Risk Update

Law Firm Cybersecurity — ABA Survey Shows State of Law Firm Security Policies, Practices and Performance

“TechReport: 2021 Cybersecurity” —

  • “The ABA’s 2021 Legal Technology Survey Report explores security threats and safeguards that reporting attorneys and their law firms are using to protect against them. As in past years, it shows that many attorneys and law firms are employing safeguards covered in the questions in the survey and their use is generally increasing over time. However, it also shows that many law firms report that they are not using security measures that are viewed as basic by security professionals and are used more frequently in other businesses and professions.”
  • “Significantly, 25% of respondents overall reported this year that their firms had experienced a data breach at some time… This year, the reported percentage of firms experiencing a breach ranged from 17% of solos and firms with 2-9 attorneys, about 35% for firms with 10-49, 46% with 50-99, and about 35% with 100+.”
  • “This Cybersecurity TechReport reviews responses to the security questions and discusses them in light of both attorneys’ duty to safeguard information and what many view as standard cybersecurity practices. It breaks down the information by firm size and compares it to prior years. This gives attorneys and law firms (and clients) information to compare their security posture to law firms of similar size.”
  • “While a dedicated, full-time chief information security officer is generally appropriate (and affordable) only for larger law firms, every firm should have someone who is responsible for coordinating security… A chief security officer has primary responsibility in some large firms, 13% of firms with 100-499 attorneys, and 16% of firms with 500+. A small percentage (.9%) report that nobody has primary responsibility for security.”
  • “According to the 2021 Survey, 53% of respondents report that their firms have a policy to manage the retention of information/data held by the firm, 60% report a policy on email use, 56% for internet use, 57% for computer acceptable use, 56% for remote access, 48% for social media, 32% personal technology use/BYOD, and 44% for employee privacy. The numbers have generally increased over the years and generally increase with firm size.”
  • “Incident response is a critical element of a cybersecurity program. Overall, 36% report having an incident response plan. The percentage of respondents reporting that they have incident response plans varies with firm size, ranging from 12% for solos and 21% for firms with 2-9 attorneys to approximately 80% for firms with 100+ attorneys.”
  • “The other reported consequences of data breaches are significant. Downtime/loss of billable hours was reported by 36% of respondents; consulting fees for repair were reported by 31%, destruction or loss of files by 13%, and replacement of hardware/software reported by 18% (percentages for firms that experienced breaches).”
  • “About 24% overall responded that they notified a client or clients of the breach. Formal opinion 483 addresses the duty to notify clients under Model Rule 1.4. The percentage reporting notice to clients ranges from 33% for solos and firms with 2-9, 9% for firms with 10-49, none for firms with 50-99, 18% for firms with 100-499, and 70% for firms with 500+.”
  • “The increased use of security assessments conducted by independent third parties has been a growing security practice for businesses and enterprises generally. Law firms have been slow to adopt this security tool, with only 27% of law firms overall reporting that they had a full assessment. Affirmative responses generally increase with the size of the firm.”