9 steps to prevent a cybersecurity breach

By Steve Couch, president and CEO of the Ohio Bar Liability Insurance Company

The words “cyber,” “cyber breach,” “data breach” or “cyber terrorism” should resonate with the typical Ohio legal practitioner. The highly publicized data breaches affecting Sony Pictures Entertainment (corporate network compromised), Target (40 million records), Adobe (2.9 million records), or Schnucks grocery store (2.4 million records) should cause attorneys to consider the security of their firms’ records and data. If you haven’t considered the risk these threats pose and taken the steps necessary to reduce that risk, your oversight may prove costly.

In addition to obtaining insurance protection against a loss, law firms can and should take the following steps to help prevent a security breach.

1. Develop a comprehensive information security plan designed to prevent data breaches. A great resource is the ABA Cybersecurity Handbook.

2. Conduct a risk assessment, which often can be aided by the services of knowledgeable, objective, independent IT vendors.

3. Use appropriate encryption technology on servers, desktops, laptops and all mobile devices.

4. Limit access to computer systems, email and directories only to known and trusted users, and implement and follow appropriate password policies.

5. Develop and follow a data retention and destruction policy, so that personal data is not at risk. It is important to sanitize and eliminate personal information that is no longer needed, and frankly, to avoid collecting personal data that is not essential. Law firms should carefully analyze where such data is kept, and limit the number of places where such data is retained.

6. Keep anti-virus and security software up to date, regularly applying recommended patches.

7. Educate employees about appropriate handling and protection of sensitive data and use and protection of passwords.

8. Implement and follow a written Internet security protocol (WISP) to explain in detail how Internet access and usage should be conducted on firm computers, and specifically, the limits on such usage. Not only is this employee education process important, but management of this exposure should also continue through employee exit strategies, realizing that unhappy former employees pose a significant risk for a potential data breach.

9. Finally, develop a comprehensive breach preparedness plan, to enable decisive action and avoid operational paralysis when a data breach occurs. This will allow a firm to respond to a breach incident in a timely manner, perhaps limiting the scope of the breach and potential damages to those whose information has already been compromised, as well as limiting the amount of lost productivity and negative publicity that might result from a data breach.

With careful thought and planning, law firms can significantly lower their exposure to a potential data breach and have a road map in place when and if such an event occurs.


