A recent survey of law firms found that nearly one-third of the respondents didn’t know who was responsible for risk management within their organization. What will their corporate clients make of that?

According to the research reviewed for this post, client cybersecurity audits are becoming the new normal for law firms. Many companies are no longer willing to entrust their legal matters to firms without subjecting them to a client audit first.

The same holds true when Big Law is looking to partner with smaller practices in local markets. Potential partners who cannot demonstrate whether and how they protect sensitive client information against data breaches will lose valuable business and connections to a competitor in the region who can.

For this post, we have collected resources that provide up-to-date insights and guidance that help law firms with their cybersecurity planning and client audit preparation:


1. Why Are So Many Law Firms Unaware That They Suffered a Data Breach?

The second edition of LogicForce’s 2017 Law Firm Cybersecurity Scorecard [PDF], detailing the cyber vulnerabilities of U.S.-based law firms, raises a troubling question.

With the pressure mounting from their corporate clients, why are most of the surveyed law firms still not up to the task of effectively protecting their clients’ data?

Based on survey data from more than 300 law firms, three major findings stand out in this new law firm cybersecurity report:

  • 48% of law firms underwent at least one client data security audit over the past year.
  • Many law firms lack leadership when it comes to IT security.
  • The number of corporate IT and data security audits is increasing.

In the first edition of its Law Firm Cybersecurity Scorecard, the company had pointed out that 40% of firms experienced data breaches without knowing it in 2016. The company also predicted that the share of audited law practices will rise to 60% by the end of 2018.

Our take:

More clients are becoming increasingly aware of the risks that law firm data breaches pose to their trade secrets, intellectual property and other critical and confidential information. Firms that are not ready to prove that they are keeping client data safe risk losing their business.

It’s up to law firm CISOs and IT teams now to identify and vet reliable IT security partners who can help them ace the next client data security audit without increasing the firm’s overhead.


LogicForce: Law Firm Cyber Security Scorecard 2017 Q4 [PDF]


2. Cloud-Based Security: Common Sense for Law Firms

Attorneys handle their clients’ most valuable documents and data, like divorce settlements, intellectual property, witness depositions, tax returns, M&A meeting transcripts or due diligence reports. If such confidential information gets compromised in a data breach, the potential damage to both client and law firm can be irreparable.

So it’s not exactly surprising that many lawyers look at cloud services with apprehension. They find comfort in knowing that their essential data are kept on one of the magic boxes in the firm’s server room, where Larry from IT has an eye on it. Much more secure that way, or is it?

In its whitepaper Is the Cloud More Secure Than You Think?, the Legal Executive Institute (Thomson Reuters) provides law firm IT managers with facts and insights that will help them dispel myths and appropriately address the partners’ concerns.

“[W]hile about 90% of Fortune 500 companies are using the cloud today, many law firms remain holdouts,” the authors report. Moving to the cloud, they stress, will likely be a “necessary move at some point. Indeed, one that’s likely to be demanded by clients.”

Not because “everybody is doing it,” but because it will help most firms attain the level of IT security their clients are expecting. The takeaway of this whitepaper? The authors fit their conclusion in one short sentence. Spoiler alert - here goes:

“Cloud computing offers far more extensive security than any law firm could provide on its own.”

Our take:

We agree. Call us biased - Authentic8 built its secure Browser-as-a-Service based on the idea that most thin-stretched in-house IT teams and outside consultancies have nothing on a dedicated IT security service in the cloud that is centrally managed by specialized professionals.

Authentic8’s secure remote browser Silo, for example, shifts the attack surface from the local IT to the cloud, where all content is processed securely in an isolated container.

When users access a website through Silo, no code, whether benign or malicious, can find its way onto the local computer.

In this example, the Authentic8 cloud assures isolation and neutralization of any web-borne threats, without exception. Only a visual representation of the page (pixels) is transmitted back to the endpoint, via a fast encrypted connection.


Legal Executive Institute (Thomson Reuters): Is the Cloud More Secure Than You Think? [PDF] Whitepaper


3. Checklist: Cybersecurity for Law Firms

Inspired by a talk Bob Ambrogi gave on IT security for law firms, practice management software company Merus came up with a useful checklist for IT managers in small and medium-sized law firms.

