low incidence of this result for firms that experienced a breach—about 6% overall, up from 1% last year. The reports of unauthorized access to sensitive client data by firms that experienced a breach are 11% for solos (up from none last year); 6-8% for firms with 2-9, 10-49, and 50-99; none reported for firms with 100+. While the percentages are low, any exposure of client data can be a major disaster for a law firm and its clients.

The information on breaches with exposure of client data is incomplete because almost 7% overall report that they don’t know about the consequences, with “don’t know” responses increasing from none for solos to 38% for firms of 500+. The uncertainty is increased by the high percentage of respondents (18%), discussed above, who don’t even know whether their firm experienced a data breach.

Unauthorized access to non-client sensitive data is 6% overall, with 8% for solos, 5% for firms with 2-9, 10% for firms with 10-49, 8% for firms with 50-99, 5% for firms of 100-499, and none for firms with 500+.

The other reported consequences of data breaches are significant. Downtime/loss of billable hours was reported by 41% of respondents; consulting fees for repair were reported by 40%; destruction or loss of files by 11%, and replacement of hardware/software reported by 27% (percentages for firms that experienced breaches). Any of these could be very serious, particularly for solos and small firms that may have limited resources to recover. No significant business disruption or loss was reported by 65% overall.

About 9% overall responded that they notified a client or clients of the breach. The percentage reporting notice to clients ranges from 11% for solos, 8% for firms with 2-9, 7% for firms with 10-49, 17% for firms with 50-99, none for firms with 100-499 and 19% for firms with 500+. This is equal to or in excess of the reported incidence of unauthorized access to client data for firms of each size, consistent with the view that ethical and common law obligations require notice to clients.

Overall, 14% of respondents that experienced a breach reported that they gave notice to law enforcement, ranging from 13% for solos, 10% with 2-9 attorneys, 20% of firms with 10-49, 25% of firms with 50-99, 5% of firms with 100-499 attorneys to 25% of firms with 500+."

I heartily recommend that you read the entire article, which is full of information and stats regarding security programs and policies, security assessments and client requirements, cyber insurance, security standards and frameworks, authentication and access control, encryption, basic security tools, remote access, wireless networks, and disaster recovery. A superb piece of work. Not that I'm prejudiced. 🙂

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson