It is time for a reality check on cybersecurity. Our research has focused on the threat that data breaches present to law firms and law departments independently, but the interplay between cybersecurity at law firms and law departments is increasingly impossible to ignore.
Law departments: If you haven't already been doing so, monitoring law firm cybersecurity practices and ensuring compliance with your standards is your mandate, and it is critical. Since our original report over two years ago, there is little to no indication that law firm cybersecurity has meaningfully improved. That fault does not lie with law firms alone.
According to our recent report on cybersecurity and law firms, law firms are failing on the most fundamental level: basic preparation. As seen in the graph below, there are three fundamental stages of data security: assessment, planning, and testing. These stages involve understanding data security needs and risk-profiling the data accordingly; implementing solutions based on needs and profile; and testing to ensure an effective response in case of breach. These stages are intrinsically interconnected. Without testing, the prior two stages of assessment and planning are rendered incomplete. Furthermore, it is important to note that the mere act of implementing a stage does not mean that there was a rigorous process involved.
Source: ALM Intelligence Survey, Cybersecurity & Law Firms, 2016
Interviews with law firm and law department leaders in the preparation of our research revealed that law departments often wanted law firms to check the boxes and did not routinely ask for a more detailed assessment or test of firm practices.
A brief history of cybersecurity at law firms over the past two years confirms that law firms are still playing catch-up when it comes to cybersecurity:
In fact, in our predictions for 2016, we anticipated that cybersecurity would create liability in the boardroom. While we were a few months off the mark, it seems that we predicted rightly. What we did not anticipate directly is that the liability would fall squarely on the shoulders of the general counsel. The Yahoo data breach is rumored to be behind former GC Ron Bell's departure from the company, for example.
News reports pegged Bell as a “fall guy” for the massive 2014 data breach, to which Yahoo's legal department failed to appropriately respond according to filings by the U.S. Securities and Exchange Commission last month. Tellingly, Bell received no severance package upon his departure.
In stark contrast, in the class-action lawsuit against Johnson & Bell for lax data security, a federal judge ruled that claims against the firm must be arbitrated individually and not as a class action, finding that the security gaps at the firm had allegedly been addressed and clients lacked concrete proof of injury, as there was no evidence that their personal data had been stolen.
This decision can only be seen as a massive setback in the effort to hold law firms to task for cybersecurity issues. There is concrete evidence of faulty security practices potentially resulting in the leakage of confidential client information, but law firms have yet to pay the price.
It is striking that in a single month, a law firm and law department had outcomes on the opposite ends of the spectrum with regard to their cybersecurity practices. It seems likely that this result is one we will see again.
Corporate data security breaches continue to play out in the news, while it is much more difficult to ascertain details around law firm data breaches. At the end of the day, law firms are part of the law department supply chain, and therefore the general counsel is responsible in the same way other corporate functions are responsible for vendor security.
To GCs letting firms off easy: You may wish you were more proactive when the inevitable breach occurs, lest you find yourself the next Ron Bell. As John F. Kennedy once noted: “The time to repair the roof is when the sun is shining.”
*****
Daniella Isaacson, Esq., is a senior analyst at ALM Legal Intelligence. Her experience includes advising law departments in relation to strategy, technology, market intelligence, and operations.