The 10+ Tips to Improve Your Security on MerusCase.com provide a basic roadmap of which steps to take.

Merus Infographic: 10+ Tips to Improve Law Firm Security

Our take:

Re. Tip # 9, “Move to the Cloud” - check out the Authentic8 whitepaper IT vs. Users: How Law Firms Can Maximize Security While Granting Access the Web. It describes in detail why law firms increasingly turn to cloud-based, centrally managed secure browser solutions.

Download the infographic:

For law firms: 10+ Tips to Improve Your Security


4. Data Security Top Concern of Law Firm Clients

84% of the law firms who responded to the Fifth Annual Survey on Trends and Opportunities in Law Firm Outsourcing are making technology investments in response to client pressures around cybersecurity, and 64% report that technology investments are impacted by client demands for digital workflows.

The 2017 edition of the annual survey by consulting firms Williams Lea Tag and Sandpiper Partners captures a watershed moment in law firm innovation. Use of technology as a strategy and for cost savings among the respondents (mostly ALM 150 and large U.K.-based law firms) has skyrocketed over the past five years, from 41% to 64% and 25% to 67% respectively.

2017 also marks the first year of the past five in which more respondents (51%) plan to increase support staff, a trend reversal driven by the pressure to innovate while strengthening data security for the digital assets of firms and clients.

Headcount increases that are likely to have a direct impact on the cybersecurity posture of law firms were planned for general IT/technology functions by 62% of the respondents and for dedicated cybersecurity and data protection roles by 35% of the polled law firms.

Our take:

Digital transformation and a focus on cybersecurity are no longer optional but mandatory for law firms that want to stay relevant. To those still sitting on the fence, the growth of IT security budgets and cybersecurity recruiting planned by the majority of survey participants sends a clear message. Still, two important questions remain.

First, how are the legal industry’s thriving third-party vendors prepared to protect the client data they are entrusted with? Law firm IT leaders may find these insights from our blog helpful: 5 Vendor Risk Reports Every IT Leader Should Read.

And second, while more law firms are looking for cybersecurity professionals this year, this does not necessarily mean they will actually find them.

Given the limited number of qualified candidates, law firms find themselves competing for scarce IT security talent with other industries willing to pay top dollar. This puts additional pressure on law firm CISOs to maximize security while saving money, for example by deploying a centrally managed remote browser that frees up IT resources for other critical tasks.


Williams Lea Tag / Sandpiper Partners: Fifth Annual Survey on Trends and Opportunities in Law Firm Outsourcing [PDF] Survey


5. Cybersecurity Guidance for Outside Counsel

Does your legal department oversee how sensitive company data is handled by external providers of legal services?

Then we recommend downloading the guidelines published by the Association of Corporate Counsel (ACC) earlier this year on data retention/return/destruction, data handling and encryption, data breach reporting, physical security, employee background screening, and cyber liability insurance.

ACC represents more than 42,000 in-house counsel in 85 countries. Its guideline manual, Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information, was published to set benchmarks for the safe handling of corporate data by law firms.

Model requirements are based on ACC members' experience, past data security audits, and learned best practices to ensure that sensitive client data remains confidential. ACC issued the guidelines shortly after reporting its Chief Legal Officers (CLO) 2017 Survey findings.

The survey found that information privacy and data breaches/protection of corporate data were ranked as "very" or "extremely" important by two-thirds of Chief Legal Officers (CLOs) and general counsel (GCs).

Since 2014, the percentage of GCs and CLOs who ranked safeguarding against data breaches as "extremely" important rose from 19 percent to 26 percent in 2017. More corporate law departments now conduct data security audits when they retain a new law firm.

The growing number of cybersecurity audits for law firms reflects the rising concerns of the more than 25% of in-house lawyers who are - according to ACC research - "not confident" or "not sure" regarding their law firms' data security.

Our take:

The baseline data security measures and controls published by ACC provide companies with a benchmark to draw up their own requirements for outside counsel or when initiating a law firm security audit.

They can help your legal department establish a process and set expectations with external partners on how to protect the company’s confidential information.

Read / download:

ACC: Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information [PDF] Guidelines