Subscriber Benefit
As a subscriber you can listen to articles at work, in the car, or while you work out. Subscribe Now
For a solo or small firm, the obligations involved with maintaining a law office are just vast as those at larger firms.
That includes addressing cybersecurity needs and securing data and confidential client information.
Cari Sheehan, a professor at Indiana University’s Kelley School of Business and a conflicts attorney at Scopelitis, Garvin, Light, Hanson & Feary, said one of the big challenges with data security is keeping in compliance with the Indiana Rules of Professional Conduct, specifically Rule 1.6, which deals with confidentiality of information in the attorney-client relationship.
Sheehan, who is also an adjunct professor at the IU McKinney School of Law, said if attorneys don’t have proper security, they may need to think about options like email encryption and other security measures.
Most law firms, regardless of size, do budget for data security, Sheehan said. She said the amount budgeted can vary from solo to large firms.
“But you do need something in place,” Sheehan said.
A section of Rule 1.6 notes that “the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”
Sheehan said that prior to the COVID pandemic she felt it was easier for attorneys and firms to maintain security over and protect client information and data, even though email communications were always a risk.
Post-pandemic, data security has been more difficult, Sheehan conceded.
“I think the pandemic amplified it. But I think AI amplified it too,” Sheehan said.
In general, attorneys are more cognizant of data security and risks to watch out for, Sheehan noted, with bar associations offering continuing legal education seminars on the subject.
It’s something attorneys and firms have to be aware of, Sheehan said.
“There’s been a lot more (data) breaches happen,” Sheehan said.
Margaret Knight, an Evansville-based solo immigration attorney, said cybersecurity pops up in just about every continuing legal education event she attends.
She said she’s heard at some of these CLE events that solo and small firms get a substantial amount of phishing attacks because cybercriminals feel those firms don’t have the resources available to fend off those attacks.
An attorney since 2017, Knight started her solo practice in 2020 during the pandemic.
For data security, Knight said the first thing she does involves getting to know her software products, like the LawPay she uses for debit and credit card payments or encrypted software to collect sensitive client data and documents.
She backs up client data and files on an external hard drive as another safeguard against ransomware attacks.
“I think the more I learn about data security as an attorney, I think everybody needs to know about it,” Knight said.
A lot of the systems and services she uses have built-in cybersecurity software features, Knight said.
Knight, who also maintains a Carmel office, hasn’t considered using an IT contractor because, as a solo practitioner, she wants to keep her office overhead costs low.
Cyber insurance recommended for attorneys
The American Bar Association’s most recent Profile of the Legal Profession, drawing from the ABA’s 2022 Legal Technology Survey Report, reported nearly half of all lawyers (46%) said their firms have cyber liability insurance to help protect them in the event of a security breach.
Also, more than one in 4 lawyers (27%) said their firm had suffered a computer security breach.
Patrick Olmstead, a solo practitioner with Patrick Olmstead Law LLC, described his day as “super busy” when he had someone attempt to breach his email system while he was sitting at his desk in July 2023.
He saw an anomaly in his email and discovered someone had hijacked his Outlook. Olmstead immediately put his incident response plan in place and shut down his email system.
He quickly made a call to his cyber insurer, with all of this taking place within a 10-minute period, Olmstead said.
Next, Olmstead spent time trying to figure out exactly what happened and whether any private data had been accessed by the attacker.
He hired a forensic examiner, who looked at Olmstead’s system and told the attorney that none of his clients’ personal data had been compromised.
“I was lucky,” Olmstead said.
Olmstead said he also witnessed a security breach when he had been sitting in another law firm’s office with one of its partners and suddenly that firm experienced a ransomware attack.
He and the firm’s partner went to a server room and “pulled the plug,” Olmstead said.
“The key in the end is to be reasonable. That’s the duty of the lawyer, to take reasonable measures,” Olmstead said.
Olmstead said he knows some attorneys that don’t use email communications and are probably the only lawyers not at risk of a security breach.
As part of his efforts to improve security, Olmstead uses the latest enterprise version of Dropbox.
He’s found that it’s important for each attorney and firm to have an incident response plan. That involves thinking on the front end about what systems are being used, who is the firm’s email provider and what documents are being secured.
Olmstead acknowledged that, unfortunately, ransomware attacks are getting more sophisticated.
He said he was one of the first solo attorneys in the state to get a cyber insurance policy.
“My broker said I was the ‘tip of the spear,’” Olmstead said.
Olmstead said attorneys need to have insurance in the event there’s a security breach they can’t stop.
Seth Wilson is an attorney with Adler Attorneys in Noblesville and helps manage the day-to-day technology operations of the firm.
Data security and how to get a handle on information is definitely a growing concern with attorneys, Wilson said, with the COVID pandemic accelerating the acceptance of virtual meetings among attorneys and clients.
Insurance costs vary
Like Olmstead, Wilson thinks most firms, regardless of size, should have cyber insurance.
He said the cyber insurance industry has set out minimum requirements for law firms before they’ll issue an insurance policy.
Wilson said, in general, the cost of cyber insurance has gone up over the past few years.
“As long as you have good data security, I don’t think it’s out of sight,” Wilson said of the costs.
On its website, the business insurance company Embroker says average cyber insurance cost can hover around $1,500 per year for $1 million in coverage, with a $10,000 deductible.
The company acknowledged that different firms can pay more or less for their coverage depending on several key factors, including the size of the firm, annual revenue, risk management practices, policy terms and amount of sensitive data involved.
Olmstead said his annual premium started at around $1,000 per year and has risen steadily in price over the past decade.
Knight said a lot of malpractice insurers include cybersecurity coverage at a small added cost.
Some firms also may need a formal IT vendor to monitor their systems, Wilson said.
“You’ve got to factor in those costs into your business operations,” Wilson said.
He said, in his experience, smaller or solo firms may use a friend that knows network administration.
However firms address their needs, Wilson said, data security needs to be top-of-mind for Indiana attorneys, with the profession’s model rules of professional conduct advising lawyers to stay abreast of technology changes as it relates to law.•
Please enable JavaScript to view this content.