It is time for a reality check on cybersecurity. Our research has focused on the threat that data breaches present to law firms and law departments independently, but the interplay between cybersecurity at law firms and law departments is increasingly impossible to ignore.
Law departments: If you haven’t already been doing so, monitoring law firm cybersecurity practices and ensuring compliance with your top standards is your mandate and it is critical. Since our original report over two years ago, there is little to no indication that law firm cybersecurity has meaningfully improved. That fault does not just lie with law firms.
According to our recent report on cybersecurity and law firms, law firms are failing on the most fundamental level: basic preparation. As seen in the graph below, there are three fundamental stages of data security: assessment, planning, and testing. These stages involve understanding data security needs and risk-profiling the data accordingly; implementing solutions based on needs and profile; and testing to ensure an effective response in case of breach. These stages are intrinsically interconnected. Without testing, the prior two stages of assessment and planning are rendered incomplete. Furthermore, it is important to note that the mere act of implementing a stage does not mean that there was a rigorous process involved.
Interviews with law firm and law department leaders in the preparation of our research revealed that law departments often wanted law firms to check the boxes and did not routinely ask for a more detailed assessment or test of firm practices.
A brief history of cybersecurity at law firms over the past two years confirms that law firms are still playing catch-up when it comes to cybersecurity:
- In 2015, we found that law firms were an obvious cybersecurity target and noted that, despite a dearth of evidence on law firm data breaches, it was ludicrous to think (as so many law firms did) that it just “can’t happen to me.” We concluded that the industry was playing catch-up, and those on the leading edge would win the battle for clients.
- In 2016, we found “the façade of denial” was starting to crack, and hard evidence existed that law firms were “arguably more vulnerable to cyber attacks than many other industry sectors.” Data breaches targeting Am Law firms such as Cravath and Weil Gotshal; a surfeit of firms listed in the Panama Papers; and the first data security class action against a law firm (Johnson & Bell) drove the point home.
- In early 2017, despite continued warnings and a plethora of serious data breaches, it seems as though law firms are still not being held to task, while law departments are bearing the brunt of the fallout from data breaches.
In fact, in our predictions for 2016, we anticipated that cybersecurity would create liability in the boardroom. While we were a few months off the mark, it seems that we predicted rightly. What we did not anticipate directly is that the liability would fall squarely on the shoulders of the general counsel. The Yahoo data breach is rumored to be behind former GC Ron Bell’s departure from the company, for example.
News reports pegged Bell as a “fall guy” for the massive 2014 data breach, to which Yahoo’s legal department failed to appropriately respond according to filings by the U.S. Securities and Exchange Commission last month. Tellingly, Bell received no severance package upon his departure.
In stark contrast, in the class-action lawsuit against Johnson & Bell for lax data security, a federal judge ruled that claims against the firm must be arbitrated individually and not as a class action, finding that the security gaps at the firm had allegedly been addressed and clients lacked concrete proof of injury, as there was no evidence that their personal data had been stolen.
This decision can only be seen as a massive setback in the effort to hold law firms to task for cybersecurity issues. There is concrete evidence of faulty security practices potentially resulting in the leakage of confidential client information, but law firms have yet to pay the price.
It is striking that in a single month, a law firm and law department had outcomes on the opposite ends of the spectrum with regard to their cybersecurity practices. It seems likely that this result is one we will see again.
Corporate data security breaches continue to play out in the news, while it is much more difficult to ascertain details around law firm data breaches. At the end of the day, law firms are part of the law department supply chain, and therefore the general counsel is responsible in the same way other corporate functions are responsible for vendor security.
To GCs letting firms off easy: You may wish you were more proactive when the inevitable breach occurs, lest you find yourself the next Ron Bell. As John F. Kennedy once noted: “The time to repair the roof is when the sun is shining.”
Daniella Isaacson, Esq., is a senior analyst at ALM Legal Intelligence. Her experience includes advising law departments in relation to strategy, technology, market intelligence, and operations.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.