The cyberattacks on the Democratic National Committee and the breaches at Yahoo have brought cybersecurity concerns into sharp focus, and law firm clients are taking a new look at how firms safeguard client information. Those who would attack law firms for client or firm information have found new and more efficient ways to invade firms’ information systems. Clients in highly regulated industries are increasingly auditing law firms to assess the strength of the firms’ information safeguards, and have pulled work from, or denied work to, firms that have not met applicable cybersecurity regulatory standards or the client’s vendor management guidelines (yes, they still consider lawyers “vendors”). On March 1, 2017, the New York State Department of Financial Services cybersecurity regulations (23 NYCRR 500 et seq. (Dec. 28, 2016)) will impose even greater information safeguard obligations on lawyers through the regulations’ requirement for due diligence into the security infrastructure of firms that access Nonpublic Information of their Covered Entity clients. To put a fine point on it, those firms that can meet regulatory and client expectations for cybersecurity will get or retain the business, and those that cannot, won’t.

And these are just the business considerations. Law firms are increasingly subject to regulatory proceedings, professional liability claims and other litigation if they fail to adequately protect client or firm information. In December 2014, we wrote about the business, ethical and legal challenges faced by law firms in their role as stewards of client electronic information.1 Events such as the attacks on the law firms Weil Gotshal & Manges and Cravath, Swaine & Moore2 and the attack on the “Panama Papers” law firm Mossack Fonseca3 have placed law firm cybersecurity squarely in the public eye, and also in the eyes of state bar associations (through ethics opinions and attorney disciplinary rules) and of regulators in financial services and health care. In this update to our December 2014 article, we explore new threats to law firms from increased regulatory scrutiny and risk exposure (at the federal and state levels), from professional liability litigation stemming from data breaches by the firm or its third-party vendors, and from inadvertent disclosure of protected and privileged information. Following the maxim that it is better to light a candle than to curse the darkness, we will also suggest practices for law firms to mitigate these risks.

N.Y. Firms in the Regulatory Crosshairs