The modern data landscape is trapped in the eye of a raging storm. Private information is being swept away like debris caught in a violent crosswind, and the only options left are to prepare for impact or resign to drowning in the maelstrom.
In 2017 alone, cybercriminals breached over 172 million private records… and that's just in the United States. This might not be a shock, given that 90% of U.S. companies have experienced a hacking incident at some point, but things are still spiraling out of control faster than companies can keep up with. In fact, the Identity Theft Resource Center estimated back in June that 2017 would see a 37% increase in data breach incidents compared to 2016. Those are alarming numbers, and no organization is immune to the threat.
Take Uber, for example. In November 2017, they revealed the details of a massive data breach that occurred a year prior. 57 million driver and customer accounts were compromised, and the criminals demanded a $100,000 ransom in exchange for deleting their copies of the stolen data.
That's bad enough, but Uber made things worse by orchestrating a gigantic cover-up. They paid the ransom, persuaded the hackers to sign a non-disclosure agreement, and explained away the $100,000 payout as funding for software vulnerability identification.
Now that the truth has come to light, Uber is facing a myriad of lawsuits on all sides—in addition to the near-irreversible damage to their reputation.
Uber wasn't the first company to go through a painful hacking incident, and they'll be far from the last. In the face of such dour stats and high-profile examples, what can law firms do to help protect their sensitive data from the ever-growing threat of cybercrime? Read on to find out.
Keep Informed on Evolving Data Breach Laws
Every state except Alabama and South Dakota has laws requiring organizations victimized by a data breach to notify all individuals affected. While the specifics of each state law vary, it's imperative your law firm understands its legal obligation to clients in the event of a cyber incident.
Conspiring to cover up a loss of confidential client information to avoid negative press is a bad strategy, as the Uber scandal demonstrates. Not only does the tactic make things worse for the organization when the truth is uncovered, but it's also downright unethical—even if you're operating out of a state where disclosing such information isn't required by law.
The ubiquity of cybercrime, combined with the lack of consistency across state laws, led the U.S. Senate to introduce the Consumer Privacy Protection Act of 2017. This bill, among other things, would standardize the legal obligations organizations must adhere to with regard to the private customer data they're responsible for.
Since 1974, only 2-7% of bills introduced in any given congressional session have become law. So while it may be unlikely that the Consumer Privacy Protection Act of 2017 will pass, expect Congress to keep introducing similar proposals over the years until something finally sticks.
Stay aware of the rapidly changing legal landscape surrounding cybercrime, so you aren't caught off guard in the aftermath of an attack.
Shift Your Firm's Digital Culture
In 2016, hackers executed over 50% of all data breaches through the following tactics:
- Tricking victims into giving away password or account information (primarily through scams, spyware, and phishing tactics)
- Exploiting the loose restrictions most companies have over which employees can access sensitive data
- Exploiting basic software vulnerabilities (especially in organizations that don't keep up-to-date with software patches)
- Exploiting security vulnerabilities in third-party entities affiliated with the target
Thankfully, these four criminal strategies can be combated if your firm is willing to change its internal culture surrounding the handling of technology.
Training is a must. All it takes is one employee mistakenly downloading a malicious email attachment, and your entire digital security system can come crumbling down.
In addition, top brass within your company must lead by example. Conversations about how to keep your firm's data safe should become commonplace to continually reinforce the topic's importance.
Set new policies requiring each employee to keep their company devices updated with software patches, and make sure all stored data is encrypted. Patches make it harder for criminals to access private records upfront, while encryption makes the data much more difficult to decipher if the hack succeeds.
Finally, vet all third-party partners you share information with. If their security safeguards aren't up to par, know that allowing them access to your sensitive data is reckless and may someday put your firm in jeopardy.
Take a Holistic Approach
Employee training and cultural attitude shifts about cybersecurity are great starting points, but they're far from comprehensive solutions. Guarding against such a widespread and malicious threat requires a multi-pronged approach.
While your firm's internal leadership can start reshaping corporate policy on their own accord, other areas of the cyber defense process may be outside the scope of your organization's expertise. If your firm is out of its element in implementing strong technical architecture, consider bringing in a third-party digital security specialist to do a complete assessment of your current infrastructure. They can pinpoint your vulnerabilities and offer solutions, which removes guesswork from the equation.
Cyber liability insurance is also an effective way to safeguard against worst-case scenarios. With a cyber liability plan in place, your firm can recoup lost funds from data breaches caused by hackers, cyber terrorists, unauthorized third parties, computer viruses, and more. Some plans even have a public relations provision, which can help your firm fund breach notification expenses and reputation management efforts.
And no matter what steps your firm takes in addressing cybersecurity, make sure you have an action plan in place before a breach occurs. For example, what's the very first thing your firm will do the moment an attack is discovered? Who will you call? What steps will you take to mitigate the damage?
Questions like these must be answered ahead of time, so you aren't left scrambling in the midst of a digital crisis. Your local law enforcement agencies are a good place to start. Ask for their recommendations on the exact steps you should take if your firm's data is ever breached.
The quicker your response to a cyberattack, the better your chances of containing the fallout.
Swimming Through a Sea of Cyber Madness
The scope of modern cyber threats is overwhelming, infuriating, and downright scary. But ignoring the reality of the problem instead of battening down the hatches can ultimately leave you drowning in devastated finances and a ruined reputation.
While no cybersecurity plan is foolproof, taking proactive measures to protect your firm's data can be the difference between sinking and swimming when the storm hits.
This article is for informational purposes only.
Brink Editorial Staff. “Survey: 90 Percent of U.S. Businesses Suffered Hacking Incident.” Brink, 24 May 2016.
Lohrmann, Dan. “After Uber Data Breach: Lessons for All of Us.” Government Technology, 2 December 2017.
“Security Breach Notification Laws.” National Conference of State Legislatures, 12 April 2017.
“2017 Data Breaches Hit Half-Year Record High.” Identity Theft Resource Center, 2017.
Isaac, Mike, et al. “Uber Hid 2016 Breach, Paying Hackers to Delete Stolen Data.” New York Times, 21 November 2017.
Larose, Cynthia J. “Two Data Breach Bills Introduced in US Senate.” The National Law Review, 11 December 2017.
“Statistics and Historical Comparison.” GovTrack.
Sharma, Vivek. “Why Do Data Breaches Happen?” USC Marshall School of Business, 25 September 2017.
“2017 - Data Breach Category Summary.” Identity Theft Resource Center, 13 December 2017.
Allen, Kathryn T. “Law Firm Data Breaches: Big Law, Big Data, Big Problem.” The National Law Review, 11 January 2017.