Page 11 - San Antonio Vol 1 No 3

to something of value, regardless of how small. Many hackers simply cast a large net and gather mass amounts of information, regardless of its value, and then analyze it later to determine whether the information has any value at all.
Hackers utilize a variety of attack methods. For example, ransomware can encrypt a firm’s client files from firm access or shut down telephone or email systems. Every minute a firm is unable to access a client file or use the firm’s email is a direct financial loss. Spyware and phishing attacks, on the other hand, are the practice of sending fraudulent communications with the goal of stealing confidential data. Additional methods include “man in the middle attacks” or eavesdropping attacks, where hackers place themselves in between a two-party transaction, receiving all of the information one party is sending to the other. Unsecured networks, such as public wifi’s at airports, leave many people open to these attacks.
WHAT DO I DO NOW?
Regardless of how sophisticated hackers become, the easiest cyber-attack on any organization is through unsuspecting employees. Malware, phishing, and man in the middle attacks are exponentially more effective when targeting untrained employees—opening suspicious emails and visiting unsafe websites. Educating and training staff and attorneys on cybersecurity is the least expensive and most effective resource for any law firm.
ESTABLISH CYBERSECURITY POLICIES FOR ALL EMPLOYEES (INCLUDE IN EMPLOYEE HANDBOOK)
• Regarding social media and similar activities permitted in the firm
• Regarding employees’ use of personal electronic devices to receive and send email. If allowed, employees should be required to maintain security protocols on their personal devices and a protocol should be established for reporting suspicious emails received by an employee.
• Develop protocols regarding passwords/utilization of a secure password wallet program to access confidential client files
• Establish guidelines for employees utilizing public wifi systems
• IT procedures upon termination of employment, such as revoking network credentials
“A data breach is a data event where (1) significant confidential client information is misappropriated, destroyed or otherwise compromised, or (2) an attorney’s ability to execute the legal services for which they are hired is impaired.”
ESTABLISH CYBERSECURITY POLICIES IN THE EVENT OF A BREACH
• Proper protocol if an employee is confronted with a possible data breach
• Create incident response plans so employees understand their responsibilities before a breach occurs
• Ensure backup and restoration procedures are in place
• Your files should be copied and stored off-site to provide access in the event of a cyber-attack/data breach.
To many, these steps may seem like overkill. But as lawyers, we protect our clients’ rights and property every day by planning ahead.
DO YOU REALLY HAVE A CHOICE?
Anticipating a hacker’s motives or thought processes is nearly impossible. Although no system is ever perfect, when required policies, procedures, and frameworks are followed, confidential information is more secure, and the chances are significantly reduced that an employee will unwittingly release information. Implementing protocols and procedures may seem daunting and time-consuming, but it is fundamental to minimizing risk.
Failure to make a reasonable effort to safeguard client information is not only a great way to lose clients, but an unfortunate means to find yourself facing an ethics rule violation. The American Bar Association and Texas State Bar ethics rules require attorneys to safeguard client information competently and within a reasonable measure.
In addition to the rules of professional conduct, there are state regulations you must comply with if personal information of your clients is compromised. In Texas, you must immediately report a breach of personal information to clients as soon as it occurs or when you become aware of the breach. In Texas personal information includes: name (first and last or first initial and last); social security number; date of birth; maternal data, such as mother’s maiden name; government-issued identifications; biometric data; unique computerized identification; routing codes, or addresses; financial account information; credit card or debit card (as well as all passwords and PINs); personal information relating to physical or mental health; and healthcare payment history. Delays in the notification are only permitted if law enforcement determines that the notice will hinder a criminal investigation. If you fail to properly notify a client of a data breach involving their personal information, you may be liable for state penalties from $2,000 to $50,000 per violation. Prompt notification is key because every day that goes by without taking reasonable action to notify affected clients may incur a penalty of $100 per day.
No one thinks they will fall for the scam—not the mega Washington, D.C. law firm that lost millions of dollars when its IT system was attacked by a ransomware attack, and not the small ten-attorney law firm in Rhode Island who fell prey to over $700,000 in lost business due to hackers encrypting their client files. Train your employees, implement the policies, and ensure compliance. In this case, the best defense truly is the best offense.