San Francisco Attorney Magazine

Fall 2022

Cybersecurity for Solo and Small Law Firms

By Brittny Bottorff and Dorian Peters

Potential cybersecurity risks to solo and small firms

You’ve been hacked. These three words can strike fear into the hearts of even the most courageous attorneys.

Most people recognize that major corporations and large institutional law firms need robust cybersecurity. But what about small law firms and solo practitioners — are they really at risk for a cybersecurity breach? Unfortunately, the answer is yes. According to a 2021 ABA technology survey, 25% of the responding law firms had experienced a cyber breach. At this point, no attorney is immune, and no firm is too small to be the subject of a cyber hack or sophisticated phishing scheme.

There are many different ways that a hack can happen. Some attacks are sophisticated and use highly technical methods. In our experience, however, the more common cause is human: someone falls for a social engineering attack or follows poor security practices. For example, one of the most common cybersecurity threats to a law firm is business email compromise (BEC). BEC attacks are hard to recognize as a threat because the messages often arrive from a legitimate email address, such as a vendor's account that the attacker has taken over, and purport to come from the people who normally handle financial matters.

Reasons to implement cybersecurity measures for your solo or small firm

A cybersecurity breach can disrupt an attorney’s business, expose clients to unnecessary risk, and cost a significant amount of money to remediate. In addition, attorneys have an ethical duty to safeguard client information from unauthorized disclosure or destruction and to take “reasonable precautions to ensure that that information remains secure.” See Cal. Bus. & Prof. Code § 6068(e), Cal. Rule of Professional Conduct 1.6, and Cal. State Bar Formal Opn. No. 2020-203. Further, a lawyer’s duty of competence includes “keep[ing] abreast of the changes in the law and its practice, including the benefits and risks associated with relevant technology.” See CRPC 1.1, comment [1].

Recommended measures to increase cybersecurity for solo and small firms

1. Keep firm software and devices up to date. Keeping your law firm’s computing devices updated is vital to protecting against cybersecurity breaches. Software makers regularly release updates that fix security flaws, and a device that has not installed them remains exposed to the attacks those fixes close. Turning on automatic updates is a good idea for most users.

2. Use unique passwords and a password manager. It’s important not to reuse the same username and password combination across different online accounts. Data breaches occur all the time, and hackers take the leaked username and password and try them against other services (a technique known as credential stuffing); a reused password turns one breach into many. One way to generate unique passwords and store them is to use password manager software such as LastPass, Bitwarden, or 1Password.

3. Enable two-factor authentication. If you have ever logged into your bank’s website and received a text message with a numerical code that had to be entered to complete the login, you have already used two-factor authentication. Our recommendation is to get authentication codes from an application, such as Google Authenticator, Microsoft Authenticator, or Authy. An app generates the code on your device from a secret shared with the service, rather than receiving it by text message, which can be intercepted or redirected to an attacker who takes over your phone number.

In conclusion, solo and small law firms can take practical measures to protect against cybersecurity breaches. These measures will help protect confidential client information and ensure compliance with the State Bar’s ethical rules regarding securing electronically stored client information.


Brittny Bottorff conducts workplace investigations as an impartial, third-party attorney investigator.

Dorian Peters works at the California Department of Justice as a Deputy Attorney General in the eCrime Unit where he prosecutes complex cybercrimes.
