Cybersecurity breaches are on the rise. From small businesses to giant corporations, everyone is vulnerable to cyber attack. You don’t want to believe it but the unfortunate truth is: it could happen to you. Being aware of this is a good start. But if you’re faced with the reality of a cyber attack, you and your clients will be in a much better position if you have a privacy breach preparedness plan already in place.
How Will You Protect Your Clients’ Privacy in 2019?
Make Cybersecurity a Priority
Have a breach preparedness plan. Until now, mid-sized and smaller firms haven’t made security a priority. In 2019, businesses of any size must institute a plan to protect client information against cybersecurity breaches. If your firm doesn’t have a plan, it’s important to put one in place. In fact, failing to prioritize cybersecurity can leave you open to significant liabilities. By instituting a privacy breach preparedness plan, you will have more control over the damages that occur following a data breach. Plus, being proactive can minimize the impact of things like bad press.
Hire a computer security consultant. You’ll need to outsource, especially if your firm doesn’t have a qualified internal IT specialist.
Educate your staff. It’s imperative that everyone at your firm has training on your policies and procedures for preventing cyber attacks. Discussions and drills are key. Also, update your privacy policy at least once a year.
Explain your policies. Clients want to know what your firm is doing to protect their information. Above all, keep clients in the loop and informed on your cybersecurity measures.
Update everything. It is essential that your website is up to date. An outdated website is an easy target for hackers. Additionally, it’s important to stay on top of software updates and change passwords regularly to avoid data breaches.
Purchase insurance. Consider purchasing a cyber liability insurance policy for your firm. This protects you in the event of a potentially detrimental cybersecurity breach. (National Law Review)
The American Bar Association’s 6 Step Response Plan
- Verify what happened.
- Establish who is in charge of the investigation.
- Solve the immediate problem. This usually means getting rid of hackers while being careful to preserve evidence.
- Determine whether you should call in outside experts or use internal resources.
- If a data breach has taken place, find out what steps the law requires you to take.
- Harden your security to protect against future occurrences. (ABA)
What are the Main Concerns?
Exploitation of employee activities. According to the ABA, most successful cyber attacks happen when an employee opens an email that appears to be from a client or someone they know but that instead contains malware. This simple mistake can be incredibly costly. Opening the document gives hackers access to the personal and confidential files of all of the firm’s clients. In fact, it can give hackers access not only to the law firm’s client files but also to the data the clients have on their systems. Email security is a crucial part of keeping sensitive information confidential.
Ransomware. This easy hack doesn’t go after sensitive information. Hackers install ransomware and block everyone in the firm from accessing files unless you pay a ransom. Ransomware enters the system when an employee opens an email or clicks on an unknown ZIP or PDF file. It can even sneak in through a USB drive. Above all, remote desktop applications are the most vulnerable to ransomware attack.
Discarded devices. All devices must be disposed of properly. This includes computer hard drives, copy machines, cell phones and any other mobile devices that store sensitive information. If these devices are not disposed of properly, sensitive information can easily end up in the wrong hands. This can be an expensive mistake for your firm as well as an ethical violation. (Parkway Tech)
Follow the Rules
At the end of 2018, 35 states had already introduced cybersecurity legislation. In 2017, the ABA Standing Committee on Ethics & Professional Responsibility explained in Formal Opinion 477R that it is a lawyer’s “ethical responsibility to use reasonable efforts when communicating client confidential information on the Internet.” Then, in 2018, the committee issued Formal Opinion 483, which addresses “an attorney’s ethical obligations after a data breach.” These Formal Opinions require lawyers to safeguard client data. In addition, lawyers must notify clients if a data breach exposes their personal and confidential information. (Law Technology Today)
California’s Regulation for Internet-of-Things (IoT) Devices
Soon all states will have cybersecurity protection laws, but California is leading the way with its new regulations. Use these new laws as a guideline for what is to come.
On September 28, 2018, California Governor Jerry Brown signed into law Senate Bill No. 327 and Assembly Bill No. 1906, which require that, beginning on January 1, 2020, all manufacturers of a “connected device” must equip that device with a “reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
A “connected device” is defined as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This means anyone making Internet-connected devices and selling or offering them for sale in California is covered under this law.
California also passed the California Consumer Privacy Act (CCPA) in 2018. Starting in January 2020, the CCPA allows consumers to demand that a business disclose the personal information it collects on that consumer, the categories of sources for that information, its business purposes for collecting or selling the information, and who it shares it with. To comply with the CCPA, businesses will need to understand the details of the data they collect, including how they collect it and where they store it. (ABA)
CRA Provides Cybersecurity Solutions
Above the Law predicts that by 2020, 60 percent of businesses’ technology budgets will be devoted to detection and response. The experts at Computer Resources of America can help you stay ahead of the game and protect your firm from data breaches with the latest cybersecurity technology.