It is no secret that law firms hold sensitive client data, including attorney-client privileged information. Moreover, law firms often have weak cyber defenses. For instance, in 2015, Citigroup issued an internal report warning that “digital security at many law firms, despite improvements, generally remains below the standards for other industries.” As a result, firms are often among of the most vulnerable targets to cyber-attacks because they are often unguarded treasure troves of valuable electronic data.
Law Firms and Clients Lack Regulatory Checks and Balances
Despite this reality, law firms have no regulatory body governing the security of their privileged information. Moreover, many clients are not pushing their law firms to protect their data. For instance, Altman Weil’s 2016 Chief Legal Officer Survey found that two-thirds of the general counsels surveyed admitted that they do not require their top 10 firms to comply with specific data security measures. Only 15.9 percent of those general counsels surveyed imposed security measures on all 10 of their most relied upon firms.
However, these trends may change as law firms are attacked more frequently, and reputational fear becomes a real issue. For instance, this year the Panamanian law firm of Mossack Fonseca suffered a cataclysmic data breach. According to current estimates, this breach involved over 11.5 million attorney-client privileged documents of more than 214,488 offshore entities, and this breach incident has even served as the genesis of a dedicated website.
Law firms may also take cyber security more seriously as the result of increasing litigation. In May 2016, the class-action plaintiff’s law firm, Edelson P.C., filed a federal class-action against the Chicago law firm of Johnson & Bell alleging that “the law firm’s clients have, for decades, been overpaying for legal services because they have been paying, in part, to keep their data secure — and the law firm hasn’t been keeping up with their end of the bargain.”
The New Age of NYDFS Cyber Security Regulations
While these reputational, legal, and client pressures may be compelling law firms to take cyber security more seriously, it appears that the immediate motivator for law firms working with New York banks and financial services will likely come from the New York State Department of Financial Services (NYDFS). Beginning January 1, 2017, these firms will be subject to NYDFS’ “Cyber Security Requirements for Financial Services Companies.”
As I previously discussed in a blog about how these requirements impact small and mid-sized businesses, the NYDFS will impose significant cyber security regulations on covered entities operating within the financial industry. Relevant to law firms, Section 500.11 of 23 NYCRR 500 (Third Party Information Security Policy) requires every financial institution or any covered entity to “implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, third parties doing business with the Covered Entity.”
In sum, Section 500.11 requires a bank or financial institution to have a Third-Party Information Security Policy which addresses the identification of all third-party vendors, their cyber security practices, and any related cyber risk posed by these third-party vendors.
Section 500.11 will also require third-party vendor firms, by contract, to have use technical safeguards such as encryption and multi-factor authentication.
Most striking, firms must also guarantee that “the service or product provided to the Covered Entity is free of viruses, trap doors, time bombs and other mechanisms that would impair the security of the Covered Entity’s Information Systems or Nonpublic Information.” In other words, New York law firms doing work with New banks and financial services could be required to certify in their retainer agreements that their own networks are free of malicious software.
For a while, banking and financial institutions have been industry leaders in cyber security. Now, they may be responsible for compelling the legal industry to get up to speed.
To gain more insights into critical cyber security best practices to protect privileged information, check out our white paper about threats to client confidentiality.