The Best Defense . . .

By Dennis Boone

Is indeed a good offense, especially when it comes to data security. It’s a lesson that some larger law firm executives have already mastered. But a lot more are at risk of getting schooled.

Back when most current managing partners were starting their careers, top legal executives had plenty to worry about, but their to-do lists didn’t include IT budgeting, Big Data (and, by extension, Big Data breaches), cloud-vs.-SAAS analyses, e-mail retention policies or any of about a hundred other technology-related headaches crowding their schedules today.

The big headline-grabbers of 2015 involve data breaches at health-care giants, Anthem and Carefirst Blue Cross, the federal government, with leaks from the Office of Personnel Management and Army National Guard, and even IT companies themselves, with data losses at password-management company LastPass and the unfortunately named Hacking Team.

But as much as any clients or employees of those organizations stand to lose from a data dump, law firms stand to see as much harm done with potential leaks of their clients’ financial and legal documentation. On top of that is the risk of harm to the firm itself, to cases it may be prosecuting or defending, and to other law firms and organizations who might be sharing that data.

It’s a threat Mark Hinderks knows well. “We have always had a very robust banking and financial institution practice, and that is ground zero for regulatory requirements regarding information security,” says the Kansas City managing partner for Stinson Leonard Street. “That’s in addition to health care, which we also have exposure to. The major banks, the big buildings everybody thinks about, have technical and operational requirements that run into the hundreds of pages that they have sent the firms who represent them to be implemented. We’ve been very focused on making sure we’re ahead of the curve on that.”

That includes creation last year of a new executive position—chief risk officer, a more threat-focused spin on the traditional role of a chief information officer. “Some of that motivation for that was our own need to protect client information,” Hinderks said. “It’s a combination of a technical person security-savvy staff at a chief level position. This is something that is entirely new within the last five years, but really has come to play in very big way.”

Jeff Simon is feeling the same forces at work as managing partner at Husch Blackwell’s Kansas City office. “We’re facing the same challenges as everybody else, including our clients, and giving a lot of advice to our clients that we’re implementing ourselves,” he said. “It creates a lot of empathy for our clients when our own business side is facing the same challenges theirs do.”

So far, law firms haven’t been making the news as cyber-targets, but that won’t last forever, executives say. “I don’t know any law firms at the top of the list” of recent breaches, Simon said, but considering they have the type of information stored at firms in bet-the-company litigation or potential multi-million-dollar cases, there is certainly a financial incentive for on-line pilfering.

“That’s why the industry is becoming more and more aware of the threat,” Simon said. “It’s certainly something you have to plan for; IT is always a very significant part of any budget.” But more broadly, he said, “one of the pressures the law industry has been under since 2008 is the need to become more and more efficient. Clients are more sophisticated about how efficiently services are being delivered, and IT competence is a big influence on which firms clients select—you can’t talk efficiency without talking IT, and firms that have not made the investment in IT are really beginning to pay the price in terms of their ability to deliver services.”

Another firm that has invested significantly is Shook, Hardy & Bacon, where chairman John Murphy is taking an extra measure of pride this year over demonstrable improvements to data security.

“We accomplished our ISO 27001 certification this year, a third-party validation of data security guidelines and policies that says we meet best practices,” Murphy said. “That’s really important, because any general counsel you talk to, one of the things keeping them up at night is data security.”
And it’s also important, he said, in an age where data-sharing is growing with collaborative efforts among firms.

“Regardless of what practices you have as a firm, if there is data released to other firms during litigation, your security is only as strong as that firm’s security,” Murphy said. “I don’t have up-to-date figures, but at the time we received our certification, I think only 12 firms in the world held it, six of those in the U.S. and six in the United Kingdom. It’s a time-consuming, expensive process.”

It’s another example of the  changing the nature of law firm administration.

“Any RFP now where there’s a competitive process with selective firms, there’s invariably some type of question asking about security measures we have in place,” Murphy said.

Litigators, in particular, are sensitive to this issue; much rides on the outcomes of cases they’re arguing. Nonetheless, law firm surveys indicate that, outside the biggest firms, many others have failed to take even the simplest steps.

Part of that is the potentially prohibitive cost and scope of the challenge. Only the largest firms have the resources to address the biggest data-security fundamentals. Experts say the vast majority of firms don’t have the staffing, mechanisms or budget to inspecting all on-line traffic, identify and defeat anything that’s malicious, determine whether questionable traffic could pose a hidden threat and move quickly to repair any damage and plug holes in the dike.

Surprisingly, experts say, among the biggest mistakes many law firms make, especially smaller ones, is failing to take one of the most basic, simplest and cheapest steps needed for data security: a formal, written and specific e-mail retention policy. Whether that means immediate deletion of all e-mail after it’s been read and addressed, or retained for years, firms put themselves at risk without having a consistent policy, and sticking to it religiously.

Another risk is failure to look outward when viewing security needs. Various studies have pegged the risks of third-party data breaches as high as 80 percent, so effective strategies must incorporate an understanding of exposure from a firm’s third-party providers and even their providers.
But there are plenty of opportunities for things to get into circulation, even with data-management best practices.

“Two things: For the electronic data, the volume is not as significant as making sure you have the tech infrastructure organized in a way that’s adequately protective. The volume then fits within that structure,” Hinderks said. “But it’s not just tech protection: People tend to print things out. One of the things they audit your practice for is whether you leave things on your desk at night, or you’re secure, shredding things.

“There are all sorts of human operational things to consider, too, so that means you have to be very diligent about training and compliance. You basically have to do your own looks to make sure everyone is complying. The best-intended policy doesn’t mean anything if you’re not enforcing it.”

The real pressure behind data-security professionals, executives say, is that even if you win today, the sun will come up tomorrow, and it starts all over again.

“You’re really constantly playing defense; you don’t ever win the battle,” said Hinderks. “The game is about not losing. If you do lose, clients will not regard you as secure enough to justify their trust in you. We’re absolutely obsessed with doing everything we can to protect this information.”