The New York State Department of Financial Services proposed new rules earlier this month that would require annual assessments of companies’ third-party vendors—including law firms and solo practitioners—to ensure their compliance with cybersecurity rules.
At a panel discussion in New York on Tuesday, law firm data experts described the unique challenges that small and medium-sized firms face in combating cyberattacks. They also discussed how firms can show security assessors and clients that they have adequate defenses in place.
Reports of hackers targeting large firms have increased in recent years, and the leak of millions of files from Panamanian firm Mossack Fonseca & Co. offered a reminder of the stakes all firms face.
The nature of law firm partnerships, an evolving regulatory landscape around data protection and the pace of technology all make law firms particularly vulnerable to cybersecurity breaches, said Kermit Wallace, chief information officer at Stroock & Stroock & Lavan.
Wallace said smaller firms, with their smaller budgets, need to be especially proactive in demonstrating to current and potential clients that they can keep their data safe.
At the most basic level, Wallace told an audience at ALM’s cyberSecure conference, firms need to be able to show cybersecurity assessors that they have up-to-date data security policies in place. (In June, a prominent Los Angeles divorce lawyer cited cybersecurity concerns as a reason for folding her small firm into Blank Rome.)
Firms also need to demonstrate technology controls that range from data encryption and data loss prevention to business continuity and disaster recovery plans, Wallace said.
Tuesday’s panelists agreed that staff training—and ensuring that all personnel at all levels within the firm are adhering to security policies—can’t be overemphasized.
“You have to have everybody understand that they’re going to be held accountable,” said Justin Hectus, director of information at Keesal, Young & Logan. “Nothing makes lawyers pay attention more than telling them this is something that the client is demanding, and this is something that’s going to put us out of business if you don’t understand and comply with this element.”
Wallace acknowledged that perfect security may be unattainable, but he said firms have a duty to make the hackers’ job as difficult as possible.
“You’re probably not going to keep everyone out, but if you’re likely to keep them at bay, they’re probably going to go somewhere else,” he said.