When asked about how law firms should store their information, Brad Biren, a senior associate at Johnston Martineau Des Moines Injury Law, answered with the best case scenario.

“All data should be stored the same way–as securely as possible,” Biren said.

About two-thirds of law firms reported a cyber breach in 2016-2017–and all respondents were targeted, according to a June LogicForce report. Of the 200 US firms surveyed, 95% didn’t follow their own cyber policies, and none met their clients’ policy standards. A little over half didn’t have a breach response plan at all, the report said.

Firms can fall victim to multiple hack forms, including bitlocker scams and phishing, with potentially vulnerable data depending on a firm’s specialization.

“If one of these attacks was successful, the attacker might be able to gain access to information like emails, private records and other sensitive client documents,” said Kristy Rodd, a partner at Honsa Rodd Landry.

An attack’s impact can extend past client security. In December 2016, three Chinese citizens were charged by federal prosecutors after they made $4 million through insider trading after hacking into at least two New York law firms.

“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” Preet Bharara, then-US attorney in Manhattan, said in a statement after the indictment was unsealed. “You are and will be targets of cyberhacking because you have information valuable to would-be criminals.”

SEE: Job description: Security architect (Tech Pro Research)

Tackling the problem with technology

Now, lawyers are taking more precautions to protect themselves from an attack, often using technology to do it.

“Lawyers are becoming more and more aware of their professional responsibility to encrypt and secure client communications,” said Jennifer DeTrani, general counsel at Wickr, a secure communications company.

“The challenge with protecting data is making it accessible to all the right people while making it unobtainable to the wrong people,” Biren said.

The way law firms store and protect data varies, according to business attorney Andrew Legrand of the New Orleans-based Spera Law Group, LLC. Many smaller firms store files on the cloud using services like Google Drive, with the most secure firms requiring 20-character passwords and two-factor authentication.

“Firms can protect themselves by having backups in place of all the data to third party servers, by installing antivirus software, and by educating their staffers on not clicking suspicious links,” Legrand said.

More Software as a Service (SaaS) options are available to help affordably protect data, meaning smaller firms are beginning to be able to outsource some of their cybersecurity needs.

For example, Authentic8 Silo runs the browser as a service for more than 30% of the top 50 law firms in the US, according to CEO Scott Petry. Users remotely control a browser based on Authentic8’s servers, allowing firms to use the browser normally without risk of malware or data loss, Petry said. Once the user is finished, the browser and any cookies or trackers are destroyed.

“Silo allows them to outsource their risk to us,” Petry said.

But as businesses shift to cloud-based systems, new potential security weaknesses emerge. Once used only for storage, these data sharing platforms are now used for client communication and sharing information with other attorneys, according to Biren.

Legrand’s law firm is paperless, instead using multiple cloud-based apps, with every employee needing password-protected access to each app. Employees can be the weakest point in a security plan, so using a password manager helps create, share, and store strong passwords securely, he said.

The rise of BYOD

A digital shift may also lead to a BYOD policy, which allows users to access what they need where they need it, whether that’s the office or the courtroom. But it also means more devices and platforms to protect.

“Information needs to be accessible regardless of location, but also needs to be protected,” said Ed Carroll, the CIO for Dinsmore & Shohl LLP. “Keeping data accessible, yet safe is the number one challenge. Striking a reasonable balance between security and convenience is a challenge faced by all law firms.”

Seattle-based law firm Perkins Coie, which has a 100% BYOD policy, uses MobileIron Access to secure devices. The software only lets employees access data through trusted devices, apps, and cloud services, with the access levels selected by the firm’s IT administrators.

Some firms use iManage Extract, which uses artificial intelligence (AI) to read unstructured data in legal documents and then store the important information in the cloud. The software means less human time combing through documents, but it also means fewer paper print-outs that could get lost and compromise client data.

Fewer papers means fewer papers to sign, with companies like DocuSign offering software focused on safe digital signatures, with non-repudiation audit trails, bank-level encryption, tamper-proof sealed certificates, and multi-factor authentication, according to the company’s general counsel Reggie Davis.

“The quicker we get the needed paperwork signed, the quicker we can represent them against very aggressive creditors,” said Garrett Charity, an attorney at the Los Angeles-based McCarthy Law. McCarthy said he uses DocuSign to keep client data secure while expediting debt cases.

But technology does not provide the most secure path for data. For the most sensitive of information, Biren recommends an air-gap protection, which places a physical gap between data and the internet. One example of this is keeping a timestamped physical document secure, so any other copy can only be authenticated by comparing it to the original.

“There is no way to overcome [that level of security] technologically yet,” Biren said.