Breaking Legal News & Current Law Headlines | Daily Legal Briefing
  • Home
  • Hot Topics
  • Breaking
  • Business
  • Big Law
  • Small Law
  • Law School
  • Legal Tech
No Result
View All Result
No Result
View All Result
Breaking Legal News & Current Law Headlines | Daily Legal Briefing
No Result
View All Result
Home Legal Tech

Your Law Firm Has Been Breached: Who Are You Going To Call?

Daily Legal Briefing by Daily Legal Briefing
January 4, 2022
in Legal Tech
0
Your Law Firm Has Been Breached: Who Are You Going To Call?
4
SHARES
32
VIEWS
Share on FacebookShare on Twitter


Ed. note: This is the latest in a new article series, Cybersecurity: Tips From the Trenches, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity, and digital forensics services.

We’ve Had a Data Breach!

No lawyer wants to hear those words about their law firm. But across the country, those words have been repeated time and again. How often? The ABA’s 2021 Legal Technology Survey Report tells us that 25% of respondents said that their law firms had a breach “at some time.” That’s a big percentage. Most law firms are ill-prepared for responding to a data breach with only 36% reporting that they have an Incident Response Plan (IRP). Understandably, 80% of law firms with 100+ attorneys do have an IRP.

If you have no IRP, you are asking for a catastrophe – and one likely to make the headlines. Roll up your sleeves and get to work creating one. Then do regular tabletop exercises on the IRP, adding and subtracting issues (electric grid compromised, managing partner inaccessible on a safari, etc.). Make sure the IRP is accessible during a disaster – we saw one data breach where the IRP was only in electronic form and it got encrypted with all the other data by a ransomware attack. “Whoopsie-Daisy” doesn’t quite cover the extent of that debacle.

Who Are You Going to Call?

If you have an IRP, you have a plan which includes (in order) the steps you are going to take and the names of those you are going to call, with contact information. If you don’t have an IRP, you are likely to panic – some victims are literally paralyzed by shock. Since we get a lot of those calls, we became very interested in who should be called and when – and take note that even experts disagree on who to call first.

Our #1 Pick is a Data Breach Lawyer

We didn’t pull that out of thin air. We’ve talked to all kinds of cybersecurity experts and a majority think calling a data breach lawyer is your logical first step. You should have someone in mind (and identified in your IRP), but if you don’t, get referrals from colleagues.

Why the data breach lawyer? First, they know pretty much everything you need to know and they have a lot of experience dealing with data breaches. Data breach lawyers tell us it is helpful to the client to have a “coach” early on and one who knows how to handle the myriad laws, regulations and ethical duties associated with data breaches. They will help you devise a game plan, depending on the circumstances.

Three Things to Do Quickly

• Notify your cyberinsurance company – you can file a claim later, but put them on notice and plan to have a meeting to discuss what’s covered under what circumstances, exclusions, etc. Does the policy cover the payment of a ransom? Some companies are backing away from ransom payments. Insurance companies may have recommended digital forensics companies or, if you have a preferred company you know of, the insurer may want to approve that company before they are engaged.

• Get a digital forensics firm onsite as soon as possible. These are the folks who figure out what happened, remediate the problems, figure out whether your data can be restored and determine whether your data was accessed or exfiltrated. Help them out before the breach by making sure you are using logging mechanisms. Logs help the digital forensics folks figure out what happened and how, pivotal to understanding how to move forward. While on the subject of logs, make sure you maximize the amount of data in the log files (both in type of data collected and time of retention) as the default settings are rarely adequate. Also, the logs should be stored in a protected and safe area. Cybercriminals will seek out and destroy or encrypt your logs in order to remove any evidence of their activities.

• Contact your regional FBI office. The agents who come out will ask a lot of questions and sometimes answer some of your questions or tender advice, but they will not remediate the problems – that’s not their job. Recently, businesses who have suffered a breach tell us that it can take several days for the FBI to come out. We are starting to hear data breach lawyers recommend that you file a complaint with the Internet Crime Complaint Center (IC3) which is a part of the FBI. Their response time is much shorter.

• Immediately review your state’s data breach notification law with your data breach lawyer (yes all the states and U.S. territories have such a law). If you’re a firm which does work nationally, you may have a lot to do. Don’t forget to review the requirements of the states which have data privacy laws (currently California, Virginia, and Colorado) as well.

Who Else Do You Need to Call?

• It’s a good idea to call your bank – many banks will put an alert on your account so that any substantial transactions are verified with the customer before they are processed.

