Law firms can be attractive targets for hackers, in part because they handle sensitive, confidential documents such as financial records or medical histories that could easily be exploited.
But firms also may not be doing enough to prevent cyberattacks, experts say.
The biggest challenge facing law firms is the “shoemaker’s children have no shoes” trap, where they may focus heavily on clients’ needs and focus too little on their own security, said Susan Stobbart Shapiro, a director of the Council Baradel firm and member of the Chesapeake Regional Tech Council.
Shapiro is one of several speakers scheduled to discuss cybersecurity and law firms Friday at a panel discussion at the Maryland State Bar Association Conference in Ocean City.
Major corporations themselves may be difficult to hack into, but if they gain access to a lawyer or third-party vendor, hackers can find a way in, Shapiro said. A data breach at Target in 2014 was traced back to an air-conditioning vendor, she said.
But an increasing number of firms are stepping up their cybersecurity defenses, either by hiring IT teams with a security background or by outsourcing some of their data storage to the cloud, Shapiro said. “Clients are demanding it,” she said.
Using the cloud can be an effective solution because it places security in the hands of experts, said William McComas, a lawyer with the Towson-based Bowie & Jensen firm, who is also scheduled to take part in Friday’s discussion. Google, for example, is probably far more qualified to handle cybersecurity than a legal practice, McComas said.
Cloud storage may work particularly well for smaller firms, but could actually hinder work at a larger firm where the volume of data to download and upload is much greater, Shapiro said. The connection speed could end up being too slow she said.
But when it comes to handling cybersecurity in-house, many firms are aware of the dangers but haven’t made recruiting the necessary talent — IT professionals with security expertise — a priority, McComas said.
And there are disparities among law firms; just because a firm is bigger doesn’t mean it’s more secure; some firms aren’t as nimble to employ new technology and some may have younger employees who have a more sophisticated understanding of technology, he said.
While discussions of cybersecurity often focus on personal data and identity theft, the issue of insider trading is often overlooked, McComas said. A hacker with access can easily obtain merger documents from a law firm and learn the details of upcoming corporate transactions, he said.
Documents related to medical malpractice suits can reveal a person’s entire medical history, McComas said. And not all data breaches are sophisticated cyberattacks; client information, such as email addresses, could accidentally be shared by employees, he said.
Lawyers who do patent work could also be targets, said Howard Feldman, an attorney with Whiteford, Taylor & Preston in Baltimore. “That’s highly confidential information that a competitor might like,” he said.
Feldman also said that as clients become more savvy, they are starting to force their law firms to examine their own security practices.
Feldman said one topic he plans to address in Friday’s discussion is cyber insurance, which many insurance carriers now offer for clients who may fall victim to a cyberattack or data breach. All businesses that deal with personal or confidential client information should consider that kind of coverage, Feldman said.
An internal report from Citigroup, circulated earlier this year and reviewed by The New York Times, said that law firms should expect to be targeted by foreign governments and hackers.
But Citigroup warned that large firms in the country refuse to discuss or even acknowledge data breaches, the Times reported.