By Tim Rollins
This article is a reprint of a post that orignially appeared on the EDRM blog on Monday, June 6, 2022.
With Memorial Day weekend behind us, many people are celebrating the unofficial start of summer. And summer is almost always a blessing—nicer weather, beach vacations, shorter Fridays (if you’re lucky)—you’ve got to think that IT professionals in the legal industry are probably breathing a sigh of relief and hoping for a nice, relaxing summer after a rough spring. Every other day, it seemed, I received an email update giving more bad news about ransomware attacks, data breaches, and other nefarious cyber-doings in the legal industry.
Late in April, data breaches were reported at law firms McCarter & English and Stevens & Lee. Unfortunately, many mid-size firms (as these are) and smaller don’t budget for technology—under 50% according to the ABA’s 2021 technology survey. As Sharon D. Nelson of Sensei Enterprises, explains, “While small and midsize firms consistently believe that they are not at great risk, they do not understand the mindset of cybercriminals. Law firm size doesn’t matter as much as the clients they serve and the extreme likelihood of weak security in smaller firms.”
This is especially borne out by details arising from the Stevens & Lee breach, which actually occurred in 2021, but was not made public until April 2022. Apparently, the breach compromised “the private information of a very large number of people”—over 23,000, including many customers of the firm’s financial institution clients, according to subsequent reporting. As is abundantly clear by this point, organizations must take care of customer data when it is in their hands—but it is equally important for organizations to vet the security practices of their third-party partners.
Unfortunately, though, ransomware attacks and data breaches are not a seasonal matter—and it’s not novel for cybercriminals to target firms in the legal industry. So summer is unlikely to see a downtick in cyber-incidents? (If you don’t believe me, feel free to check out the infographic on legal industry data breaches we’ve put together.)
The figures are compelling. According to the same ABA survey, one in four respondents had suffered a data breach at some time—but only 36% of firms had a response plan in place. While legal requirements demand that firms notify authorities or breach victims within 30 to 60 days, on average it takes 74 days for organizations to do so. Legal industry breaches have had ripple effects through government agencies, financial organizations, AmLaw 200 firms, Fortune 500 companies, and the entertainment industry—just to name a few.
Fortunately, there are some steps organizations in the legal industry can take (and that their clients should make sure they’re taking!). First, increasing investments in technology, specifically cybersecurity measures, are paramount. Not only do things like multifactor authorization, endpoint detection, and endpoint response technology help mitigate the risk of cyberattacks, they’re increasingly seen as important factors in whether or not an organization can afford (or even obtain) cyberinsurance.
But of course, protection must go beyond firewalls and other protective measures. Law firms and LSPs should also develop, implement, and train teams on incident response plans. At this point, cyberattacks are inevitable. But the ability to respond automatically with measures including digital forensic software can help slash response times and remediation efforts, as well.
For more information on data breach and ransomware trends in the legal industry, download Exterro’s infographic Don’t Get Burned today!