
Online Extra
Are Law Departments Letting Law Firms Off the Hook When it Comes to Cybersecurity?

It is time for a reality check on cybersecurity. Our research has focused on the threat that data breaches present to law firms and law departments independently, but the interplay between cybersecurity at law firms and law departments is increasingly impossible to ignore.


Law departments: if you are not already doing so, monitoring law firm cybersecurity practices and requiring compliance with your own standards is your mandate, and it is critical. Since our original report over two years ago, there is little to no indication that law firm cybersecurity has meaningfully improved. That fault does not lie with law firms alone.

According to our recent report on cybersecurity and law firms, law firms are failing at the most fundamental level: basic preparation. As seen in the graph below, there are three fundamental stages of data security: assessment, planning, and testing. These stages involve understanding data security needs and risk-profiling the data accordingly; implementing controls based on those needs and that profile; and testing to ensure an effective response in case of breach. The stages are intrinsically interconnected: without testing, the prior two stages of assessment and planning are incomplete, because nothing confirms that the plan actually works. It is also important to note that the mere act of completing a stage does not mean that a rigorous process was involved.

[Figure 1: the three stages of data security (assessment, planning, and testing) and the share of law firms completing each]
Source: ALM Intelligence Survey, Cybersecurity & Law Firms, 2016

Interviews with law firm and law department leaders conducted in preparing our research revealed that law departments often wanted law firms only to check the boxes, and did not routinely ask for a more detailed assessment or an actual test of firm practices.

A brief history of cybersecurity at law firms over the past two years confirms that law firms are still playing catch-up when it comes to cybersecurity:

In fact, in our predictions for 2016, we anticipated that cybersecurity would create liability in the boardroom. While we were a few months off the mark, it seems that we predicted rightly. What we did not anticipate directly is that the liability would fall squarely on the shoulders of the general counsel. The Yahoo data breach is rumored to be behind former GC Ron Bell’s departure from the company, for example.

News reports pegged Bell as a “fall guy” for the massive 2014 data breach, to which Yahoo’s legal department failed to respond appropriately, according to Yahoo’s filings with the U.S. Securities and Exchange Commission last month. Tellingly, Bell received no severance package upon his departure.

In stark contrast, in the class-action lawsuit against Johnson & Bell for lax data security, a federal judge ruled that the claims against the firm must be arbitrated individually rather than as a class action, finding that the firm had allegedly addressed the security gaps and that the clients lacked concrete proof of injury, as there was no evidence that their personal data had actually been stolen.

This decision can only be seen as a massive setback in the effort to hold law firms to task for cybersecurity issues. There is concrete evidence of faulty security practices potentially resulting in the leakage of confidential client information, but law firms have yet to pay the price.

It is striking that in a single month, a law firm and law department had outcomes on the opposite ends of the spectrum with regard to their cybersecurity practices. It seems likely that this result is one we will see again.

Corporate data security breaches continue to play out in the news, while details of law firm data breaches are much harder to ascertain. At the end of the day, law firms are part of the law department’s supply chain: they hold the company’s confidential data, so the general counsel is responsible for their security in the same way that other corporate functions are responsible for vendor security.

To GCs letting firms off easy: You may wish you were more proactive when the inevitable breach occurs, lest you find yourself the next Ron Bell. As John F. Kennedy once noted: “The time to repair the roof is when the sun is shining.”

*****
Daniella Isaacson, Esq., is a senior analyst at ALM Legal Intelligence. Her experience includes advising law departments in relation to strategy, technology, market intelligence, and operations.

The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.
