Data security was at the top of the agenda when a group of in-house attorneys affiliated with top financial services companies gathered at the Yale Club in New York last month.
As sibling publication Corporate Counsel reported at the time, those on hand for the "Legal Departments Under Pressure" panel discussion on June 19 expressed deep concern that the outside law firms they employ have a Bring Your Own Device (BYOD) problem, meaning they let their attorneys use personal smartphones for work-related communications.
Panelist Lani Quarmby, associate general counsel at Bank of America who oversees outside counsel management, offered a blunt take on how her company would respond if its confidential information were compromised because an outside lawyer wasn't using a secure, firm-issued device. “Can you imagine if a law firm had a breach?” Quarmby asked. “We wouldn’t work with them again."
Jeffrey Isaacs, global chief compliance officer of Goldman Sachs’s legal department, was particularly outspoken on the topic. Isaacs said “everyone on Wall Street” has separate business and personal phones, but that law firms have resisted requiring their attorneys to do so because they fear they will be a "competitive disadvantage" when recruiting talent if they enforce stricter data-security standards for smartphones, tablets, and other devices. Isaacs said he and his counterparts have moved to address the problem by beginning a dialogue with chief information officers and, in some cases, partners at 11 large firms about policies they can adopt to improve data security. Isaacs added that he expects the issue to get more attention at an International Legal Technology Association conference in August.
(The results of The American Lawyer's most recent Am Law Tech survey lend some support to Isaacs's claims. Roughly four out of five of the 83 law firm CIOs and technology executives who responded to the survey said their main concern about allowing attorneys to bring their own devices to work was ensuring data security. At the same time, 70 percent said the biggest benefit would be "more cheerful users.")
Eager to gauge law firm opinions on the issue—and to determine whether firms are prepared to acknowledge that they have a BYOD problem—The Am Law Daily attempted to follow up with attendees of the June 19 event, as well as the legal departments of other Wall Street heavyweights, for specifics about who the security scofflaws are—and which 11 firms are on Isaacs's list. Unfortunately, inquiries directed to Bank of America, BlackRock, Citigroup, Deutsche Bank, Goldman Sachs, Morgan Stanley, and UBS were all met with silence.
Undaunted, The Am Law Daily constructed its own list of 13 firms known as frequent advisers to bankings clients: Cadwalader, Wickersham & Taft; Cleary Gottlieb Steen & Hamilton; Cravath, Swaine & Moore; Davis Polk & Wardwell; Latham & Watkins; Milbank, Tweed, Hadley & McCloy; Paul, Weiss, Rifkind, Wharton & Garrison; Shearman & Sterling; Simpson Thacher & Bartlett; Skadden, Arps, Slate, Meagher & Flom; Sullivan & Cromwell; Wachtell, Lipton, Rosen & Katz; and Weil, Gotshal & Manges. Again, our requests for comment went unreturned across the board.
We did manage to reach CIOs at a handful of Am Law 200 firms to discuss the topic. None seemed to think the potential for data-security breaches via attorneys' personal smartphones poses a serious problem.
Duane Morris CIO John Sroka, for instance, says his firm uses mobile device management software that allows users to separate business and personal information on cell phones and ensures that passwords are being used. Sroka adds that while many large firms use such software, smaller firms may not.
Thompson Coburn CIO Phillip Rightler expressed skepticism at the assertion that attorneys' phones might not be secure simply because they are used for business and personal purposes. "Banks cannot know which contacts and information employees have on their work phones are personal, and which are work-related," Rightler says. "There is no way to know the difference."
He also dismisses the suggestion that attorneys carry separate smartphones for business and personal use: “It would make it more challenging for people to work."