For cybersecurity professionals, law and the nonprofit sector do not immediately come to mind as high-risk industries for data security. Finance, health care, manufacturing, utilities, and consumer privacy perennially top the “most threatened industries” lists. However, because law firms and nonprofits handle highly sensitive personal data, as well as confidential client and donor information, they face unique security threats. The overlap of law and nonprofits creates a specific set of cybersecurity risks for legal aid organizations and their professionals, as well as opportunities for data security managers.
A Double Set of Exposures for an Essential Service
Legal aid organizations occupy a unique spot on the spectrum of professional organizations. They consist of both paid and volunteer legal professionals who assist clients with issues such as family law, housing, and consumer matters. Law firms and legal aid offices handle sensitive, confidential personal data to support their clients’ cases, such as medical and financial information. However, unlike traditional law firms, their clients often lack access to legal representation, and they cannot afford private counsel.
Most legal aid organizations are nonprofits, receiving funding from donations, grants, Congress, and pro bono support. Like other nonprofits, legal aid offices are often resource-restricted and must seek out cost-effective data management tools and external providers to best serve their clients.
Legal Aid’s Legacy Risk Profiles
Law has traditionally been slow to change its data security posture. The profession is run by lawyers who, quite naturally, focus on practicing law. Law is also a relatively conservative industry, leery of and slower to implement unproven technologies. The profession, however, is target-rich for bad actors. All data related to cases and clients is vulnerable, including financial transactions, private communications, account balances, health information, intellectual property, privileged information, sensitive family matters, and criminal histories. A firm’s business communications and operations are equally at risk.
We are seeing some state and local bar associations understand the threat of cyber intrusion. In 2016, Florida became the first state bar to require lawyers to receive continuing education in technology. But a few hours of general technology education or training on cyber threats isn’t enough to combat the rapidly evolving landscape of bad actors.
Nonprofits are notoriously underfunded and sometimes struggle to access adequate resources for many non-mission-critical programs, including information technology. Sensitive donor data can reveal net worth, estate plans, account details, and financial holdings, among other information. Grant data (both public and private) often outlines salaries, job qualifications, and other sensitive employment information. As for nonprofits, operations and finances must have a higher degree of transparency, reducing many of the protections afforded to private corporations.
link