5 Steps Law Firms Should Take to Protect their Sensitive Data

It has become more apparent in recent years that cybercriminals looking to profit from sensitive data are zeroing in on law firms and their wealth of client information. In 2016 alone, data breaches were reported at firms including Cravath Swaine & Moore LLP, Weil Gotshal & Manges LLP, and Mossack Fonseca, demonstrating that even high-profile law firms have lacked the basic cybersecurity controls needed to protect against these types of incidents. The New York Times reported in 2014 that global banking institutions had responded to this trend by putting increasing pressure on outside law firms to prove they employ top-tier technologies to defend against attacks from cybercriminals and malicious insiders. Those firms are often required to consent to on-site inspections and to fill out 60-page questionnaires explaining in minute detail which cybersecurity measures they use.

Not every law firm will face requirements as strict as these, but the examples show how seriously banks take the constant threat that cybercrime poses to the law firms they work with. Below are five steps to help your firm comply with the IT requirements clients impose while also protecting sensitive client data and intellectual property from malicious actors.

1. Recognize Where Sensitive Data is at Risk

Get ahead of clients' questions about your security posture by closely examining your firm's environment. This preemptive assessment will reveal gaps where confidential client data could be at risk, regardless of where and on what devices the information is stored: the document management system, email, file shares, laptops, mobile devices, and cloud services. Third-party assessment services can help with the work, but the essential output is an inventory. Understanding where exactly your firm's sensitive client data is stored and how it is used is the critical first step to safeguarding that information.

2. Surpass the Traditional Network Security for a Data-Centered Approach

Network protection tools perform an important role in the cybersecurity ecosystem. Positioned as the primary line of defense, however, they will not be enough to keep cybercriminals from the information they seek. Law firms should implement a multi-layered approach to cybersecurity that centers on data protection. This methodology protects the network, defends the data itself against both outsider and insider threats, and prepares the firm to counter each stage of a cyberattack. A data-centered approach helps ensure that a cybercriminal who gains access to a law firm's IT environment is not thereby granted access to sensitive data, because the data carries its own controls (such as encryption and data-level access restrictions) rather than relying on the perimeter alone.

3. Focus on Securing the Crown Jewels

No matter where data is stored, law firms need to ensure that security travels with it, so that cybercriminals cannot simply read the information once they reach it. Solutions such as Data Loss Prevention (DLP) and other data-centered tools help law firms classify data, define a usage policy for each class of information, and enforce that policy wherever the data goes. In today's constantly shifting threat landscape, these controls are critical for keeping private business and client information from being exposed.

Remember that if a law firm, or an organization in any other vertical, makes sensitive information even slightly harder to reach, or renders the data useless once it travels outside the network (for example, by keeping it encrypted with keys the attacker does not hold), cybercriminals will usually move on to the next, easier target. Forrester Research and other analyst firms agree that law firms must focus on data protection as cybercriminals specifically target valuable client data. This is all the more critical as data is accessed on more interconnected devices than ever before, many of them personal to the employee and used at home without adequate network security.

4. Look into Managed Security Program Options

Avoid the intimidation of implementing advanced data protection solutions without expert help by engaging a managed security program (typically delivered by a managed security service provider, or MSSP) to do the work. This is a particularly good option for small firms with fewer financial and personnel resources. MSSPs bring deep DLP expertise and proven infrastructure, allowing law firms to focus on their legal work while the provider manages the protection of client data. In today's IT talent shortage, a managed security program fills a critical role by supplementing an overcommitted IT team and an exhausted human resources department, freeing them to concentrate on other business initiatives. Outsourcing the operation of these controls does not, however, outsource the firm's duty of confidentiality to its clients: the firm remains accountable, and it should vet the provider's own controls as carefully as any client vets the firm's.

5. Provide Positive Social Engineering

Data protection solutions are only one component of protecting sensitive client data; employee security awareness can have a major impact on preventing breaches. To make security training as effective as possible, law firms need to go beyond slideware and annual refreshers. Employees can self-correct data use issues through prompting features built into many DLP technologies, which interrupt a risky action (such as emailing a sensitive document outside the firm) with a dialog that explains the policy and asks the user to confirm or cancel. In one example, a customer reported an 85 percent decrease in data use policy violations after six months of using real-time pop-up prompts. A simple, regular reminder of corporate policy and how to follow it is often all employees need to improve their behavior.
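To make the data-centered controls in steps 3 and 5 concrete (classify the data, apply a usage policy to it, enforce the policy at the point of egress, and prompt the user in real time rather than silently blocking), the following Python sketch is an added example written for this article; it is not code from the original page or from any DLP product. The sensitivity labels, the content detectors, the channel names, the matter-number format and the policy table are all assumptions chosen for illustration, and the sample events at the bottom are constructed.

```python
"""Toy data-centred policy engine: classify a document, then decide what happens
when a user tries to move it over a given channel.
Added illustration for this article; not the article's code nor any vendor's DLP."""
import re
from dataclasses import dataclass, field

# Sensitivity labels (assumed for this example).
INTERNAL, CONFIDENTIAL, RESTRICTED = "internal", "confidential", "restricted"

# Content detectors. These patterns are assumptions for the example, not a product rule set.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
MATTER_RE = re.compile(r"\bMatter\s+No\.?\s*\d{4,}\b", re.I)  # hypothetical matter-number format
PRIVILEGE_MARKERS = ("ATTORNEY-CLIENT PRIVILEGED", "PRIVILEGED & CONFIDENTIAL",
                     "ATTORNEY WORK PRODUCT")

# Usage policy: what each class of data may do per egress channel (assumed table).
# "prompt" is the real-time reminder from step 5: the user must confirm before proceeding.
POLICY = {
    (RESTRICTED, "external_email"): "block",
    (RESTRICTED, "usb"): "block",
    (RESTRICTED, "cloud_share"): "prompt",
    (CONFIDENTIAL, "external_email"): "prompt",
    (CONFIDENTIAL, "usb"): "prompt",
}
DEFAULT_ACTION = "allow"  # anything the table does not mention


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random 16-digit reference numbers are not flagged as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> tuple[str, list[str]]:
    """Return (label, reasons). Reasons are kept so a prompt can explain itself to the user."""
    reasons = []
    upper = text.upper()
    if any(marker in upper for marker in PRIVILEGE_MARKERS):
        reasons.append("privilege marker")
    if SSN_RE.search(text):
        reasons.append("SSN pattern")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        reasons.append("payment card number")
    if MATTER_RE.search(text):
        reasons.append("client matter reference")

    if {"privilege marker", "SSN pattern", "payment card number"} & set(reasons):
        return RESTRICTED, reasons
    if "client matter reference" in reasons:
        return CONFIDENTIAL, reasons
    return INTERNAL, reasons


@dataclass
class Decision:
    label: str
    action: str  # allow | prompt | block
    reasons: list = field(default_factory=list)


def evaluate(text: str, channel: str, user_confirmed: bool = False) -> Decision:
    """Apply the policy to a document leaving over `channel`.
    A 'prompt' becomes 'allow' only once the user has acknowledged the reminder."""
    label, reasons = classify(text)
    action = POLICY.get((label, channel), DEFAULT_ACTION)
    if action == "prompt" and user_confirmed:
        action = "allow"
    return Decision(label, action, reasons)


def audit_line(user: str, channel: str, decision: Decision) -> str:
    """One line for the firm's audit trail; counting these over time gives the violation trend."""
    return (f"user={user} channel={channel} label={decision.label} "
            f"action={decision.action} reasons={','.join(decision.reasons) or '-'}")


if __name__ == "__main__":
    # Constructed sample events; no real client data.
    events = [
        ("associate1", "external_email", "Draft newsletter: firm hosts IP seminar next month."),
        ("associate1", "external_email", "Engagement letter for Matter No. 20451 attached."),
        ("paralegal2", "usb", "PRIVILEGED & CONFIDENTIAL memo re Matter No. 20451; client SSN 123-45-6789"),
        ("partner3", "cloud_share", "Retainer paid with card 4111 1111 1111 1111"),
        ("partner3", "external_email", "Courier reference number 1234567890123456"),
    ]
    for user, channel, text in events:
        print(audit_line(user, channel, evaluate(text, channel)))
```

The design point is that the decision is made on the data's label and destination, not on which network the user happens to be on, so the same policy applies to a laptop at home as to a workstation in the office. The Luhn check is there because a naive "16 digits" rule produces false positives that train employees to click through prompts, which is exactly the behavior step 5 is trying to avoid.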


As data breaches continue to plague the legal sector, businesses will increasingly demand that their law firms prove they have programs in place to safeguard data and monitor for threat actors. Companies in every industry are recognizing that the weakest link in their security posture may lie not within their own walls but inside the walls of those they choose to do business with. Treat the five steps above as a guideline for demonstrating to clients the attention you pay to the security of their data. Following them may also put you in a favorable light with new and prospective clients because of your stronger security posture.


Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author as of the time of publication and should not be attributed to the author's employer, clients or the sponsors of IPWatchdog.com.
