Law firms, both big and small, are increasingly vulnerable to the menace of cybercrime. Recent news reports of the devastating attack on the global law firm DLA Piper have heightened concerns. The hackers prevented DLA Piper, and many of their clients, from conducting any business by taking them completely off-line. It has been reported that the attack could cost them millions to fully recover.

In the case of a data breach like DLA Piper’s, firms are legally responsible for notifying every client and former client who may have been affected. With direct costs (such as consulting with legal counsel, hiring forensic experts, and notifying and offering restitution to victims) averaging $158 per record, a breach can be costly. Firms should take the necessary precautions to protect themselves and their clients from cyber threats.

Risk Mitigation Recommendations

There are many fairly simple ways to help minimize cyber threats at your firm. Take these steps to help prevent the headaches and costs associated with a cyber-attack:

Enforce a Password Policy

Password policies are the simplest and least costly way to protect sensitive data and decrease risk. All firm members and employees should adhere to these password requirements, which include: a combination of letters, numbers and symbols; a minimum of 12 characters; and upper and lower case letters. Passwords should be changed on a regular schedule and not be repeated.
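The following is an added example (not code from the original article or from Lockton) showing how the policy above can be enforced in software rather than left to memory: a checker for the stated length and character-class requirements, plus a "not repeated" check against a history of previously used passwords. The history is kept as salted PBKDF2 hashes so that old passwords are never stored in the clear; the history entries and message strings are constructed for the example.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12  # minimum length required by the policy above
PBKDF2_ITERATIONS = 200_000  # work factor for hashing stored history entries

# Violation messages returned by the checker
TOO_SHORT = "shorter than 12 characters"
NO_UPPER = "no upper case letter"
NO_LOWER = "no lower case letter"
NO_DIGIT = "no number"
NO_SYMBOL = "no symbol"
REUSED = "password was used before"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; used only for the reuse history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def remember_password(password: str, history: list) -> None:
    """Append a (salt, hash) pair for a password that is now in use."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def check_complexity(password: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if not any(c.isupper() for c in password):
        problems.append(NO_UPPER)
    if not any(c.islower() for c in password):
        problems.append(NO_LOWER)
    if not any(c.isdigit() for c in password):
        problems.append(NO_DIGIT)
    if not any(c in string.punctuation for c in password):
        problems.append(NO_SYMBOL)
    return problems


def is_reused(password: str, history: list) -> bool:
    """True if the candidate matches any previously stored (salt, hash) entry.
    compare_digest avoids leaking timing information about partial matches."""
    return any(
        hmac.compare_digest(hash_password(password, salt), stored)
        for salt, stored in history
    )


def validate_new_password(password: str, history: list) -> list:
    """Full policy check for a proposed new password: complexity plus no reuse."""
    problems = check_complexity(password)
    if is_reused(password, history):
        problems.append(REUSED)
    return problems


# Constructed history for demonstration: one password the user has already used
EXAMPLE_HISTORY = []
remember_password("Summer2016!Pass", EXAMPLE_HISTORY)

if __name__ == "__main__":
    for candidate in ["Abc1!", "Tr0ub4dor&3x", "Summer2016!Pass"]:
        print(candidate, "->", validate_new_password(candidate, EXAMPLE_HISTORY) or "OK")
```

Each rule maps to one message, so an onboarding form or a scheduled-rotation prompt can tell the user exactly which requirement failed. The hash work factor is deliberately high because the history list is a target in its own right if a machine is stolen.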

Staff Education

Most people know to avoid suspicious email, but educating staff routinely on cyber security awareness can be very beneficial. Provide an extensive list of “do’s and don’ts”, and publish formal policies on acceptable internet and social media usage. Many studies have shown that regular awareness training can pay dividends.

BYOD Policies

Bring Your Own Device (BYOD) policies can be risky unless appropriate security measures are taken. If personal devices are allowed, be sure to:

  • Encrypt and password protect company data on personal devices
  • Install mobile device management software that remotely wipes the employee’s device if the employee leaves the firm
  • Limit unsecured Wi-Fi practices

If these measures are difficult to enforce, consider banning BYOD.

Encryption

Lost or stolen laptops/devices are a leading cause of law firm data breaches. With simple file, email and full-disk encryption on all devices, information is better protected if misfortune occurs.

Cloud Service Caution

It is becoming increasingly common to use cloud providers for data and network storage. When utilizing this capability, ask the following questions:

  • Will my information be encrypted?
  • Have my clients provided their written consent to place information in the cloud?
  • Does the cloud provider employ adequate security measures to protect the data?
  • Will the data be stored outside of the U.S.? If not, would it be subject to search and seizure?

Other Measures to Consider

Cyber criminals are smart, and even firms that take all preventive measures can still find themselves vulnerable to a determined hacker. This is why many lawyers are buying cyber liability insurance policies.

Whether you purchase your cyber insurance through the bar program or another provider, it provides valuable protection against the costs incurred in the event of a cyber-breach, such as privacy breach notifications, loss of income, recovery of network infrastructure, potential litigation and regulatory fines/penalties. Lockton’s policies can cost as little as $300, with $1 million in coverage.

The carriers offering cyber insurance have also built extensive networks of providers that can help identify cyber security shortcomings, deal with the public relations backlash if a breach becomes public and handle the ministerial duties of the client notifications required by the law.

To learn more about your cyber insurance options, consult your insurance agent, or contact Lockton at 844.307.5960 or review insurance products on our website.