Cyberattack: It Can Happen to Your Law Practice
Cybersecurity is an important concern not only for the safety of data, but also for the protection of people. In many ways, with the internet of things and the proliferation of breaches and exploitation, cyber threats are at the forefront of what attorneys, as advisers, employees, and business owners, face. The technology we attorneys now have at our fingertips allows us to more quickly integrate and innovate, network and share ideas more easily, and save money. Our digital capacity enables us to do amazing things, but it also makes us, our law practices, and our clients vulnerable. According to Martin Banks’ “Five Laws of Cybersecurity,” everything is vulnerable. Put another way, if there is a vulnerability it will be exploited, and that is a problem when your job is to protect people or your law practice/organization. Lapses in cybersecurity can subject attorneys and their organizations to civil liability.
We attorneys store a lot of data in our systems, as do our clients and the organizations we work within and for. We collect personal information, track usage, and hold terabytes of sensitive information. Even the so-called “zero trust policy” itself, the mechanism by which entities require pre-approval before allowing entry to a space, both physically (like a key card to gain access to a building) and electronically (like a password to enter a computer system), creates risk to data. That sounds far-fetched, I know, but think of what is required to implement zero trust. To approve a person for access to spaces and systems, data about them must be collected, organized, reviewed, and stored. This mechanism requires information such as social security numbers, fingerprints, birthdates, and other personally identifiable information as a baseline for entry. Once individuals gain access, their movements and habits are collected and tracked. As sensitive information and data points are collected and stored, more data is being created that companies must protect—all in the name of protecting its data in the first place! Thus, companies are tasked to find security measures to secure their security measures.