Law Firm Cybersecurity: Stop Ransomware & Client Data Leaks Now

A Lawyer’s Honest Take on Cybersecurity

Now I want to tell you something that has been on my mind. Day in and day out, I go to my desk and see all the files of my clients, emails, case notes…all this incredibly sensitive material that people have entrusted in me. And honestly? I’m terrified.

Perhaps I exaggerate. The thing is, I hear these stories. There is a company downtown that was hit with ransomware last month. Before that, a lawyer in Chicago had his client database stolen since he used the same password on everything he had. “That can never happen to me,” part of me says. But another voice says, “You are next.”

The Email Thing Really Gets to Me

I already have an email system that I have used over the years. It does work, you see? However, I read about end-to-end encryption and a secure client portal, and it feels like I am just doing arson. This discussion continues in the American Bar Association, and then that little voice in the back of my mind suggests I ought to be using Clio or at least encrypted cloud storage.

I often find myself in the middle of an email, typing the details of a case, and I stop. What happens if somebody is watching? What happens if this is intercepted? I then shake it off and click send. Old habits.

The Password Problem I Don’t Want to Admit

This is what I shamefully confess to you: I was likely using the same three passwords everywhere. I know, I know–I should be smarter than this. The multi-factor authentication we hear about, the second layer of security, your phone or your token you add. When they talk about it, it seems so easy.

And then I remember the fuss: another step whenever I need to check my email or case files. Will I remember? Will it hinder my progress when I am already behind schedule? Nevertheless, discovering that MFA mitigates most stolen password attacks makes me feel like a fool for not having done this before.

The Encryption Conversation I Have with Myself

AES-256 encryption sounds cool, right? As in a spy film. However, it would seem that this is what I need to be protecting everything on my devices. The thought of losing my laptop and having the team unable to access all the client files.

I have examined it. The technology is there. It is not even that complex. However, there is this odd mental block: I am a lawyer and not a tech person. But honestly? Poor excuse, nowadays, isn’t it?

When I Think About My Team

This is what keeps me up at night: the majority of data breaches occur due to an error made by a team member. Not evil, simply… human. One of the team members clicks on a strange link in a message. Good people, intelligent people, who are not spending every day thinking about cybersecurity as I am now.

"Your law firm's cybersecurity gaps are a ticking time bomb - encrypt client communications today, enforce MFA tomorrow, or risk a breach that could destroy your practice."

I recognize that I should be engaging in routine training, conducting phishing exercises, ensuring that everyone is aware of the importance of having good passwords, and treating data properly. Scheduling, organizing, getting it to happen–all this seems so overwhelming. What would they say if I do not trust them? What will happen in case it is clumsy?

The Control Thing That Bothers Me

Not everyone needs access to everything. Does that make sense? Role-based access control restricts what people can do, according to what they actually need in their work. Revise it frequently. Minimize insider threats.

However, some part of me is concerned that I appear paranoid or a control freak. These individuals collaborate with me daily. They are not threats. Except… What happens when an account is compromised? What happens when they depart in bad blood? It has this awkward mix of trust and protection that I am still trying to figure out.

The Nightmare Scenario I Can’t Stop Thinking About

Imagine this: I get into the office Monday morning, and everything is going wrong. Files are encrypted. Systems are falling. I have a ransom note onscreen. Customers are dialing in, in a tizzy over their information. The story gets on the local news.

This is the reason I would lie awake in bed contemplating alternatives. Encrypted backups, off-site storage, and incident response procedures. My steps should be clear: detect the breach, contain it, inform affected clients, and recover systems. I would test these plans frequently.

I have none of this arranged yet. I make myself physically ill when I consider making phone calls to clients, informing them about the possibility of a breach of their own information. The court costs, the penalties, and the possible punitive actions: it is all too realistic.

The Insurance Conversation I Keep Delaying

Cyber insurance is available to pay breach expenses, attorney expenses, client notification, and regulatory fines. It is a lifeline. Red Rock Technology and others also endorse it. Savvy attorneys purchase it.

But why haven’t I? Perhaps because purchasing cyber insurance feels like acknowledging that I am a target. Like recognizing that, despite my best efforts, bad things might still happen to me. It is an ugly fact.

The Rules I’m Supposed to Follow

I must be competent, and in this day and age, that means being competent in technology, and concerned with confidentiality, safeguarding client information. It is enforced.

Courts require reasonable efforts to safeguard confidentiality. GDPR, CCPA, all these regulations have teeth. Failure is not only a case of professional humiliation but also sanctions, fines, loss of credibility, and possibly even my license.

All my hesitation sounds rather stupid when I say so.

The Bottom Line

This is what I keep returning to: my clients trust me with the most sensitive material. Divorce proceedings, or criminal cases, or business deals–things that would so destroy their lives, had they been known. They are relying on me to take care of it.

I did not choose to become a lawyer to become a cybersecurity expert. This is the world in which we are living. Technology is no longer optional. Security is no longer optional.

I have the option of being proactive with this, or I can wait until something negative occurs, and then run around trying to repair it. When stated that way, my decision seems clear.
