Even in today's sophisticated, technological world, there is never any guarantee that security systems are safe. Richard Levick, Chairman and CEO of Levick, offers his take on the current state of data security and the questions that law firms should be asking themselves.
A more reassuring result would have been surprising. In 2017, the ACC Foundation: The State of Cybersecurity Report found that more than a quarter of in-house counsel are “not confident” or “not sure” about the full integrity of their law firms’ data security. High as that number might seem, it’s hard to imagine it much lower today. After all, we’re being constantly reminded that, as sophisticated as our security systems might be and no matter how many shrewd enhancements we might make, the hackers are never discouraged. It’s a given that, whatever innovations we install, they’ll be up to the challenge.
Of course, the size of the law firms plays into the dynamic. Most large firms have clients in highly regulated industries where specific data security provisions are legally mandated. Obviously, these firms do not have segmented security protocols; the advanced measures they adopt for some client industries are naturally enjoyed by all their clients across the board. It might therefore seem that the reportedly high in-house anxiety is mainly due to the fact that these companies also customarily work with many midsize and small firms which may not represent highly regulated industries and are therefore not obliged to certify the advanced security compliance required of those that do.
Actually, however, companies live in a fool’s paradise if they assume that their large law firms are relatively breach-proof because of the strictures governing highly regulated industries. On the one hand, when banks and insurance companies are themselves so frequently victimized by disastrous breaches, why should in-house counsel assume that the law firms representing them are optimally secure, their compliance with mandated guidelines notwithstanding?
At the same time, in-house counsel need only read the legal trade press to see how vulnerable the behemoth law firms that work with highly regulated industries really are. Recent reports tell of data breaches on the rise among law firms of all sizes, including such large and highly respected firms as Jenner & Block and Proskauer. The multiple causes range from firms’ relationships with third-party vendors to outright theft of hardware, from ransomware attacks to assaults on files that, despite all the guidelines, law firms have simply failed to adequately encrypt.
In an environment where every new headline-grabbing data breach adds to the overall lack of confidence, in-house counsel are well advised to look beyond compliance; to consult resources like the ACC’s Model Controls; and to be constantly asking the right questions of all their law firms, big or small – not only upon retention but periodically afterward as well.
At least four such questions are fundamental, advises Jena Valdetero, who heads up the data breach response team at Bryan Cave Leighton Paisner LLP. The widespread in-house anxiety we’ve noted is only exacerbated when clients fail to ask these questions; when they assume instead that outside counsel have taken the requisite steps required by law to protect both their own information and that of third parties. “It is always fair to ask and never wise to assume,” says Valdetero.
Question #1: Does the law firm have multi-factor user authentication, and not just names and passwords? Importantly, adds Valdetero, do these authentication provisions extend, not just directly to the firm’s network on which it houses confidential client information, but also to the law firms’ email accounts from which hackers can also access sensitive client data?
Question #2: What has the law firm done to document a written information security plan? In-house counsel can ask to see these plans even if, as Valdetero warns, “firms may or may not agree to show them…But at least you can get a sense of whether one exists and how robust it is by engaging the firm in a conversation about their security program.” A flurry of ongoing legislation, especially in the aftermath of the 2018 California Consumer Protection Act (CCPA), will in any event affect what such plans must encompass and the extent to which third parties can insist on access to them. Valdetero cites New York State’s “Stop Hacks and Improve Electronic Data Security" (SHIELD) Act, effective March 21, 2020, as a salient example of how lawmakers are getting ever more aggressive and ever more proactive.
Question #3: Does the firm have a data breach incident response plan and to what extent does the law firm test it? Such testing should typically take the form of tabletop exercises and simulated crises. Ideally they will be conducted by a third party who can bring an objective and disinterested eye to the task. Such drills must be frequent and comprehensive, including checks for phishing scams and inadequate storage practices, among other issues.
Question #4: Does the firm have adequate cyber insurance? At the very least, inquire as to the coverage limits that the firm has in force and the extent to which the policies cover the information of third parties like clients. It is always a struggle to determine how much insurance is enough or what a fair competitive premium would look like. To make those determinations, independent advisors are useful here as well.
We began this article in effect by asking why so many in-house counsel lack confidence in their law firms’ security systems. Maybe that’s the wrong question. At a time when major law firms are getting hacked despite their compliance with advanced and mandatory security procedures, we should recall an FBI report that depicted law firms as a “one-stop shop” allowing hackers to steal both firm-related and client data. Meanwhile, the ABA’s 2018 Cybersecurity Report may have shown a relatively low 6% incidence of client information stolen from firms victimized by hackers but that was still 5% higher than the year before.
Maybe the question should not be, why do 25% of in-house counsel lack confidence? Maybe the question should be, why do 75% have confidence?
Published November 15, 2019.