How clients are pushing their outside counsels to adopt stricter cybersecurity standards and protections
In light of the rise in cybercrime, many corporate clients now demand, as a condition of retention, that law firms respond to exhaustive requests for proposals and describe the data security programs and preventive tools they have in place.
According to a 2014 article in the New York Times, Wall Street banks are now requiring outside law firms to demonstrate their computer systems are employing top-tier technologies to detect and deter cyberattacks. Additionally, the Wall Street Journal reported that J.P. Morgan Chase & Co., Morgan Stanley, Bank of America Corp., and UBS AG have subjected outside law firms to greater scrutiny regarding their cybersecurity.
In fact, some financial institutions are asking law firms to fill out 60-page questionnaires that detail their cybersecurity measures, while others are performing on-site inspections.
Furthermore, an increasing number of organizations are bound by governmental regulations that dictate what security measures you should have in place and how they should be audited. The Health Insurance Portability and Accountability Act, GDPR, Payment Card Industry Data Security Standard, Federal Information Security Management Act, Sarbanes-Oxley Act and Gramm-Leach-Bliley Act all dictate how to secure different types of data and the systems that manage it. They also require regular security posture assessments, although they vary on specific requirements and time frames.
As a result, in-house counsels are starting to push their outside law firms to follow certain cybersecurity protocols. “In-house lawyers need to think of outside counsel as an extension of the company,” says Miller of Marketo Inc. “Any requirements you have internally regarding the protection of company data, including training protocols and incident response/business continuity plans, must be imposed on outside law firms, as well. These are table stakes.”
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Steps to cyber safety
First, in-house counsels should ensure their outside counsels have conducted a security assessment and gap analysis, have written cybersecurity policies and procedures, and have an incident response plan and team. Preparing in advance for an incident will allow the enterprise to limit its liability, reduce potential damage to reputation, and resume operations as quickly as possible.
Second, in-house counsels should demand that their outside law firms regularly conduct security awareness training so that all management and employees know the firm’s cybersecurity protocols and can spot phishing emails and other types of malicious attacks. According to Verizon’s 2018 Data Breach Investigations Report, companies are nearly three times more likely to be breached because of social attacks than technical failures—with almost all of these attacks coming via email.
Lastly, all 50 states now have a breach notification law triggered when sensitive and confidential information is accessed or acquired in an unauthorized fashion. Responding to a breach is a costly endeavor and can easily add up to hundreds of thousands of dollars. Thus, in-house counsels should demand that outside law firms carry adequate cyber liability insurance to help cover breach notification costs, and that the policy includes qualified legal and forensic vendors who specialize in responding to breach incidents.
Furthermore, new ABA ethics opinions emphasize that to be competent, lawyers must understand technology and maintain the security of clients’ electronic confidential information. These developments are forcing in-house counsels and their outside law firms to be cognizant of the very real and significant risks they face in the 21st century and to acquire the technology sufficient to keep abreast of their clients’ cybersecurity needs.
Read more about how to avoid falling victim to social engineering cyberattacks at ABAJournal.com.
Karen Painter Randall is a partner and certified civil trial attorney in the Roseland, New Jersey, office of Connell Foley, where she’s chair of the firm’s cybersecurity and data privacy practice group. Steven Kroll is a partner at the firm and works with businesses regarding the ever-evolving issues related to cybersecurity and data protection. He provides awareness training for employees on issues related to cybersecurity.
This article was published in the August 2018 ABA Journal magazine with the title "The customer is always right: How clients are pushing their outside counsels to adopt stricter cybersecurity standards and protections."