Due to current events, remote work has now become routine. In this new environment, many law firms have not adequately considered how to attract and retain their clients. One issue that should be of concern to every practice is cybersecurity—law firms are second only to financial institutions in being targeted for attack.
Sophisticated clients are much more likely to pay a premium for legal services that come with an added level of security. Clients are now demanding security documentation and even audits, demonstrating the value clients place on security. Clients are more likely than ever to change firms if their current counsel does not prioritize security. Firms always need to position themselves to show their value; therefore, they should highlight their commitment to cybersecurity in their marketing and communications to potential clients.
The following policies and procedures will reassure current clients that they have chosen a quality law firm, and will serve to attract prospective clients as well:
- Get your security affairs in order. This may include implementing assessments, penetration tests, upgrades, policies/procedures, awareness training, and third-party attestations or certifications. Working with a qualified cloud provider is also important.
- Provide details about your firm’s security policies and procedures before the client (or prospective client) asks. Clients want law firms to share this information proactively.
- Challenge current and prospective clients to compare your firm’s security policies with other practices in your area. You can provide a comparison chart illustrating the measures your firm has taken to ensure security versus how other firms have approached remote work and cybersecurity.
- Actively discuss with your client the firm’s confidentiality, privacy and compliance programs to protect their information. Your discussion should cover awareness of external and internal threats, and documentation of the storage, access, sharing and retention/destruction of matter-related files. Clients will want to know where their information is stored, who can see it and how long it will be kept.
- Let your clients know that you have a sharing platform (or client portal) that is secure and easy to use. Many clients are working remotely as well and will want to access shared documents and communicate with you easily. Some clients may want you to use popular applications like Dropbox. Dropbox and similar applications are useful for other purposes, but not for confidential legal information. Make sure your clients are using your secure platform for confidential correspondence, and that they know that this is part of the added value you deliver.
- Demonstrate your commitment to protect your clients through secure credit card processing. Do not record any client credit card information. There are affordable outsourced options for every size law firm that will maintain this type of security. Processing can be easily implemented so the client can pay via your website, or even through a smartphone, without liability to the firm.
- Internal firm awareness training should be a prominent piece of the firm’s value statement. Human error is the easiest way for data to become compromised. Regularly inform clients and prospects that your firm educates all employees about social media best practices, and about phishing and scams that could possibly jeopardize confidential information. The firm can offer CLE to its attorneys and offer education to its clients too.
- Advise your clients about your document storage and retention policies to reassure them that their information will remain secure. During that conversation, talk about where the information is stored, who has access to the information, and the amount of time electronic and paper documents will be stored before being destroyed. With many firms moving to the cloud, clients need to know that their information is being hosted in a safe place, accessible by only authorized users after a rigorous authentication process, and managed and updated by vetted, competent professionals.
- Be forthcoming about the backup/continuity and notification processes in the unlikely event of an incident.
- Share details regarding the firm’s general, professional and cyber liability insurance carriers as another way to demonstrate the firm’s commitment to security.
- Be sure to also specify “privacy-by-design” steps that your firm has implemented, such as security measures that limit access to various types of information within the firm to specific attorneys and staff members (for ethical or compliance reasons). Firms have to provide access to data and files on a “need-to-know” basis. Ethical walls maintain confidentiality in accordance with the Rules of Professional Conduct and with other restrictions that ensure compliance with legal obligations. Ethical walls also prevent individuals who have no relationship to the client or matter from gaining access to client information.
In addition to a cybersecurity plan, you might also consider sharing how your firm handles compliance with federal, state, and international privacy mandates. For instance, HIPAA (the Health Insurance Portability and Accountability Act) now includes law firms as covered entities, making them susceptible to lawsuits for information violations. These regulations must be discussed with all new employees and reviewed with existing employees on a regular basis. Firms may want to share these policies with current and future clients. Many firms have clients in or from the European Union and need to comply with GDPR (the General Data Protection Regulation). Likewise, firms with clients in or from California need to comply with CCPA (the California Consumer Privacy Act).
Include some or all of these safeguards in the standard engagement letter and comply with these initiatives. It is very important that the firm actively practice what is documented.
Despite these unprecedented times, today’s legal market continues to be competitive. With more activity taking place online and businesses embracing a hybrid model for remote work, cybersecurity threats are greater than ever before. Firms must invest in strong, stable systems to ensure the security of the information they have been entrusted with. Clients will choose firms that make their safety a top priority. So to retain your current clients and ensure you win the business of new ones, implement a cybersecurity plan immediately.
Written by CARET Legal partner, Gail Ruopp. Gail Ruopp has acquired more than 25 years of professional experience in senior law firm management, initiating best practices in administrative operations, including: financials, accounting, lateral recruiting, personnel, day-to-day operations, systems management, and firm marketing.