Written by: Daniel Haurey on 04/11/19


Given the accepted inevitability that a cyberattack or breach will happen, law firms must:

  • Properly secure their network perimeter.
  • Evaluate their vendors.
  • Involve all employees in the firm’s data protection plans.
  • Educate employees on how to report potential problems, as well as the protocol for dealing with client directives.
  • Understand when and why you need to report an incident to your client.
  • Recognize that beyond the direct consequences of a security incident lies a general loss of credibility that is difficult to regain. The New York area is one of the most competitive in the world. Clients have choices!
  • Mid-sized firms should assign knowledgeable employees with adequate accountability to monitor the firm’s data privacy protocols, with support from external resources for incident response, cybersecurity policy development, and procedure creation, such as the increasingly popular CISO-as-a-Service model.
  • Conduct a vulnerability assessment to establish a baseline of your firm’s threat landscape and expose actual weaknesses.
  • Consider working with a CISO-as-a-Service to enhance your risk reduction efforts and cybersecurity posture. This type of service is about a tenth the cost of a full-time CISO and just as effective.
  • Maintain agreements governing data protection, cyber security, inside threats, and privacy to drastically reduce the risks and protect your lawyers from preventable errors.
  • Institute a reporting structure that requires several levels of approval before an action can cause any damage and an easy way to alert security teams about suspected phishing scams or associated, inadvertent security errors. 
  • Eliminate needlessly dangerous practices, such as sending unencrypted media through the mail or by courier, and provide a mechanism for employees to report lost data.
  • Enlist the appropriate level of expertise for the specific type of problem because information security and information technology are very different disciplines.
  • Provide guidance to the firm’s employees with training programs, staged phishing campaigns, and IT security awareness initiatives to lower your firm’s risk profile.
  • Educate your staff about the value of adhering to physical security standards and all related policies. 

Our sister firm, Partners in Regulatory Compliance, provides an array of cybersecurity services for small and mid-sized law firms in the NYC Tri-State area.