• It’s no fun, but if you truly had a data breach and not a cybersecurity incident, ethical rules require that you share information about the breach with your affected clients so they can be prepared for the possible impact of the release of the data that has been accessed or exfiltrated.

• Do you need help with public relations? If knowledge of the breach has hit the press or your clients, this may be critical help if you can afford it. Ransomware gangs, in particular, often release data to pressure you into paying the ransom.

Last words

Data breaches are no fun. So have a playbook in hand – your IRP. Review the plan at least yearly because threats and defenses are constantly changing. Train your employees on cybersecurity – not from a high-tech standpoint, but from a user’s perspective. 82% of users will not recognize a well-crafted phishing email. There is no technology which can provide a silver bullet solution, so your best defense is both technology and training.

Prepare, practice, and revise your Incident Response Plan regularly. As writer/financial advisor Howard Ruff once wryly noted, “It wasn’t raining when Noah built the ark.”


Sharon D. Nelson (snelson@senseient.com) is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.

John W. Simek (jsimek@senseient.com) is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.

Michael C. Maschke (mmaschke@senseient.com) is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.



Click to Read Original Article

Previous Post

Federal appeals courts go remote amid COVID-19 surge

Next Post

As Omicron Spikes, States Roll Dice With In-Person Bar Exams

Daily Legal Briefing

Daily Legal Briefing

Related Posts

Lawyers Who Used ChatGPT To Fake Opinions Are In Real Trouble
Legal Tech

Lawyers Who Used ChatGPT To Fake Opinions Are In Real Trouble

by Daily Legal Briefing
June 3, 2023
Maryland Cops Can’t Seem To Understand Why Marijuana Legalization Means They Can’t Search Cars Just Because They Smell Marijuana
Legal Tech

Maryland Cops Can’t Seem To Understand Why Marijuana Legalization Means They Can’t Search Cars Just Because They Smell Marijuana

by Daily Legal Briefing
June 2, 2023
Exclusive: In A First For E-Discovery, Tech Company Nextpoint Is Launching A ‘Data-Driven’ Law Firm Under Arizona’s Liberalized Ownership Rules
Legal Tech

Exclusive: In A First For E-Discovery, Tech Company Nextpoint Is Launching A ‘Data-Driven’ Law Firm Under Arizona’s Liberalized Ownership Rules

by Daily Legal Briefing
June 1, 2023
When Is AI Good Enough?
Legal Tech

Law Firms Need To Get Lawyers Off ChatGPT And Onto Artificial Intelligence That The Firm Can Monitor

by Daily Legal Briefing
June 1, 2023
Introducing The ‘Reference Manual Of Legal Tech Lists’!
Legal Tech

‘Legal Tech Lists’: 5 Lawyer Tropes Upended By Legal Tech (Remote Litigation Edition)

by Daily Legal Briefing
June 1, 2023
Next Post
As Omicron Spikes, States Roll Dice With In-Person Bar Exams

As Omicron Spikes, States Roll Dice With In-Person Bar Exams

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Premium Content

4 Reasons a Tax Lawyer is Important When Starting a Business in Fort Worth

4 Reasons a Tax Lawyer is Important When Starting a Business in Fort Worth

April 5, 2023
Why The Burnout Crisis Is A Defining Issue And What Your Business Should Do About It

Everyone Should Have Had The Day Off On January 2nd

January 5, 2023
Joshua Shirley Is A First-Generation Lawyer Who Went From Farm To Firm To First-Rate Legal Recruiter

Joshua Shirley Is A First-Generation Lawyer Who Went From Farm To Firm To First-Rate Legal Recruiter

July 27, 2022

Browse by Category

  • Big Law
  • Breaking
  • Business
  • Hot Topics
  • Law School
  • Legal Tech
  • Small Law

About US

Breaking Legal News & Current Law Headlines | Daily Legal Briefing.
Online coverage of breaking legal news and current law headlines from around the US. Top stories, videos, insight, and in-depth analysis.

Categories

  • Big Law
  • Breaking
  • Business
  • Hot Topics
  • Law School
  • Legal Tech
  • Small Law

Recent Updates

  • Lawyers Who Used ChatGPT To Fake Opinions Are In Real Trouble
  • Clients Should Try Not To Contact Lawyers During Odd Hours
  • Jonathan Turley Rewrites Constitution To Include ‘Congressional Backsies’ Clause

© 2021 Daily Legal Briefing | Breaking Legal News & Current Law Headlines

No Result
View All Result
  • Contact Us
  • Home

© 2021 Daily Legal Briefing | Breaking Legal News & Current Law Headlines

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?