The American Bar Association just issued its ABA 2017 TECHREPORT, and the section on cybersecurity identifies several trends.
According to the report, an increasing number of businesses are demanding their law firms have independent third-party security assessments. It's part of the reason a record number of law firms are having outside cybersecurity evaluations. See the chart:
"The increased use of security assessments conducted by independent third parties has been a growing security practice for businesses and enterprises generally. Law firms have been slow to adopt this security tool, with only 27% of law firms overall reporting that they had a full assessment, but it did increase from 18% last year."
This is a positive note in the law firm security report.
Have you asked your outside counsel about InfoSec practices? You might want to after seeing the next cybersecurity trend at law firms.
Security and cybersecurity incidents increasing at law firms
"The 2017 Survey reveals that about 22% of respondents overall reported that their firms had “ever” experienced a security breach at some point (note: not limited to the past year). A breach broadly includes incidents such as a lost/stolen computer or smartphone, hacker, break-in, or website exploit... an 8% increase after being basically steady from 2013 through 2016."
Here at SecureWorld we have certainly covered prominent security breaches during 2017, such as this offshore firm.
But get this: a disturbing number of law firms do not have an incident response plan for handling a hack or breach that could involve your data.
"A high of 66% of firms with 500+ attorneys report having an incident response plan to address a security breach, followed by 51% in firms of 100-499, 43% of firms of 50-99, 31% of firms of 10-49, 14% of firms of 2-9 attorneys, and 10% of solos."
In other words, a third of the largest law firms in the U.S. do not have an incident response plan, and that number grows as you look at smaller firms.
Here's the question: what does your firm require from your outside counsel to show that cybersecurity is actually being practiced?