Digital Evidence Articles

Cyber Security Expert: Law Firms Must Step Up Cybersecurity!


A recent article in the New York Times underscores the demands clients are placing on their law firms to step up their cybersecurity. Financial institutions, including some Wall Street banks, are asking their outside counselors to answer questionnaires of up to 60 pages, which probe the firm’s cybersecurity measures. Other types of corporations are also asking their legal firms to allow internal and/or external Information Technology (IT) firms to do an audit.

Clearly, these institutions are interested in keeping their own secrets and confidential client information safe from the growing threat of black hat hackers. These secrets and confidential information could be used by hackers for their own financial gain or even shared with other organizations.

The corporate auditors want to know if steps are being taken to guard against the potential compromise of sensitive information. This includes protecting against online intrusions, requiring corporate email encryption, eliminating data walking around on thumb drives, preventing email or documents from being sent to unsecured iPads and other mobile devices, and more.

If these companies do not feel that a law firm is taking the appropriate precautions, it follows that legal work may be withheld from firms which are either unprepared or uninterested in stepping up their cybersecurity. Firms may also be required to purchase cybersecurity insurance in addition to their existing Errors and Omissions (E&O) or legal malpractice policies.

Research by FireEye, a cybersecurity firm, estimates that 95% of all organizations are vulnerable to attacks. In its report titled “Law Firm’s Survey 2013 – Executive Summary,” FireEye says, “Information Security is a key area of focus across all law firms, but over one-quarter of respondees to our survey have yet to carry out a security risk assessment covering both Information Security and Physical Security.”

Law enforcement is concerned as well about the vulnerability of American law firms to online attacks. The FBI recognizes that law firms are a rich repository of corporate secrets, business strategies and intellectual property. These secrets, once discovered, could be used by potential hackers to manipulate a transaction or to financially gain from a deal before it is announced.

According to reports, the FBI began to meet with the managing partners of top law firms in the United States as early as 2011. The meetings stressed the need for cybersecurity in such large firms. The FBI especially expressed concern for law firms with offices in foreign countries like China and Russia.

The push from corporate clients may just be the catalyst that causes law firms to tighten up their security. It is one thing if law enforcement encourages you to take cybersecurity seriously; it is another if a corporate client indicates that failure to do so will affect your bottom line. Encouragement can also come in the form of an example. One such example is Target’s breach at the end of 2013, in which the retailer says that at least 40 million credit and debit card accounts were compromised.

Pressure from the Securities and Exchange Commission (SEC) appears to be pushing the financial institutions into tightening their security, which in turn is pushing the law firms. SEC financial regulators are requiring banks to make sure the vendors they rely on, such as law firms and other service providers, are vigilant when it comes to dealing with cybersecurity.

“The public and private sectors must be riveted in lockstep in addressing these threats,” said Mary Jo White, the Chairwoman of the SEC. She made this comment at a round-table discussion, held in late March 2014, on the obligations of public companies to disclose online attacks.

It is likely that some law firms, like most organizations, have been hacked and don’t know it. It is not unusual for organizations that have had an intrusion to be completely unaware for months or years.


Experts on this topic...

Digital Evidence Scott Greene