“Fully 70% of large firm respondents reported that they didn’t know if their firm had experienced a security breach,” according to the 2013 survey, entitled “Security Snapshots: Threats and Opportunities” conducted by the ABA’s Legal Technology Resource Center. Of course, the fact that they don’t know does not indicate a breach (easy to overlook that point).
According to the survey, 15 percent of survey respondents had experienced a security breach, and respondents of mid-size firms (10-99 attorneys) were most likely to know about the breach. That makes sense because mid-size firms are more attuned to anything major happening that might affect the firm.
The survey highlighted the increased risks from bring-your-own-device policies which allow attorneys to access firm networks through their smartphones , tablets or other devices. The report found that “34% of respondents reported that their firms allowed them to connect their personal mobile devices to the network without restrictions.”
Our own experience, and conversations with other friends in information security, confirm how often law firms don’t tell their attorneys that there has been a breach. They seem to operate on a “need to know” basis concluding that their attorneys don’t need to know. We often hear “we have no proof that anything was done with client data” in spite of the fact that the intruders had full access to their network. Our encounters with these breaches indicate that if law firms can keep the breach quiet, they will.
They will spend the money to investigate and remediate the breach, but they will fail to notify clients under state data breach laws and they won’t tell their own lawyers for fear the data breach will become public. Is that unethical? Probably. Unlawful? Probably. But until there is a national data breach law with teeth, that approach to data breaches is unlikely to change.
There will, of course, be multiple sessions at ABA TECHSHOW dealing with law firm data breaches and how to secure your firm’s data.
- By Sharon Nelson and John Simek
Nelson and Simek have been frequent presenters at ABA TECHSHOW. Nelson served as Chair of the 2006 TECHSHOW Planning Board. Together they are principals of Sensei Enterprises.