Ride the Lightning

Lawyers Get a Poor Cybersecurity Grade: ABA Report

October 29, 2019

Last week, the ABA released a cybersecurity summary based on its 2019 Legal Technology Survey Report. The results were predictable – and worrisome.

26% percent of respondents reported that their firm have experienced some sort of security breach (which, of course, is not necessarily a data breach). 19%, many no doubt from large firms, don't know if their firm has experienced a data breach. As we customarily state, many lawyers have no clue about their firm's security incidents or even data breaches.

Consequences of security incidents included consulting fees for repair (37%), downtime/loss of billable hours (35%), expense for replacing hardware or software (20%), destruction or loss of files (15%), notifying law enforcement of breach and notifying clients of the breach (9% each), unauthorized access to other (non-client) sensitive data (4%), and unauthorized access to sensitive client data (3%).

On the topic of viruses, spyware, and malware, results indicate more than a third of respondents (36%) have had systems infected with more than a quarter (26%) not aware whether any such infection has ever occurred. Again, the size of a firm impacts the respondents reporting that they do not know: solo respondents (7%), firms of 2-9 attorneys (15%), firms of 10-49 attorneys (30%), and firms of 100+ attorneys (58%).

Consequences of infection have included the destruction or loss of files (14%), unauthorized access to (non-client) sensitive data (3%), and taking steps to report to law enforcement and clients (1% each). Other consequences resulting from a virus, spyware, or malware infection include costs incurred for consulting fees for repair (40%), downtime/loss of billable hours (32%), temporary loss of network access (23%), temporary loss of web site access (17%), and replacement of hardware/software (15%).

This year, the overall number reporting an incident response plan improved to 31% from 25% last Favorable responses generally improved— from solos (11%), firms with 2-9 attorneys (23%), and firms of 10-49 (35%). Only those responding from firms with 100+ attorneys dipped to 65% from 71% in 2018.

The 2019 Survey results indicate that less than half of respondents use file encryption (44%), slightly more than a third use email encryption (38%), and even fewer use whole/full disk encryption (22%). This result is a material positive change from the prior year in the use of email encryption (29% in 2018) while the number for file encryption and whole/full disk encryption (46% and 24%, respectively in 2018) are slightly up.

Overall, 33% of respondents in 2019 report their firms have cyber liability insurance (compared with 34% in 2018). The two prior years had seen much more dramatic progress—as 26% of responses reported such coverage in 2017 and 17% in 2016. One notable statistic from the 2019 results: a full 39% of respondents report that they do not know whether their firms have cyber liability insurance.

I suppose the biggest news, if you can call it that, is that we are making pathetically slow advances in cybersecurity. Overall, our grade is pretty much an "F."

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson