Law Libraries and Cybersecurity

    •   

Caroline Young
Associate Director for Public Services,
The Center for Law and Justice Library
Rutgers Law School
Author, Legal Research and Law Library Management

On the heels of the recent indictment of three Chinese nationals for hacking into two U.S. law firms to obtain insider information, Legal Research and Law Library Management introduces a new chapter on cybersecurity. This chapter includes an analysis of best practices for law libraries, an outline of the role of law librarians in bolstering cybersecurity, and a cybersecurity preparedness checklist.

For years, the Federal Bureau of Investigation has been cautioning law firms that they are specifically subject to attack because they have sensitive data that if released could be devastating to clients that the firms represent.  The specific risk to law firms draws from their size. They have much larger bank accounts than individual consumers yet they are much smaller than most large companies and do not spend the money or do not have the infrastructure to put all of the right security measures into place. However, there is no doubt that breaches at law firms happen, and they occur much more than generally appreciated, although they are often not reported. In fact, one study found that 25% of law firms with more than 100 attorneys have had a security breach. Shockingly, the bulk of attorneys say that their firm has no data-breach response plan.

Understanding why cyberattacks attacks occur begins with understanding what hackers are looking for. The most common scenario is that hackers are not trying to find any specific piece of information. Rather, they randomly retrieve an enormous amount of data and then examine it to see what information is potentially valuable.

Since law firms, law libraries, and other organizations depend on their capacity to collect, access, and process huge amounts of electronic data (aggregated data) for operational efficacy, law firms and other organizations have taken on significant risks and responsibilities. For example, most law firms electronically store large amounts of extremely sensitive client information, employee records, and sensitive financial information about the firm, which makes them particularly vulnerable to hackers, causing serious financial, legal, and operational costs to the firm. 

With the dangers associated with holding huge amounts of electronic information come novel opportunities and security solutions. There are numerous potential roles for law librarians and legal information professionals in their institution’s cybersecurity plans that will allow them to partner with IT staff and other stakeholders. Some of the areas where law librarians and legal information professionals may be especially helpful are working with third-party vendors, educating and training other employees, and researching security options (e.g., software solutions, cybersecurity insurance, and the like).

Law librarians and legal information professionals are particularly well suited to aiding in the battle against cybersecurity threats in the following ways:
    • Upholding third-party vendor compliance with
       cybersecurity policies
    • Educating users about multiple devices and data access
    • Pinpointing the data that is most likely to be
       targeted or damaging if it is breached
    • Educating users about data encryption
    • Supporting and protecting password practices
       (research and software support)
    • Fine-tuning employee behavior policies
    • Training on cybersecurity rules
    • Researching cybersecurity liability insurance (research)
    • New threats: ransomware (ongoing research)

Click here to view product information about Legal Research and Law Library Management. Register and download Chapter 1 for free.

Additionally, Law Journal Press offers two related reference solutions, Information Security Law: Control of Digital Assets and Privacy Law. Not a subscriber? Take 15% off a new subscription to any of these 3 titles using promo code 510467. Promotion valid through December 31, 2017.

 

Comments are closed