How prepared are law firms for cyber breaches? And how often are firms being attacked?
On the same day that a massive ransomware attack hit DLA Piper, cybersecurity startup firm LogicForce released a chilling report that found that law firms are still woefully unprepared for all sorts of cyber threats.
The study, released Tuesday, found that two-thirds of the 200 responding law firms had reported some sort of cyber breach. The LogicForce report, which compiled data from survey responses and proprietary information from clients, also found that 77 percent of responding firms did not have cyber insurance, 95 percent of responding firms were noncompliant with their own cyber policies, 100 percent were noncompliant with a client’s policies, and 53 percent of responding firms did not have a data breach incident response plan.
The report created an “implementation scale” to measure how far along the legal industry was when it came to adopting safe cybersecurity standards. Out of a possible score of 100 percent, LogicForce gave the legal industry a weighted average score of 29.6 percent.
“While there are some law firms that implement most, or even all, of these mediation techniques, the fact is, many aren’t doing enough when it comes to protecting themselves,” the report said. “It is truly not a question of if, but when, an incident will occur.”
The LogicForce numbers stand in stark contrast with some of the other available cybersecurity reports covering the legal industry. The 2016 ABA Legal Technology Survey Report, which received 800 responses for the section covering “technology basics and security,” found that 14 percent of responding firms had been breached (firms with 500 or more lawyers were the biggest targets, as 26 percent of those firms reported a security breach). According to a 2016 study (PDF) from the Association of Corporate Counsel, one-third of in-house counsel had experienced a security breach. When it came to compliance with a client’s cybersecurity policies, Altman Weil (PDF) found in 2016 that one-third of general counsel had requested that at least one of their outside law firms comply with specific data security standards, with nearly 16 percent asking their top 10 outside lawyers to do so.
“Some of the numbers [in the LogicForce study] sound right, but generally, our experience is in line with the studies from the ABA and Altman Weil,” says John Simek, vice president at Sensei Enterprises Inc., a digital forensics, information technology and information security firm. The LogicForce study “has a very small sample set, and they compare apples to oranges to figs to pears and everything else.” For instance, the ABA study found that answers varied considerably based on firm size. When it came to having an incident response plan, for example, the ABA study found that 50 percent of firms with 500 or more lawyers and 60 percent of firms with 100 to 499 lawyers had such a plan in place, compared to only five percent of solo practices and 20.5 percent of firms with 10 to 49 lawyers.
According to LogicForce chief information officer Jordan McQuown, the study incorporated a wide array of law firms but was geared primarily towards midsize firms of 25 to 250 lawyers. “I don’t think firm size really makes a difference,” says McQuown. “However, it certainly feels like there is a drop-off after you get away from the Am Law firms. After all, those firms have resources, staffers and whatnot.”
While he didn’t agree with all of the numbers, Simek says that the LogicForce study is good in that it helps raise awareness and drive the conversation forward. When it comes to ransomware, for instance, Simek notes that those attacks are growing and that many firms end up having to pay the ransom because they didn’t have systems in place to recover the stolen data. “Our own clients are beginning to wake up to the fact that these types of attacks can happen anytime,” says Simek.
Another area of uncertainty involves cyber insurance. According to the ABA study, 44.5 percent of lawyers did not know whether they had cyber liability insurance, including 93 percent of firms with over 500 lawyers. The LogicForce study found that 77 percent of respondents did not have insurance; however, McQuown admits that he “wouldn’t be surprised if the respondents really had no idea” whether they had cyber liability insurance or whether their general insurance covered cyber liability.
“We tell clients they should be looking at their policies to see what is and what is not covered,” Simek says. “A lot of people don’t know. If they believe they have it, they believe it’s already included as part of regular insurance and they don’t need to do anything different. The reality is that a large percentage of law firms don’t have cyber coverage.”