Not so long ago, if someone wanted to steal your information from a law firm, she'd have to break into your lawyer's office. Now, all she needs is a computer, an internet connection, and hacking skills.
Sadly, the legal industry is a technology laggard, which means your lawyer's systems and software may well be out of date. In addition, few law firms have the security and cybersecurity expertise necessary to safeguard their clients' information.
Third Parties May Already Have Access To Your Information
Your law firm may be sharing information with other organizations out of necessity. For example, "the other side" of a case is entitled to certain information pertaining to the case.
There may also be a service provider involved that helps your law firm organize huge volumes of information so that litigators can find the information they need quickly.
Your law firm may also use "local counsel" if it needs help in a particular jurisdiction. If so, that firm needs access to your information to do its part of the job.
So, when you hand over all the information your lawyer needs to represent you, you may have no idea where it will go or who will have access to it.
What to Ask Your Lawyer
Before you talk to your lawyer, write down the questions you want to ask and pay attention to how they are phrased. If you ask questions that yield "yes" or "no" answers, your law firm will tell you what you want to hear, according to Andy Wilson, CEO of San Francisco-based online legal software company Logikcull.
That means don't ask whether the law firm is secure or whether it takes security and cybersecurity seriously, because those questions invite binary answers. If you want an actual answer, ask questions that require more detailed answers, such as those listed below.
#1: Who has access to my information inside and outside your firm?
Usually, when you hire a lawyer, you're actually hiring a team of people that may include partners, associates, paralegals, and secretaries. Wilson would ask who is involved in the entire workflow.
#2: Why does [a third party or a role in the law firm you don't understand] have access to my information?
There are legitimate reasons why different people have access to your information. You are entitled to an explanation.
#3: When are you encrypting my information?
Your information should be encrypted when stored ("at rest") and when sent to another person or business ("in transit"). A useful follow-up is who holds the encryption keys: data encrypted with keys that a vendor controls is only as safe as that vendor.
#4: How are you ensuring the physical security of my data?
The legal profession is going digital, which means paper is being replaced by bits and bytes. However, those bits and bytes are often saved on physical media, including laptop hard drives, thumb drives, CDs, or DVDs, which are easily lost or stolen. Full-disk encryption of laptops and removable media (see question #3) is what turns a lost drive into an inconvenience rather than a breach.
#5: What does your firm do to avoid social engineering risks?
Hackers exploit weaknesses in computer systems, software, and networks. Social engineering exploits human weaknesses.
Your company probably educates (or should educate) its employees about the risks of social engineering. Some law firms have been victims or targets of phishing (fraudulent email) and spear phishing (fraudulent email that appears to be sent by a trusted party); see http://fortune.com/2016/12/07/china-law-firms/ for one reported case.
#6: How are you ensuring that the vendors you use are protecting my information?
Jay Edelson, CEO of Chicago-based law firm Edelson PC, would want to validate the answer by hiring a team to test the system and find the weak spots, assuming the case justifies the expense.
#7: If you use local counsel, how are you ensuring that they will protect my information?
A firm with good data security may hire a firm in another jurisdiction that has little or no security.
Why You Should Care
Law firms are lucrative targets because they house, use, and share information that is very valuable on the black market or could be used for nefarious purposes such as blackmail and insider trading. Hacking is a clear and present danger to law firms and their clients.
Edelson posits that clients are going to face liability for choosing the wrong law firm. If sensitive information is involved, the law firm gets hacked, and the client failed to do due diligence, there could be a lawsuit against the client and the law firm.
In short, blind faith is a poor form of security. Trust, but verify.