In the first part of this article, we considered the peculiarities of the legal sector and the types of cyber threats and data breaches that can affect law firms.
In this concluding part, we examine the importance of cyber hygiene and recommend steps that can be taken to ensure cyber hygiene.
The Importance of Cyber Hygiene to Law Firms and Lawyers
According to a recent report, email malware creation increases by 26% year over year, with about a million malware threats created every day. Additionally, between 2014 and 2015, the number of new malware samples that emerged grew from 317 million to 431 million. By 2016, a breach of more than 11 million confidential and privileged documents, which included emails, databases, files, PDFs and thousands of text documents, had occurred as a result of an attack on the Mossack Fonseca law firm. Based on the reports released by security researchers, there were multiple reasons for the success of the attack. These included external-facing servers running outdated software and missing critical security updates. This suggests that the Mossack Fonseca law firm did not have adequate cyber hygiene protocols and procedures: there was a clear lack of visibility across the firm's systems, patches were missing, known vulnerabilities were left unaddressed, and the network was poorly segmented. This clearly indicates that the worst cyber breaches are often the result of poor cybersecurity practice.
To this end, law firms and lawyers need to pay more attention to their cybersecurity. With the growing rate of cyber breaches, law firms cannot afford to be careless with the information of their clients within their possession. Procedures and protocols must be established by these law firms to ensure cyber hygiene.
For the purpose of clarity, cyber hygiene refers to the routine practices that underpin a successful incident and threat management program: keeping computer systems up to date, maintaining full visibility of the firm's assets and guaranteeing data protection. It includes a range of procedures and protocols that help to maintain best practices in keeping sensitive data safe from external attacks. It also helps to ensure compliance with the latest security standards. If proper cyber hygiene procedures are not put in place, the valuable and sensitive information in the possession of these law firms may be tampered with by cybercriminals. This will affect the integrity of the firm and may also result in legal action being taken against the law firm.
Additionally, ethical issues may also arise, particularly with regard to the provisions of the Rules of Professional Conduct (“RPC”), which vest in legal practitioners in Nigeria an ethical and professional obligation to make sure that the valuable and sensitive information of clients is protected from unauthorised access and kept confidential. The provisions of Rule 19 (1) – (3) of the RPC are clearly to the effect that a lawyer has a duty to ensure that whatever information is disclosed to him by his client is not divulged to another person, except:
- with the consent of the client (upon full disclosure to them);
- where such lawyer is required to disclose any relevant information on grounds of law or by an order of the court;
- where the intention of the client is to commit a crime and a disclosure of such information is necessary to prevent the commission of such crime;
- where such disclosure is necessary for the lawyer to establish or collect his fee; or
- where such disclosure is necessary to defend himself or his employees and associates against an accusation of wrongful conduct.
Clearly, the above exceptions provided for under the RPC do not cover cyberattacks or data breaches. The inference drawn from this is that a lawyer may be liable under the RPC for any cyber or data breach that affects his clients’ information.
Possible steps that can be taken by law firms to ensure cyber hygiene
The following steps can be taken by lawyers and law firms to ensure cyber hygiene and prevent any further cyber or data breach.
- Law firms should routinely identify items such as unmanaged laptops, servers and desktops.
- Engage in regular awareness and training of employees on cybersecurity and cyber hygiene in general.
- Carefully address any system updates and operating-system-specific updates.
- Initiate a regular change of password policy and multi-factor authentication.
- Adequately identify unencrypted valuable and sensitive data and adhere to the required industry security compliance program.
- Develop a security system that adequately addresses insider threats.
- Scrutinise hardware and firmware updates for the purpose of identifying security risks and priorities.
- Obtain cyber insurance policies for future cyber liabilities.
- Establish and frequently update cybersecurity policies.
- Carry out regular penetration and vulnerability tests on the various software and hardware being utilised by the firm, to determine how their security posture holds up over time.
As earlier noted, cyber hygiene in Nigerian law firms is now, more than ever, imperative. Law firms must begin to take steps to secure information that is stored online and offline. An understanding of the responsibilities vested in a lawyer to protect and keep confidential the information of clients is sufficient reason for a lawyer to be proactive and take the necessary steps to avoid any cyber breach. Lawyers must also understand that they are not in any way immune from the activities of cybercriminals. In fact, they appear to be among the most vulnerable targets of these cybercriminals.
Hence, law firms must begin to establish and maintain policies that guarantee and promote cyber hygiene. These firms must consider educating and enlightening their employees on cybersecurity. Apart from the steps recommended in this article, Nigerian law firms must also explore other ways in which their data can be secured. Similarly, the services of experts and consultants should be engaged by these law firms where necessary.
Though some of these measures may be expensive, it is better to expend resources ensuring the safety of the information of their clients, than to spend on any resultant legal action or liability that may be incurred as a result of a cyber breach.
Raphael Irenen is an Associate of the Firm.