Law firms are increasingly being targeted by hackers—criminals who access digital files illegally for personal gain. They may demand a ransom from the law firm or sell sensitive client information to other bad actors.
Cybersecurity is the set of practices that protect networks and computing devices from these digital attacks, also known as cyberattacks. This cybersecurity guide shares critical information for preventing unauthorized access to your law firm's confidential data. We will cover common cyber threats to law firms, how to create a cybersecurity policy for law firms, and the eight best digital protection strategies every personal injury firm should implement.
Why Is Cybersecurity Important for Personal Injury Law Firms?
Personal injury law firms store clients' medical records along with financial and identity details. Letting this data fall into the wrong hands is expensive and embarrassing for both the firm and its clients. An incident can create HIPAA (Health Insurance Portability and Accountability Act) exposure, prompt client lawsuits, undermine the firm's reputation, and stifle business expansion.
Eric Buhrendorf, technology and information security leader at The Cigna Group, says law firms of all sizes should recognize and manage cyber risks. “Cybersecurity is something that everyone from a solo practitioner to a large law firm should be engaged in,” Buhrendorf explains.
Common Cyber Threats to Law Firms
Annual survey data from the American Bar Association (ABA) confirms that more firms are experiencing security breaches, including hacks and digital exploits. In 2021, 25% of survey respondents admitted to a security breach at their firm. The number rose to 27% in 2022 and 29% in 2023.
Law firm cyberattacks can be ambitious and destructive. In 2024, Florida business law firm Gunster agreed to pay $8.5 million to settle a class-action lawsuit prompted by a cyberattack. As reported by Reuters, the incident exposed the personal information of nearly 10,000 people. Gunster reported that the stolen data "varied by individual and included name and one or more of the following: date of birth, Social Security number, driver's license number, passport number, government-issued identification number, financial account information, and medical information."
Gunster did not share how hackers retrieved the information. However, law firm cyberattacks can take several forms. Three common ones are phishing attacks, ransomware, and insider threats.
- Phishing attacks use impersonation to trick people into sharing passwords and other confidential information, or into taking a harmful action such as sending money. In one reported case, a defense firm received phony settlement instructions from someone pretending to be the defendant and wired $500,000 to the wrong account. Payment instructions that arrive by email should be confirmed by phone at a number already on file, never at one supplied in the message.
- Ransomware is malware that encrypts files on a network, and increasingly also copies them out first, then demands payment for the decryption key or for a promise not to publish the stolen data. New York law firm Heidell, Pittoni, Murphy & Bach (HPMB) was fined $200,000 after a ransomware attack exposed information on 114,000 people. The firm paid a $100,000 ransom during the attack, but the attackers never confirmed they had deleted the data, which shows why paying a ransom does not undo a breach.
- Insider threats are attacks initiated by someone with authorized network access. They can be intentional or accidental. A disgruntled employee may deliberately access or copy sensitive data as an act of revenge. Accidental insider incidents happen when an employee falls for a phishing scam or emails a file to the wrong recipient.
Ethical and Legal Obligations
Lawyers must protect client data under Rule 1.6: Confidentiality of Information in the ABA's Model Rules of Professional Conduct. Under the rule, lawyers cannot share client information without informed consent, except in narrow circumstances such as preventing reasonably certain death or substantial bodily harm. The rule also states, "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
Cybersecurity protocols are part of those "reasonable efforts." Poor digital security practices can result in hefty fines and reputation damage. In the HPMB attack, the firm had failed to install an available security patch that would have prevented the breach, and the New York Attorney General's settlement cited the firm's poor data security as a factor in the penalty.
Larger hacks have prompted class-action lawsuits with larger settlements. Gunster's $8.5 million settlement, described above, is one example. Another U.S. law firm, Orrick, Herrington & Sutcliffe, agreed to an $8 million settlement in 2024 after a data breach.
Steps for Building a Cybersecurity Policy for Your Firm
There is no generic cybersecurity policy for law firms. Personal injury firms that don't have a cybersecurity policy must design one that fits their situation. To get started in this process, follow the four steps outlined below.
Step 1: Define Roles and Responsibilities
To start, create a cybersecurity team. Define who oversees the firm's cybersecurity program and which team members play supporting roles. Be sure to also create a reporting structure for handling threats and breaches.
Step 2: Set Data Access and Protection Rules
Next, inventory the data your firm stores and map it against the firm's organizational chart. Data should be available to team members on a "need-to-know" basis: lawyers need full access only to the matters they manage, and administrative staff may not need access to sensitive categories such as client medical records at all.
Design and implement a data access hierarchy, then enforce it technically rather than by policy alone: unique logins for every person (no shared accounts), multi-factor authentication (MFA), and encryption of data at rest and in transit. Passwords themselves should never be stored in recoverable form, encrypted or otherwise; they should be hashed with a slow, salted password-hashing algorithm so that a stolen database does not yield working credentials.
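The following is an added illustration, not CASEpeer's code or the article's, of the access hierarchy just described: a user may read a category of matter data only when their role permits that category and they are assigned to the matter, MFA has been completed, everything else is denied by default, and every decision is written to an audit log. The roles, usernames and matter number are hypothetical.

```python
"""Added example (not CASEpeer's code): a minimal need-to-know access check
for a personal injury matter. Roles, users and the matter ID are made up."""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    CONTACT = "contact"        # client name, address, phone
    FINANCIAL = "financial"    # settlement figures, bank details
    MEDICAL = "medical"        # treatment records, diagnoses


# Which data categories each role may see, regardless of matter.
# Hypothetical roles; adjust to the firm's organizational chart.
ROLE_PERMISSIONS = {
    "attorney": {Category.CONTACT, Category.FINANCIAL, Category.MEDICAL},
    "paralegal": {Category.CONTACT, Category.MEDICAL},
    "billing": {Category.CONTACT, Category.FINANCIAL},
    "intern": {Category.CONTACT},
}


@dataclass
class User:
    username: str
    role: str
    mfa_verified: bool = False


@dataclass
class Matter:
    matter_id: str
    assigned: set  # usernames of staff working this matter


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def can_access(self, user: User, matter: Matter, category: Category) -> bool:
        """Deny by default; allow only when MFA, assignment and role all pass."""
        if not user.mfa_verified:
            allowed, reason = False, "mfa_not_verified"
        elif user.username not in matter.assigned:
            allowed, reason = False, "not_assigned_to_matter"
        elif category not in ROLE_PERMISSIONS.get(user.role, set()):
            allowed, reason = False, "category_not_permitted_for_role"
        else:
            allowed, reason = True, "ok"
        # Every decision, allowed or not, is recorded for later review.
        self.audit_log.append({
            "user": user.username, "matter": matter.matter_id,
            "category": category.value, "allowed": allowed, "reason": reason,
        })
        return allowed


def demo():
    """Constructed sample: one matter and three staff. Returns the decisions
    and the audit trail they produced."""
    ac = AccessControl()
    matter = Matter("PI-2024-0042", assigned={"dana", "sam"})
    dana = User("dana", "attorney", mfa_verified=True)
    sam = User("sam", "billing", mfa_verified=True)
    lee = User("lee", "attorney", mfa_verified=True)  # not on this matter
    results = {
        "dana_medical": ac.can_access(dana, matter, Category.MEDICAL),    # True
        "sam_medical": ac.can_access(sam, matter, Category.MEDICAL),      # False
        "sam_financial": ac.can_access(sam, matter, Category.FINANCIAL),  # True
        "lee_medical": ac.can_access(lee, matter, Category.MEDICAL),      # False
    }
    return results, ac.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for entry in log:
        print(entry)
```

Note that an attorney who is not assigned to the matter is refused even though the role allows medical data; checking both the role and the assignment is what turns a broad permission into need-to-know. The audit entries for denied requests are as useful as the allowed ones, since a burst of denials from one account is an early sign of a compromised login or an insider probing for data.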
Step 3: Develop an Incident Response Plan
An incident response plan is a primary component of cybersecurity for law firms. The response plan defines the steps for handling cyber threats plus the triggers that activate different phases of the plan. Phases might include internal reporting, containment, recovery, and external reporting.
- Internal reporting describes how the team notifies company stakeholders of a breach or threat.
- Containment includes isolating affected systems, closing the security gap, and limiting data loss or damage. Preserve logs and copies of affected systems before wiping or rebuilding them; they are needed to determine what data was exposed and to support any later legal or insurance claim.
- Recovery covers the steps following the attack, such as bringing the system back online and restoring data from backups.
- External reporting involves notifying external stakeholders and those affected by the attack, including clients, regulators under applicable breach-notification laws, and the firm's cyber insurer, whose policy may require notice within a set period.
Step 4: Implement Vendor Security Requirements
Software vendors that handle your data must meet the same standards your firm sets for itself: unique logins, MFA, and encryption of stored and transmitted data. Ask for evidence rather than assurances, such as an independent security audit report and a written commitment to notify you of a breach within a defined time. Vendors must also have a proactive security approach, because cyber threats are evolving and law firm cybersecurity best practices must adapt with them.
In this environment, your firm needs vendors with a security-first mindset who treat the relationship as a partnership. If you detect a threat or a security gap, you want your vendors to work quickly with you to keep the firm's data safe.
8 Best Practices for Improving Cybersecurity at Your Law Firm
If you already have a cybersecurity policy, review it against the following personal injury law firm cybersecurity best practices. These action items can improve data safety and your team's ability to handle threats.
1. Develop an Incident Response Plan
Personal injury firms need formal incident response plans to enable quick, decisive action after a threat is detected. A well-documented plan can limit financial and reputational consequences for the firm and its clients.
The plan outlines actions, the roles responsible for each action, and the triggers that start them. Cybersecurity firm CrowdStrike also recommends including metrics to measure the plan's effectiveness. Metrics could include time to detect and time to contain, incident frequency, and the number of incidents that escalate through each phase of the plan.
2. Provide Employee Training and Awareness
Every team member, from technology managers to summer interns, can participate in the firm's cybersecurity program. Anyone who sees or experiences a potential cyber threat should feel empowered to report it.
Training programs support this goal. Training can cover the types of law firm information security issues employees may see, steps to verify the legitimacy of emails and other communications, and how to report suspected vulnerabilities.
3. Use Multi-Factor Authentication (MFA)
MFA adds a second proof of identity after the password, such as a one-time code from an authenticator app, a push prompt, or a hardware security key. Codes sent by text message or email still help, but they are the weakest form: they can be intercepted or phished along with the password, so prefer app-based or hardware-based factors wherever the service supports them. Buhrendorf says, "Two-factor authentication is the best thing you can do to secure your accounts." You can learn more about cybersecurity for law firms from Buhrendorf in this webinar.
4. Get Cyber Liability Coverage
Cyber liability insurance helps cover the costs of digital attacks. Depending on the carrier and policy, the coverage could pay for lost income, data recovery, customer communications, technology repair, and litigation expenses. Some insurers also provide education and other resources to round out your team's cyber defense skills.
5. Conduct a Routine Risk Audit
A cybersecurity risk audit evaluates your firm's digital security measures to identify weaknesses. The audit should review security practices and procedures, case and matter management software, hardware, and systems to identify vulnerabilities and threats, including whether security patches are being applied promptly, since a single missed patch was the root cause in the HPMB breach.
Plan on auditing your cyber risk at least once annually. Large personal injury firms with complex systems and vast client bases may need to audit risk two to four times annually.
6. Implement a Secure Client Portal
A misplaced smartphone is a law firm information security breach if that device can access client information. A dedicated, secure client communication portal replaces text messaging, limiting the client data that ends up on smartphones. These portals also avoid overheard conversations and keep messages off lock screens where wandering eyes can see them. Any phone that does reach firm data should still be required to have full-disk encryption, a screen lock, and remote wipe enabled.
7. Ensure Your Data Is in the Cloud
Is the cloud safe for law firms? For most firms, yes, with one caveat. Major cloud providers employ dedicated security teams and patch, monitor, and physically protect their infrastructure far more thoroughly than a small firm can for a server in a closet. Cloud storage for law firms with encryption and automatic backups is generally more secure than an on-premises server, which rarely gets the same level of monitoring and can simply be picked up and carried away, causing immediate and possibly permanent data loss. The caveat is that the provider secures the platform, not your use of it: the firm is still responsible for who has accounts, whether MFA is enforced, and whether sharing settings are configured correctly. Most cloud data exposures come from misconfigured access rather than from a provider being compromised.
8. Use a Trusted Case Management Software
The quality of your firm's case management software directly influences your cyber protection level. A reliable case management application like CASEpeer will comply with law firm security requirements and incorporate role-based access, audit logs, and intraday backups. These necessary security features keep your clients' sensitive data protected.
CASEpeer is the #1 trusted partner for personal injury firms, and the CASEpeer team takes that responsibility seriously—in part by implementing leading security features and protocols.
How CASEpeer Enhances Cybersecurity for Personal Injury Law Firms
Hackers increasingly target law firms to access sensitive and potentially damaging client information. Personal injury firms are particularly at risk because medical records are prevalent within their case files.
CASEpeer can strengthen your digital security defenses with the following law firm security requirements:
- Secure case management: Transmitted data is encrypted, keeping information secure. The secure client portal allows for safe and private messaging.
- Secure document and medical records management: Follow cybersecurity best practices with unlimited secure cloud storage for law firms, secure collaboration functionality, and rolling backups throughout the day.
- Access controls and permissions: Customize access controls to suit your team. CASEpeer supports user roles, so you can share case information only with those who need it.
To learn more about CASEpeer features that protect critical business and client information, schedule a demo today.