Today’s computer hackers are helping themselves to the privileged information that has been a core covenant of the attorney-client relationship for hundreds of years. Hackers know the value of sensitive information that is exchanged and retained between a business and its law firms. According to the most recent information from the American Bar Association, 23 percent of law firms experienced a cyber attack or data breach in 2018.
There has been widespread response to breaches from the largest businesses and law firms, who were initially hit the hardest; they have been working to lock down their data and information. Small- and mid-sized companies and their law firms have also grown serious about cybersecurity. Cybersecurity has become a top priority for legal departments and their service providers.
To assess progress and continue to find ways to increase security, it is critical to take inventory across the chain of information exchange and storage, ensuring all law firms working for the company, regardless of their size and location, reach consistently high levels of compliance with cybersecurity standards. That is because every link in the chain of information is a potentially vulnerable junction for compromise.
Here are questions to ask to help you better understand the risks and opportunities for strengthening every link in your cybersecurity chain:
Are there consistencies in cybersecurity between large, mid-sized, and small law firms?
Larger law firms assessed their security measures after the now-infamous DLA Piper data breach and subsequent shutdown of the firm in 2017. Clients began to require their firms to complete extensive cybersecurity surveys to demonstrate readiness in the event of a potential hack. Clients wanted to know their exposure given their firms’ cybersecurity sophistication, or lack thereof.
Smaller firms moved into action as well, many working with consultants who assessed their processes and formulated plans to achieve a higher state of security. The partners of small and mid-sized firms have been able to enact change as they have closer management oversight of their IT systems and were likely involved in the development of the IT department and decisions on selected tech programs from the beginning. They have intimate knowledge of their current processes and practices and, in the end, these partners are ultimately responsible for the safeguarding of all client relationships and the sustainability of the firm over the long term, given their names are on the door.
All law firms should now have cybersecurity plans in place. The key indicator to understand, however, is their capacity to take action on the plan to make enhancements as soon as the environment changes. Many times, scaling cybersecurity best practices across smaller firms can happen more quickly. That is not to say that it is easy—the most effective cybersecurity assessment and enhancements should be rigorous for any firm.
Are there cybersecurity variances across law firms in different jurisdictions and geographies?
Data privacy and protection regulations are constantly changing across states and countries. If a company does business across jurisdictions and regions, it is important that its law firms stay current on changes in all of those markets and proactively advise on how they affect the overall cybersecurity of the clients’ information and their legal obligations.
The EU’s recent implementation of the General Data Protection Regulation (GDPR) is only the latest (albeit most sweeping) development in this crucial area of law. Outside the EU, however, there is little uniformity in how different countries protect data.
- For example, personal information protection does not have a long history in the Chinese legal system, but it is now one of the hottest legal topics in China. Chinese legislation contains broad, confusing definitions of protection and involves stringent regulations and severe legal penalties. The Chinese government is still exploring a feasible way to implement the relevant legal requirements. This has delayed the process of issuing the rules.
- In contrast, Taiwan recognized the importance of data protection and put information protections in place more than 20 years ago. The most current personal data protection law in Taiwan was enacted in 2010 and implemented in stages. The law is now fully in effect and, among other changes, removes the data user-registration requirement and expands data protection obligations to all industries in Taiwan and to all methods of processing. All business entities in Taiwan that collect, process, or use data must comply with this law, but it does not extend to non-Taiwan business entities that collect, process, or use data of Taiwan resident “protected parties” outside Taiwan.
- In Singapore, the mandatory protection of personal data came into force only in 2014 and is meant to address growing concerns from individuals about how their personal data is used, maintain the trust of individuals in organizations that manage data, and strengthen Singapore’s position as a trusted business hub.
- Australian privacy law has national significance and contains 13 principles, which have the force of law by virtue of the country’s Privacy Act of 1988. The federal privacy regulator is the Australian Information Commissioner.
These are just a few of the differences that exist by region. If a company does business in multiple jurisdictions, it should expect its law firms not only to intimately understand the data rules of their market, but also to proactively share that knowledge. An example of this is a recent guide published by a global network of legal firms.
What should the cybersecurity culture be at my law firm(s)?
The cybersecurity culture at your law firm should be proactive and integrated into everyday practice, prioritized and led by those at the partner level. Cybersecurity should be a top focus of upper management, not relegated to IT staff or firm administration. Many major breaches have occurred because of employee or vendor error, which is not directly controlled by the IT department. Partners should play or share the role of chief compliance officer and chief information security officer to keep cybersecurity at the forefront of their practice.
With what standards should my law firm(s) comply?
Having a current information security plan, and reporting to demonstrate ongoing progress against that plan, are critical indicators of the cybersecurity strength of a law firm. All law firms should be able to demonstrate high standards in these areas:
- management's demonstrated commitment to cybersecurity
- ongoing risk assessments
- technical safeguards
- physical safeguards
- employee training
- third-party risk management
- business continuity
- breach response
- frequent reviews and updates
Significant progress has been made in boosting cybersecurity in the legal industry. In 2018, the American Bar Association reported just a 1 percent increase in law firms that have experienced an attack, much improved over the 8 percent increase from 2016 to 2017. While it will never be possible to completely eliminate breaches, the hard work law firms are doing to reduce the risk is clearly making a difference.