Reprinted with permission from CentricPro.
All law firms are at risk of a cyberattack. Most law firms are concerned about the consequences of a cyberattack. Yet unfortunately there are still many law firms that are not focusing efforts, resources and financing towards mitigating the risk.
Why should you care? It was just reported in June in the 2016 Ponemon Cost of Data Breach Study [1] that the average cost of a data breach is now $4 million; that is $158 per record, but in a highly regulated industry it can be as much as $355 per record. This is an increase of 29% since 2013. It continues to rise because 48% of the breaches are malicious attacks, which cost more to remediate. Forensics, legal costs and regulatory requirements are identified as making up the majority of the cost, with the lack of an incident response plan being a significant cause as well. First-party losses from a data breach include loss of data, loss of business income/business interruption, restoration, re-creation and remediation, and notification and credit monitoring expenses, to name a few. The costs of a cyberattack on your law firm could have a devastating financial impact.
In addition, there are liability considerations. Absent clearly defined rules, regulations, standards and best practices, it is said that a “reasonableness” standard comes into play in determining negligence and assigning liability. A business doing nothing to mitigate risks will not be acceptable. There are professional conduct rules to consider, and where federal and/or state rules and regulations govern your practice, there are more liabilities and penalties that could impact your operation. You even have some states reviewing their requirements in light of the increase in cyberattacks and enhancing requirements on notification and credit monitoring as well as now considering requiring businesses to implement certain safeguard measures. Some states are also expanding the definition of what information is required to be protected.
Further, you now have certain industries pushing for model cybersecurity laws. For example, the National Association of Insurance Commissioners (NAIC), along with state insurance regulators, is proposing its own state model cybersecurity law (Insurance Data Security Model). The concern here is that different laws may be enacted for the various roles one may take on in one’s business, and those laws may also conflict with existing state and federal data security laws, making it difficult for a business to comply with all of them. Then you cannot forget about the contractual obligations you may have with third parties like your lenders and insurance companies. You may be obligated by them to employ reasonable or appropriate administrative and technical security measures to protect information.
And of course there is the loss of good will and the negative impact on your reputation in the event of a cyberattack, especially if you have not taken reasonable steps to mitigate risks that impact your clients and employees. Clients are inquiring more now than ever as to whether you are secure. They are becoming more educated on the matter and are looking for the law firms that represent them to confirm that their information and, if applicable, their funds are adequately protected and secure.
Unfortunately there is no guarantee that whatever you are doing is enough to keep you from ever experiencing a cyberattack, but doing nothing is not the answer and could lead to more exposure. Make sure you are focusing efforts on cybersecurity initiatives for your business.
[1] For the information reported in this paragraph and more see, Ponemon/IBM Security – 2016 Ponemon Cost of Data Breach Study; also, www.cnbc.com, Cost of data breaches hits $4 million on average: IBM, by Berkeley Lovelace, Jr., 6/15/2016.