
Online Extra: Are Law Departments Letting Law Firms Off the Hook When it Comes to Cybersecurity?

By Daniella Isaacson
April 02, 2017

It is time for a reality check on cybersecurity. Our research has focused on the threat that data breaches present to law firms and law departments independently, but the interplay between cybersecurity at law firms and law departments is increasingly impossible to ignore.

Law departments: If you haven't already been doing so, monitoring law firm cybersecurity practices and ensuring compliance with your top standards is your mandate and it is critical. Since our original report over two years ago, there is little to no indication that law firm cybersecurity has meaningfully improved. That fault does not just lie with law firms.

According to our recent report on cybersecurity and law firms, law firms are failing on the most fundamental level: basic preparation. As seen in the graph below, there are three fundamental stages of data security: assessment, planning, and testing. These stages involve understanding data security needs and risk-profiling the data accordingly; implementing solutions based on needs and profile; and testing to ensure an effective response in case of breach. These stages are intrinsically interconnected. Without testing, the prior two stages of assessment and planning are rendered incomplete. Furthermore, it is important to note that the mere act of implementing a stage does not mean that there was a rigorous process involved.

[Figure 1: the three fundamental stages of data security: assessment, planning, and testing]
Source: ALM Intelligence Survey, Cybersecurity & Law Firms, 2016

Interviews with law firm and law department leaders in the preparation of our research revealed that law departments often wanted law firms to check the boxes and did not routinely ask for a more detailed assessment or test of firm practices.

A brief history of cybersecurity at law firms over the past two years confirms that law firms are still playing catch-up when it comes to cybersecurity:

  • In 2015, we found that law firms were an obvious cybersecurity target and noted that, despite a dearth of evidence on law firm data breaches, it was ludicrous to think (as so many law firms did) that it just “can't happen to me.” We concluded that the industry was playing catch-up, and those on the leading edge would win the battle for clients.
  • In 2016, we found “the façade of denial” was starting to crack, and hard evidence existed that law firms were “arguably more vulnerable to cyber attacks than many other industry sectors.” Data breaches targeting Am Law firms such as Cravath and Weil Gotshal; a surfeit of firms listed in the Panama Papers; and the first data security class action against a law firm (Johnson & Bell) drove the point home.
  • In early 2017, despite continued warnings and a plethora of serious data breaches, it seems as though law firms are still not being held to task, while law departments are bearing the brunt of the fallout from data breaches.

In fact, in our predictions for 2016, we anticipated that cybersecurity would create liability in the boardroom. While we were a few months off the mark, it seems that we predicted rightly. What we did not anticipate directly is that the liability would fall squarely on the shoulders of the general counsel. The Yahoo data breach is rumored to be behind former GC Ron Bell's departure from the company, for example.

News reports pegged Bell as a “fall guy” for the massive 2014 data breach, to which Yahoo's legal department failed to appropriately respond according to filings by the U.S. Securities and Exchange Commission last month. Tellingly, Bell received no severance package upon his departure.

In stark contrast, in the class-action lawsuit against Johnson & Bell for lax data security, a federal judge ruled that claims against the firm must be arbitrated individually and not as a class action, finding that the security gaps at the firm had allegedly been addressed and clients lacked concrete proof of injury, as there was no evidence that their personal data had been stolen.

This decision can only be seen as a massive setback in the effort to hold law firms to task for cybersecurity issues. There is concrete evidence of faulty security practices potentially resulting in the leakage of confidential client information, but law firms have yet to pay the price.

It is striking that in a single month, a law firm and law department had outcomes on the opposite ends of the spectrum with regard to their cybersecurity practices. It seems likely that this result is one we will see again.

Corporate data security breaches continue to play out in the news, while it is much more difficult to ascertain details around law firm data breaches. At the end of the day, law firms are part of the law department supply chain, and therefore the general counsel is responsible in the same way other corporate functions are responsible for vendor security.

To GCs letting firms off easy: You may wish you were more proactive when the inevitable breach occurs, lest you find yourself the next Ron Bell. As John F. Kennedy once noted: “The time to repair the roof is when the sun is shining.”

*****
Daniella Isaacson, Esq., is a senior analyst at ALM Legal Intelligence. Her experience includes advising law departments in relation to strategy, technology, market intelligence, and operations.

