Editor’s note: This is the first article in a series on law firms’ efforts to secure client data.
Forget client service or rate flexibility. If a law firm wants to get, or even keep, business, data security plans are often now the price of admission.
Corporate America is increasingly looking to ensure its outside counsel are handling client data just as securely as the clients themselves do.
“As an industry, we are being challenged in ways that we have historically not been by some of our clients and, most notably, our financial services clients,” said Kelley Drye & Warren Chief Information Officer Judi Flournoy, who serves as head of the International Legal Technology Association’s security group LegalSEC.
While data security is important to all clients, Flournoy said those in the financial services industry, for example, are regulated to ensure their vendors are following proper data-security protocols.
Reed Smith Chief Information Officer Gary Becker said many clients in the financial services and health care industry are mandated under federal law to continually review their data security initiatives.
“We’re now regulated by our clients,” Becker said.
Many of those clients have done annual audits of a firm’s security policies for years now, but they are starting to increase that review to include quarterly discussions on security policies, Becker said. And it isn’t just current clients doing the asking. Many requests for proposals for new matters include “extensive” sections on security and data protection, Becker said.
“It’s really taking off and taking a lot of time, but it’s all for a good purpose, obviously,” Becker said.
Flournoy said her team increasingly works with her firm’s marketing department to answer the security portions of RFPs. Many of those RFPs ask whether the firm does personnel background checks and background checks of the vendors the law firm uses, she said.
“The reach of this is impacting this industry in a way that I don’t think any of us could have anticipated a few years ago,” Flournoy said.
While the RFPs may require detailed responses on complicated security issues, there is also the pressure for the attorneys to get the RFP responses back in short order to get the business, she said.
As part of security audits, existing clients will identify problems and rate them in terms of how critical they are to fix in a certain timeframe, Becker said. He said clients are pretty clear about their expectations in this area.
“They do audits and if you don’t fix the problems … [clients say they] will have no choice but to withhold work from you,” Becker said.
While audits have always been complex, Flournoy said they are becoming increasingly targeted and are following the ISO 27000 family of standards, which set out requirements for information security management. Three years ago, a firm may have had a half-dozen security procedures or capabilities it needed to implement, with the goal of finishing those projects in two or three years, Flournoy said. Now things are done at a much more accelerated pace, she said, forcing her firm and others to handle more projects than they typically would in a calendar year.
“Security assessment and auditing has taken on a much more significant role … in our business environment in 2013, 2014 and going forward,” Flournoy said.
Every audit is different, as every company has different security requirements, Flournoy said. And ISO procedures aren’t forgiving when it comes to an attorney’s customary method of practicing.
Flournoy said the average attorney with at least 10 years under his or her belt has become accustomed to practicing in a way that is efficient for him or her. Often that means exchanging documents with a client by email. But now, instead of email, some clients want to use encryption technology or a secured file-sharing system to communicate with outside vendors, Flournoy said.
“This has created what I’ll call friction, if you will, between attorneys practicing and those of us who are responsible for implementing these” new systems, Flournoy said.
These new systems also come at a cost to the firms, particularly on the personnel and technology side.
Flournoy said the security threats have become much more advanced and they require firms to have highly skilled people on staff to spend all or most of their time managing those threats.
Ballard Spahr General Counsel William Slaughter said his firm has had systems in place to ensure client data is secure, but in the past few years has seen more client requests for procedures specific to the clients. That has required the firm to occasionally have to add certain capabilities, such as encryption of email.
“You obviously have to invest in giving yourself the capability, but it’s not necessarily important or desirable to, for example, [implement] email encryption” firmwide, Slaughter said. “That has all sorts of side issues which would not make that an appropriate measure for all of the millions of emails we send and receive every day. But for particular projects and particular clients, sometimes that is appropriate.”
Modern technology has created a double-edged sword for firms.
Slaughter said one of the biggest security worries is the remote access to information attorneys and staff now have.
“We are very, very cognizant of the increased risks to security that the whole remote access entails, but you can’t run the kind of business that we run without smartphones and Citrix and other things that I think may well expose us,” Slaughter said.
Perhaps unlike other vendors, however, law firms have always operated in a world that “demands confidentiality,” Slaughter said.
But for corporations, law firms are no different than any other vendor.
Highmark Chief Legal Officer Thomas L. VanKirk said his company holds law firms to the same requirements related to data security as it does all of its vendors.
The legal department knows “that [law firms] sign the agreement and our audit and compliance department periodically audits various of the firms on a random basis,” VanKirk said. “In our company, it comes under the auspices of our privacy department, which in our case reports to legal, and also our audit and compliance department.”
VanKirk said the increase in regulatory requirements under the Health Insurance Portability and Accountability Act and other laws geared toward insurance companies has meant a keener focus on data security than those companies had five or six years ago.
While data security at law firms is certainly a growing topic of concern, Highmark is an example of how every company’s needs are different. VanKirk said law firms will not hold nearly as much of the confidential information Highmark has to keep safe, such as individual patient information and Social Security numbers. But on the whole, VanKirk said he feels very comfortable that law firms are doing what they need to do to keep data safe.
Law firms with clients in critical infrastructure industries like financial services, telecommunications and power have to be paying close attention to their security posture, Flournoy said. But even firms without clients in those industries have to address security concerns given a client might do a business deal with an entity that is in one of those sectors or may do business in China where data security threats are quite real, she said.
John Mullen, head of Lewis Brisbois Bisgaard & Smith’s data privacy and network security practice, said he has represented a number of law firms when it comes to data security issues. And he said firms do get breached. Firms aren’t doing enough to protect data, Mullen said.
“The short version is, law firms generally speaking don’t have the budget and don’t have the focus and don’t make the allocations to truly protect the data they have,” Mullen said.
The next installment of the series will examine the greatest threats to law firm data security.