As fears mount that external law firms could be targets for hackers, in-house counsel are wondering just how secure the connection is to their outside advisers. In the last year or so, the FBI and other authorities have identified law firms as the weak links in the confidential information chain.
A story in the American Bar Association Journal in January cited an incident in which three Chinese citizens allegedly hacked into the systems of two prominent law firms and made US$4 million trading on stolen information.
Lyndsay Wasser, co-chairwoman of the privacy and data protection group and a partner at McMillan LLP, advises clients on what they should be looking for from service providers. She is writing a book on cybersecurity law and a section of the book specifically addresses law firms.
“Some breaches in the U.S. brought attention to the fact law firms can be a target, and in this day and age any law firm can be a target,” says Wasser. “I have read a lot of articles that say law firms are the weak link and I think that was probably true in the past, but I do think, especially with the breaches that happened last year, that law firms are very quickly coming up to speed.”
Lawyers and law firms have always had a duty in terms of confidentiality with client information, but companies are becoming more sophisticated in knowing they need to build contractual protections into their agreements with their service providers and that includes their outside law firms.
“I think when talking about service providers there is a two-step approach — contractual protection, which can help you in the event of a breach, and allocating liability, but also nobody wants to have that breach to start with. I think the first step is to do some due diligence and ask questions to make sure a service provider is taking the steps necessary to secure information the best they can.”
The problem, too, says Wasser, is that in many instances breaches are not being perpetrated by the people you are entrusting the information to — many are as a result of outside intrusions and cyberattacks.
“I think a lot of organizations are asking their service providers including their law firms what are your processes and getting the information they need about whether further steps need to be taken to protect the information before they get to the contract stage,” she says.
This spring, the Association of Corporate Counsel issued guidelines for law firm cybersecurity. The push for guidelines has been driven largely by one of the most regulated sectors law firms deal with, says Amar Sarwal, ACC vice president and chief legal strategist.
“It’s been driven largely by the financial services industry, particularly the banks as they have been getting pressure for a number of years from the regulators who are pushing them to closely monitor and audit their entire supply chain,” says Sarwal. “There was definitely a push by the big banks, but the goal of the ACC is to give guidance to in-house departments writ large, not just one particular industry.”
The ACC’s safety guideline for outside counsel who have access to sensitive company data as part of their engagements with corporate law departments is called “Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information” and serves as a benchmark for law firm cybersecurity practices.
Encompassing information retention/return/destruction, data handling and encryption, data breach reporting, physical security, employee background screening and cyber-liability insurance, the model requirements are based on ACC members’ experience, past data security audits and learned best practices in ensuring that sensitive client data remains confidential.
“We are increasingly hearing from ACC members, at companies of all sizes, that cybersecurity is one of their chief concerns, and there is heightened risk involved when sharing sensitive data with your outside counsel,” says Sarwal. “With these Model Information Protection and Security Controls, the in-house bar, with the help of outside counsel, is taking the lead on sharing established best practices to promote data security.”
A number of ACC members worked together to draft the guidelines, receiving input from several law firms on the standards. The guidelines are being issued on the heels of the “ACC Chief Legal Officers (CLO) 2017 Survey” finding that information privacy and data breaches/protection of corporate data were ranked as “very” or “extremely” important by two-thirds of CLOs and general counsel. Since 2014, the percentage of GCs and CLOs expressing data breaches as “extremely” important rose to 26 per cent this year from 19 per cent.
“The trust between a law firm and a client is fundamental to a productive attorney-client relationship. A vital way for law firms to gain client trust is to protect the confidential information provided to them by their clients from cyber-threats,” said Brennan Torregrossa, vice president, associate general counsel and head of the global external legal relations team at GlaxoSmithKline, whose law department assisted in developing the guidelines. “These model controls should be extremely valuable to ACC legal departments and law firms alike to ensure that adequate tools and processes are in place to provide cyber-protection and to take agreed-upon steps in the event of a breach. In a time of rapidly developing risks and threats, clients and law firms need to respond in unison with speed and clarity.”
Many corporate law departments conduct data security audits when they retain a new law firm, a responsibility increasingly held by corporate legal operations professionals that manage outside counsel relationships. According to the “ACC Foundation: The State of Cybersecurity Report,” more than one quarter of in-house counsel are “not confident” or “not sure” regarding their law firms’ data security. The ACC guidelines will give companies a benchmark when creating their own requirements for outside counsel or when initiating a security audit.
Sarwal says large law firms have done a better job nailing down protocols because they have been under pressure from their clients for some time now to address the issue.
He thinks the largest firms in Canada have been more proactive on a wide array of issues. “They aren’t perfect and there’s more work to be done, but they’ve been more collaborative,” he says.
The mid-size firms on both sides of the border are the intended targets of the ACC’s model.
In the context of law firm mergers, Sarwal says that, in some cases, the in-house counsel have taken a hard look at the merged firm and wondered do they have the same information security protocols that they agreed to with the acquirer firm?
“It does require some ingenuity on the part of in-house counsel and the outside lawyer to think about the particular circumstances and say what works and what do we need to add? This is just not check the box kind of stuff. This really goes to the heart of being a lawyer — being discrete and safeguarding your clients’ confidences,” he says.
Robert Percival, partner, technology and innovation at Norton Rose Fulbright Canada LLP, advises clients on security terms and conditions for their contracts with suppliers. He has seen requests to conduct security assessments as one would in any large commercial transaction.
“That could include doing a survey with the IT department on information security practices and procedures and technologies in place to protect confidential information and client files, network security infrastructure — those kinds of things,” he says.
The good news is, says Percival, that there are plenty of standards around information security that larger organizations will employ. The question is whether the law firm is current on those industry practices and standards for information security.
“It’s increasingly incumbent on firms because information security is relevant to anybody but more so the larger firms that tend to be dealing with larger corporate clients, engaging and developing policies and procedures consistent with what’s happening in the industry,” says Percival.
“If you’re entering into a [law firm] panel arrangement, you will often then enter into an engagement letter that the client would require of the firm — these are the terms of conditions on how you will work together.”
Increasingly, he says, law firm engagement letters have terms of conditions around the protection of confidential information and as lawyers they are obliged to protect the information of clients, but now clients are asking for commercial terms and conditions around information security that one tends to see in more commercial agreements — requirements around information security practices the firm is going to need to agree to and adhere to such as encryption and physical security/logical security such as password complexity, all designed to speak to better information security management practices.