In a profession defined by zealous representation of clients, it’s no surprise that clients are starting to push their outside counsels to beef up cybersecurity.
“The possibility that your outside law firm could be breached and your sensitive data stolen is a huge nightmare for in-house lawyers,” says Sterling Miller, general counsel of Marketo Inc., an online marketing technology company. “Outside counsel need to start taking this very seriously. If a breach happens, that law firm is probably no longer working for you and the malpractice claim could be very large.”
These aren’t just idle words. In fact, they underline how serious clients have become when it comes to cybersecurity.
According to the Association for Corporate Counsel’s 2018 cybersecurity report, one in three in-house counsels have experienced a data breach—a significant increase from the previous year, when only 15 percent reported a breach. As such, companies are expending more manpower and money on keeping their data safe. The study found that two-thirds of respondents expected their legal department’s role in cybersecurity would increase over the following 12 months, compared with 55 percent in the 2015 survey.
Further, 63 percent predict that their company’s cybersecurity budget will increase this year, an 8 percentage point increase over two years ago. Additionally, more than 70 percent of responding companies stated they were somewhat confident in their outside counsels’ protection of their data, while 9 percent were “not at all confident.”
Thus, the question becomes: what should a corporate legal department do to ensure that the data collected, used and stored by outside counsel is protected? For one, in-house counsel must ensure that their outside law firms, the hired guns, are not the weak link in the company’s cyberdefense.
Law firms that represent European clients face greater scrutiny for cybersecurity and privacy. The European Union’s General Data Protection Regulation, which went into effect in May, requires, among other things, law firms based in the EU and those that have EU clients to disclose data breaches to regulators and affected clients within 72 hours of becoming aware of the breach, regardless of whether the investigation is complete.
The legal industry is one of the most targeted sectors for a cyberattack because of the trove of information it possesses about clients and cases. In a profession based on precedent and history, the legal sector often has been slow to adapt to new risks and technological changes. One alarming statistic is that cybersecurity company Mandiant estimates at least 80 of the 100 largest firms in the country, by revenue, have been hacked since 2011.
As law firms wade into cybersecurity best practices, the glaring reality is most law firms are not prepared to respond to a major breach. According to the ABA TechReport 2017, only 26 percent of responding firms had an incident response plan in place to address a security breach, and only two-thirds with 500 lawyers or more had such a plan in place. These plans were not a priority with smaller firms, as 31 percent of firms with 10 to 49 lawyers, 14 percent of firms with two to nine lawyers, and 10 percent of solo practices had such plans.
A top priority for many in-house counsels now is to make sure their outside law firms are in compliance with the rigid requirements of the GDPR. As alluded to already, the GDPR extends existing regulations to any enterprise processing data about EU citizens; and failure to meet these requirements risks fines of 20 million euros or 4 percent of a company’s annual global turnover, whichever is greater. Thus, companies are understandably focusing a lot of attention on ensuring their outside law firms are up to speed in their cybersecurity protocols.
However, it is not just the GDPR that in-house counsels should be thinking about, as one of the “sleeper issues” of 2018 is Chinese cybersecurity rules. China has been rolling out rigorous cybersecurity regulations (some have already taken effect and others will later this year), and some of these obligations include an analysis of cybersecurity programs, assessment of data transfers out of China, and a requirement that certain companies share information about cybersecurity with the Chinese government.
Karen Painter Randall is a partner and certified civil trial attorney in the Roseland, New Jersey, office of Connell Foley, where she’s chair of the firm’s cybersecurity and data privacy practice group. Steven Kroll is a partner at the firm and works with businesses regarding the ever-evolving issues related to cybersecurity and data protection. He provides awareness training for employees on issues related to cybersecurity.
This article was published in the August 2018 ABA Journal magazine with the title “The customer is always right: How clients are pushing their outside counsels to adopt stricter cybersecurity standards and protections.”