Online Extra: Law Firms, Legal Departments Predicted to Focus More on IT Risk

By Ed Silverstein
September 02, 2017

Legal departments and law firms are likely to continue to focus more on information technology risk, given a recent projection that global spending on information security services and products will continue to rise.

According to a recent Gartner study, overall global spending in the sector will total $86.4 billion this year, an increase of 7% over last year. Similarly, spending is predicted to jump to $93 billion in 2018, the study said.

“Gartner's latest report about increased spending on security comes as no surprise, given the increase in data breaches, ransomware and the introduction of GDPR [the General Data Protection Regulation] in 2018,” Darren R. Hayes, a professor at Pace University, told our ALM sibling Legaltech News.

“While the liability associated with data breaches in the U.S. may be limited to reputation, the potential fines associated with the introduction of GDPR [in Europe] should be a wake-up call for multinational corporations,” he said. “Google [was] … already fined $2.7 billion by an EU [European Union] antitrust ruling in June of this year so it is clear that the EU will enforce its new draconian cyber-related laws.”

And GDPR compliance is likely to put a strain on legal professionals. In recent years, financial institutions have prioritized regulatory compliance, as regulatory fines have reached an estimated $100 billion annually, Hayes said. Breach response costs are also increasing, and this problem will be exacerbated by GDPR. The Gartner study predicts GDPR will drive 65% of data loss prevention buying decisions through 2018, and security services will continue to be the fastest growing segment in the sector, especially IT consulting, outsourcing and implementation services.

“Legal and compliance departments can expect to focus more on IT risk in the near future, which includes greater scrutiny of third-party IT service providers and their associated service level agreements,” he added.

Commenting on the findings, Perry Carpenter, chief evangelist and strategy officer at KnowBe4, said that: “From a spending perspective, this is really a continuation from previous years. Yes, it is a slight uptick — but the trend has been moving this direction for a while. The trend is consistent with the rise of security spending over the past few years and signals that security programs require ongoing attention and that the security arms race will continue.”

Carpenter also noted that individual technology segments are behind the increase, including: security consulting, testing, data loss prevention (DLP), identity and access management (IAM), secure Web gateways (SWGs), and security outsourcing.

He explained this is being driven by:

  • Global regulation, including GDPR preparedness work, and the “continued tide” of other global security and privacy related mandates;
  • “Fear” of data breach and/or intellectual property loss; and
  • “Shortage” of security expertise within most organizations.

For lawyers, this means that “mandates to protect information exist not only for your clients, but also for legal teams and departments,” he said. “So, don't get caught up in trying to understand how these requirements and trends impact others, but forget to assess how they impact you.”

Carpenter suggests that “prudent” companies “will evaluate their needs and set a budgetary run rate for security that grows at least proportionally with their IT budget.” In addition, he said that “prudent” security programs “will not be solely technology-focused. Rather, they will also embrace the human elements of security.”

“Specifically, they will be aware that the vast majority of data breaches are caused by preventable human errors. As such, ongoing employee training, third-party training and even customer training can be key to establishing a security conscious culture that helps to minimize negative security-related behavioral outcomes,” he added.

Similarly, Joseph Lawlor, managing director of cyber defense at K2 Intelligence, an investigative firm, said that the Gartner report shows how compromises are often the result of highly focused attacks but are just as often due to “targets of opportunity that arise to insecure environments.”

Lawlor noted that the study also “illustrates a change in mindset” from security as the result of “bolting on incomplete solutions” to fully designing systems, networks and applications “with security as a focus in its foundation.”

“Law firms rely heavily on third party software for everything from client communications to billing and case management. They work with data that includes everything from PII [personally identifiable information] to intellectual property and often has attorney client privilege attached. It is paramount that they have a deep understanding and confidence that the systems and software used to enable their day to day work are functioning at the highest levels of security. A law firm's success literally depends on its ability to inspire trust and confidence in its clients and a single breach of that trust and confidence can spell disaster,” he explained.

*****
Ed Silverstein writes for Legaltech News, an ALM sibling of Cybersecurity Law & Strategy.
