In 2015, an anonymous hacker released over 11 million of law firm Mossack Fonseca’s documents in a leak known widely as The Panama Papers. It was a huge breach — the largest in history by a long shot. Mossack Fonseca is the world’s fourth largest offshore law firm; data related to over 200,000 companies that it worked with were revealed internationally. Yet somehow, the Panama Papers still weren’t a wake-up call with regard to information security for law firms — or at least not enough of one.
It’s well known that legal teams, like few other groups in the organization, deal with high volumes of incredibly sensitive information, ranging from patent documents to litigation strategy to merger and acquisition details. In theory, you’d think that access to such highly sensitive information would mean they are required to follow especially strict security protocols — non-negotiable rules on how to share, send, and store that data, especially with outside partners. In reality, outsized risk doesn’t spur outsized protections. Far too often, corporate legal departments (CLDs) and the law firms they work with, which in essence become a virtual extension of the CLD, don’t have workflows for data exchange that are as secure as those of other business units.
Last year, global law firm DLA Piper and Bermuda-based law firm Appleby both admitted to security breaches. The year before, The Wall Street Journal reported that up to 48 law firms in the United States were compromised in a cyber attack, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP. The American Bar Association said that 26% of law firms experienced a breach in 2016, while a LogicForce survey showed that 40% of law firms that were breached between 2016 and 2017 didn’t even know that a breach took place.
While CLDs in large organizations are more often well versed in their corporation’s security plans, that certainly is not universal and is often not the case with smaller corporations and law firms. Indeed, according to a recent survey on law firm security, only 40 percent of respondents noted that their legal departments are involved in security assessments. In these smaller organizations, legal teams are often isolated from their organizations’ detailed security plans. It’s often assumed that they are educated on and are taking the appropriate steps to protect their data, even though that may not be the case.
In reality, while teams understand the importance of data protection, many do not have the time or expertise to implement the appropriate security measures. Unfortunately, a lot can go wrong if the right processes are not put in place — as the aforementioned examples show.
Even more concerning is the fact that CLDs regularly work with law firms that have even less sophisticated information security. One reason is size. CLDs aren’t working predominantly with law firms like Mossack Fonseca but with firms composed of somewhere between a handful and a few hundred people. And if Mossack Fonseca wasn’t up to date with security, how do you think the smaller firms with fewer resources are doing? Those smaller firms are likely highly susceptible to worst-case scenarios that can put data at risk.
Therefore, it’s the responsibility of corporate legal — in collaboration with their IT department — to communicate regularly with the law firms they work with in order to ensure their security protocols are up to par. However, a recent survey by Gartner and Wolters Kluwer's ELM Solutions found only a third of corporate legal departments at mid- to large-size companies across the globe had data security guidelines for outside counsel.
Of course, realizing data security guidelines are needed for outside firms is one thing; actually implementing those guidelines and monitoring compliance are another. To get started, it’s useful to convert internal security policy to external policy.
A questionnaire is a great way to start. For instance, let’s say your corporate legal department has an asset management protocol under which all physical devices are inventoried. How do you want this policy to translate to law firms, and how can you check whether they adhere to those guidelines? It’s also important to convert policy around data flows and access into questions that outside law firms are required to answer. These are questions legal and IT teams should be working on together. They may include: Can you provide an inventory of the data from your work with our company? What is your retention policy for data and hard-copy records? How do you manage data? What is the environment like? What penetration testing do you use?
These surveys should be sent to law firms periodically so CLDs have a clear record of which law firms hold which data and how they are protecting it. Ongoing communication is essential to the relationship; a change in security status shouldn’t wait for a new assessment but should be communicated immediately. Open the channels so security becomes a part of the relationship and, thus, a part of the ongoing conversation. On a similar note, it can be useful to audit law firms — especially the ones with the most sensitive information — periodically to make sure they’re practicing acceptable security policies.
Yet another option is to not give law firms a CLD’s most sensitive information in the first place and instead store sensitive data with a third-party storage repository. Offsite storage repositories likely have more robust information security policies in place than law firms. The law firm can access data as necessary via the repository, and the CLD can rest easy knowing that their information is kept secure.
While these actions may sound somewhat overwhelming, the good news is that advances in technology aren’t just helping hackers with their offense; they are also helping law firms with their defense. For example, tools like Wolters Kluwer's ELM Solutions’ new Cybersecurity Risk Assessment application allow legal teams to automate the creation and dissemination of questionnaires for law firm partners. Information compiled through those surveys is then aggregated into dashboards, which let the legal department sort firms by category and risk level and thus better understand the security of their entire law firm population. Ideally, they share this information with their own IT and security teams to make sure those teams are involved in security conversations.
The bottom line is that having the correct security protocols in place is important for both corporate legal departments and law firms. Law firms are especially ripe for cyber attacks, as hackers realize that getting into just one firm’s documents can unveil highly sensitive information about a large number of clients. The risk has grown since hackers have improved their techniques and technology, while clients are also sharing an increasing amount of information with their outside counsel.
When patents, litigation strategies, information pertaining to mergers and acquisitions, and other sensitive data are leaked, it doesn’t just generate bad press for the law firm and company involved; it can actually hurt the company’s bottom line, affect litigation in progress, and torpedo pending merger and acquisition transactions, leading to regulatory fines and investigations. The release of sensitive documents can shave away a company’s competitive advantage and, under GDPR’s new mandates, trigger fines.
CLDs need to help their law firm partners abide by data security protocols. CLDs’ information is on the line, and ultimately, it is their responsibility to protect that information.