Legal BlackBook


AUGUST 2018
After a series of breaches at big firms, has anything changed?
By David Hechler
WHEN THE SUBJECT IS DATA BREACHES, most of the time we’re reading reports about big companies. Occasionally the targets that make news are government agencies or institutions. One of the big fears, of course, is that we may soon be reading about infrastructure like trains or electric grids.
  But a longstanding concern of in-house lawyers is that their outside counsel will be victimized and their company’s confidential data will be stolen. It’s a frightening thought, and it’s not merely hypothetical.
  Several prominent firms have been hit. The one that received the most attention was DLA Piper, which was victimized by the widespread Petya (NotPetya) malware attack in June of last year. A ransom demand added to the turmoil and cost the firm additional time and money. Before that, Cravath Swaine & Moore and Weil Gotshal & Manges were breached, though those attacks were less severe.
  Surveys before and after these events have pointed out the vulnerabilities of law firms of all sizes. Some soul-searching has certainly resulted from the high-profile attacks, and many more firms seem to be taking cybersecurity seriously—and endeavoring to shore up their defenses.
  Can general counsel breathe a sigh of relief?
  Not yet, says LogicForce. The business and technology advisers to the legal industry published a law firm cybersecurity “scorecard” rating more than 300 law firms during last year’s fourth quarter. The company found much to criticize. Surprisingly few firms have hired information security officers, LogicForce said—only 39 percent of its sample. And only 31 percent have formal cybersecurity training programs.
  The statistic the company seemed to find the most troubling was the huge jump in the number of audits imposed on the firms. “One of the most telling statistics in the report highlights the exponential increase in the amount of IT systems, cyber security and data management audits imposed on law firms by their corporate clients as a precursor to doing business together,” the introductory section of the report said. In 2016, the number that LogicForce reported was 7 percent. Last year that skyrocketed to 48 percent.
  LogicForce’s sample did not include any of the biggest firms. Fully 62 percent of the firms it studied employed fewer than 150 attorneys and 83 percent fewer than 250. Only 5 percent employed more than 450 lawyers. That may have had something to do with their failure to hire an information security officer. Still, what LogicForce found could not have eased the minds of the companies that employ these firms.
  Yet other observers note marked changes in attitude and signs of genuine progress. Moreover, the client audits and other collaboration between law firms and their clients don’t strike these observers as part of the problem; more likely, they say, they are part of a potential solution.
  Law firms have made “a substantial investment of time and effort, and there’s a very heightened level of awareness of the threat and the consequences” of data breaches, says Peter Zeughauser, founder of the Zeughauser Group legal consultancy. “And law firms have made progress.”
  Firms have brought more expertise in-house, Zeughauser says. But many larger firms also like to hire outside specialists. “If you have someone in-house and you don’t have a data breach for some time,” he notes, “then that person is not going to be quite as familiar as people who are dealing with breaches for a living.”
  But the strongest pressures on the firms are brought to bear by their client companies, Zeughauser adds. The greatest pressure comes when the general counsel tells the client relationship partner, “You either make progress on this, or we’re done.” The partner, in turn, applies “unrelenting pressure” on the firm’s leadership, Zeughauser says. And “knowing a lot of the chairs [of the firms], it’s their worst nightmare that they have a data breach. It’s reputational damage. These people have fiduciary, confidential relationships with clients, and that’s the stock and trade of the firm.”
  Another way that companies influence their law firms is through audits. And rather than see these as indications of the firms’ abject failures, as LogicForce seems to, Zeughauser sees them as signs of cooperation between business partners. The financial institutions in particular have led the way, Zeughauser says. They’ve been doing “spot-auditing,” he says, with “extensive questionnaires about what protections firms have put in place. And the firms have been responsive to that.
  “What the banks have done has been healthy,” he says, “particularly when it’s all coordinated across an industry sector so that there’s a single set of common protocols.”
  Chris Colvin also sees the utility of law firms collaborating with their corporate clients. The founder of the membership organization In The House, Colvin used to work at Kramer Levin Naftalis & Frankel and he knows that firms sometimes feel more pressure to focus on profits than to solve workaday problems. Colvin also encourages law firms and their clients to work together on cybersecurity without resorting to assigning blame. Like Zeughauser, he doesn’t see such efforts as signs of a breakdown.
  “I would encourage in-house legal departments not to look for law firms to blame for problems,” he urged. “Knowledge sharing needs to happen. Part of the mission should be having these tough conversations, like how do we achieve the best cybersecurity we can as a unified legal community, whether it’s in a corporate legal department or at a law firm? How do we work together to avoid the problems?”

Are company audits of their law firms proof that there’s a problem—or part of the solution?