As an article in yesterday's New York Times underscored, clients are increasingly demanding that law firms step up their cybersecurity efforts.
Some financial institutions, including Wall Street banks, are asking law firms to fill out 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections.
Clients are asking law firms to stop putting files on portable thumb drives, e-mailing them to nonsecure iPads or working on computers linked to a shared network in countries like China and Russia where hacking is prevalent. They are threatening to pull legal work unless such measures are taken, and/or requesting that firms add insurance coverage for data breaches to their malpractice policies.
In 2012, Mandiant, a security consulting firm since acquired by FireEye, put out a report estimating that 80 percent of the 100 largest American law firms had some malicious computer breach in 2011. Representatives for several large law firms, all of whom declined to discuss the topic publicly, said privately that the threat assessments from the FBI and consulting firms were overstated. The law firm representatives said hacker attacks were usually e-mail “phishing” schemes seeking to access personal information or account passwords, the kind of intrusions that have become commonplace and (they say) are easily contained.
Clearly, they are in denial. I am glad to see the push from clients who will no doubt drag their law firms grudgingly into 21st-century cybersecurity.