Though the entire ABA 2020 Legal Technology Survey Report is out, first up online were the stats related to Technology Basics and Security. Respondents were asked a total of 262 questions, with 21 questions focused on security. The attorneys who responded were in private practice and here is the breakdown of participants: solos (26%); firms of 2-9 attorneys (30%); firms of 10-49 attorneys (17%); firms of 50-99 attorneys (5%); firms of 100-499 attorneys (10%), and firms of 500+ attorneys (12%).
The answers came in between March and May 2020 so they do reflect the initial impacts of COVID-19, particularly the work-from-home movement.
43% of respondents use file encryption, 39% use email encryption, 26% use whole/full disk encryption. Other security tools used by less than 50% of respondents - have two-factor authentication (39%), intrusion prevention (29%), intrusion detection (29%), remote device management and wiping (28%), device recovery (27%), web filtering (26%), employee monitoring (23%), and biometric login (12%). By in large, this indicates that lawyers are not taking cybersecurity as seriously as they should be.
How are firms doing with cyber insurance? Firms ranging in size from 10-49 attorneys are most likely to have cyber liability insurance (40%), followed by firms of 100+ attorneys (38%). One notable trend is the increase in the number of smaller firms with such coverage, with firms of 2-9 attorneys (36%) and solo attorneys (33%) up respectively from 27% and 19% since 2017. I am happy to see those numbers but they also reflect that we still have a long way to go. And sometimes, insurance companies deny coverage. There are a lot of exclusions and there have been more than a few court battles. Cyber insurance is great and certainly helps fill the risk gap, but it won't protect you from having to deal with a data breach and you have to be darn sure to understand the coverage you have.
I was not surprised that the new survey shows that 29% of respondents have suffered a data breach (compared to 26% in 2019). I have always thought it likely that this stat is low – in many firms, especially large firms, attorneys may never learn of a breach unless it becomes public.
This is borne out by 21% of respondents reporting that they do not know whether their firm has ever experienced a security breach, with big firms representing the highest percentage of that number at 62% for firms with more than 100 lawyers.
34% of respondents have an incident response plan (IRP), compared to 31% in 2019. Progress there seems very slow to me. Unsurprisingly, 77% of respondents from firms of 100+ attorneys said that their firms had an IRP.
Suggestion for the laggards: Read ABA Formal Opinion 483 – and then start drafting.
Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: snelson@senseient.com Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson