It is time for a reality check on cybersecurity. Our research has focused on the threat that data breaches present to law firms and law departments independently, but the interplay between cybersecurity at law firms and law departments is increasingly impossible to ignore.
Law departments: If you haven’t already been doing so, monitoring law firm cybersecurity practices and ensuring compliance with your top standards is your mandate and it is critical. Since our original report over two years ago, there is little to no indication that law firm cybersecurity has meaningfully improved. That fault does not just lie with law firms.
According to our recent report on cybersecurity and law firms, law firms are failing on the most fundamental level: basic preparation. As seen in the graph below, there are three fundamental stages of data security: assessment, planning, and testing. These stages involve understanding data security needs and risk-profiling the data accordingly; implementing solutions based on needs and profile; and testing to ensure an effective response in case of breach. These stages are intrinsically interconnected. Without testing, the prior two stages of assessment and planning are rendered incomplete. Furthermore, it is important to note that the mere act of implementing a stage does not mean that there was a rigorous process involved.
Source: ALM Intelligence Survey, Cybersecurity & Law Firms, 2016
Interviews with law firm and law department leaders in the preparation of our research revealed that law departments often wanted law firms to check the boxes and did not routinely ask for a more detailed assessment or test of firm practices.
A brief history of cybersecurity at law firms over the past two years confirms that law firms are still playing catch-up when it comes to cybersecurity:
In 2015, we found that law firms were an obvious cybersecurity target and noted that, despite a dearth of evidence on law firm data breaches, it was ludicrous to think (as so many law firms did) that it just “can’t happen to me.” We concluded that the industry was playing catch-up, and those on the leading edge would win the battle for clients.
In 2016, we found “the façade of denial” was starting to crack, and hard evidence existed that law firms were “arguably more vulnerable to cyberattacks than many other industry sectors.” Data breaches targeting Am Law firms like Cravath and Weil Gotshal; a surfeit of firms listed in the Panama Papers; and the first data security class action against a law firm (Johnson & Bell) drove the point home.
In early 2017, despite continued warnings and a plethora of serious data breaches, it seems as though law firms are still not being held to task, while law departments are bearing the brunt of the fallout from data breaches.
In fact, in our predictions for 2016, we anticipated that cybersecurity would create liability in the boardroom. While we were a few months off the mark, it seems that we predicted rightly. What we did not anticipate directly is that the liability would fall squarely on the shoulders of the general counsel. The Yahoo data breach is rumored to be behind former GC Ron Bell’s departure from the company, for example.
News reports last week pegged Bell as a “fall guy” for the massive 2014 data breach, to which Yahoo’s legal department failed to appropriately respond according to filings by the U.S. Securities and Exchange Commission earlier this month. Tellingly, Bell received no severance package upon his departure.
In stark contrast, in the class-action lawsuit against a law firm, Johnson & Bell for lax data security — the first of its kind against a law firm— a federal judge ruled that claims against the firm must be arbitrated individually and not as a class action, finding that the security gaps at the firm had allegedly been addressed and clients lacked concrete proof of injury, as there was no evidence that their personal data had been stolen.
This decision can only be seen as a massive setback in the effort to hold law firms to task for cybersecurity issues. There is concrete evidence of faulty security practices potentially resulting in the leakage of confidential client information, but law firms have yet to pay the price.
It is striking that, in a single month, a law firm and law department had outcomes on the opposite ends of the spectrum with regards to their cybersecurity practices. It seems likely that this result is one we will see again.
Corporate data security breaches continue to play out in the news, while it is much more difficult to ascertain details around law firm data breaches. At the end of the day, law firms are part of the law department supply chain, and therefore the general counsel is responsible in the same way other corporate functions are responsible for vendor security.
To GCs letting firms off easy: You may wish you were more proactive when the inevitable breach occurs, lest you find yourself the next Ron Bell. As John F. Kennedy once noted, “The time to repair the roof is when the sun is shining.”
ALM Intelligence Notes:
- Build or Buy?: Law departments have shifted from cost center mentality to business unit mentality, requiring new models for operating and a corresponding shift in vendor service structure. This transition, while much discussed, is not well understood. Are law departments insourcing more than they are outsourcing? Are they open to non-law-firm service providers? For more information, see the recent ALM Intelligence report Build or Buy The Evolution of Law Department Sourcing;
- Intelligence in Your Inbox: Subscribe to the ALM Intelligence Analysts Brief, featuring the latest thinking from our analysts, delivered directly to your inbox.