The current information security environment is hostile to organizations seeking to ensure information integrity of the confidential legal content their law firms hold and generate. Hackers see professional services firms such as law firms and CPAs as the number one industry to target with ransomware attacks. In fact, professional services firms experience more than twice the number of attacks than the second-highest industries: Healthcare and the Public Sector. Consequently, the cybersecurity environment is getting worse for law firms every day. As proof, we have seen numerous legal industry companies – firms and vendors – suffer severe attacks in the past 18 months. 

Cybersecurity is currently the number one concern of Chief Legal Officers, according to the 2021 ACC CLO Survey. And while no defense is perfect, legal operations and law departments must ensure that their law firms maintain confidential information integrity and secure the organization’s data to the maximum extent possible.

While no defense in perfect, legal operations and law departments must ensure their law firms secure the organization's data to the maximum extent possible.

In part one of this series, we discussed why law firms are soft targets for cybercriminals, identified gaps in organizations’ current approach to evaluate vendor security, and explored five fundamental questions to ask when vetting law firm cybersecurity practices. Now, let’s dive into the steps chief legal officers and general counsel can take to evaluate their law firms’ information security readiness, ensure confidential information integrity, and lower the organization’s risk of cyberattacks.

Law Firm Engagement Agreement and Guidelines

The first step is to review your agreements with your firms. Your Confidentiality provision and provisions on information/data security should clearly state the standard of evaluation for the firm and the expectations of performance regarding the above questions. And while it might go without saying, the information security requirements for your law firms should be at least as strict as your organization’s internal standards. So, it would be good practice to reach across your organization to the department that oversees information security to confirm that the provisions are consistent with corporate policies.

Your engagement letter or law firm guidelines likely contain language outlining the organization’s expectations in terms of confidentiality and level of care, as well as a right to audit or review of the firm’s practices. However, we strongly suggest adding specific requirements for compliance and certification. Standards like ISO 27001 or frameworks like NIST CSF or NIST 800-171 create and enforce a “best practices” mentality at your law firm. Certification from an outside auditor adds confidence that the law firm has implemented the policies and procedures necessary to maximize information security readiness. Implementing these frameworks helps the firm as well: certain states, such as Utah and Ohio, are establishing “safe harbor” provisions for organizations that can verify they meet ISO or NIST requirements.

Certain states, such as Utah and Ohio, are establishing "safe harbor" provisions for organizations that meet ISO or NIST requirements.

Assessing Information Integrity at Law Firms

The next step is to assess your organization’s current knowledge of the law firms’ infosec posture and policies. This very standard evaluation is most likely part of your internal IT/IS risk assessment procedures. It is the best first step in evaluating your law firms. Legal operations should work with IT/IS to confirm the extent of firms’ evaluations and understand the relevance and applicability to Legal Operations. One point to make is that if your organization only performs information security evaluations on a sampling of its vendors, a best practice approach strongly recommends you conduct a vendor assessment of every one of your law firms. As we have emphasized throughout this series, the data your law firm has – both direct and derivative – is fundamentally different from your supply chain vendors. As such, you should confirm that every law firm housing any of your data has completed an assessment.

The data your law firm has - both directly provided and derivative - is fundamentally different from your supply chain vendors.

Answers to standard IT cyber risk evaluation questions can be a good starting point for law firm assessments. However, those answers only tell you what plans, technologies, and protocols the firm put in place to protect against cyber threats. The evaluation data doesn’t allow you to validate that those controls are actually being used and followed in day-to-day operations.

Based on the insights you glean from the IT risk assessment, you may decide that a more intensive vendor risk assessment, specific to law firms and legal data, is needed. Further, an assessment is just that. Legal departments should also understand what documentation has been provided, such as a certificate of compliance or an internal audit report. Based on that documentation, you can decide if an audit is needed.

Triage Your Firms’ Information Confidentiality Risk

Not every one of your law firms will have the same risk profile. And if your panel includes dozens of firms, it may be impracticable to do comprehensive evaluations on all of them. Consequently, you should “triage” your firms to establish which firms require the most attention. The triage formula is relatively simple: you assess the level of risk against the cost of exposure. High risk and high exposure require immediate attention.

The level of risk can be assessed to a great degree from the vendor assessments and supporting documentation, but some indices of lower risk can be:

  • Is the law firm certified by an external auditor in a recognizable standard, such as ISO 27001?
  • Do they have a designated Chief Information Security Officer?
  • Is Information Security a separate function from Information Technology?
  • Do they train every employee on cybersecurity threats at least annually?
  • Do they have a disaster recovery plan?

While not exhaustive, one can easily see the difference in firms who answer “yes” to each one compared to those with five “no” answers.

Indicators of Lower Information Security Risk

One way to think of the cost of exposure can be simply the amount of work a firm does for you. However, we suggest “risk weighting” the type of work; in terms of information security, commercial contract work may be seen differently than human resources litigation or intellectual property work. Each company should make those decisions based on their matter profile. And to be clear, these are judgments. As much as one would like a hard and fast rule about what constitutes “risky,” there is none.

The difficulty with this approach is that you can be lulled into a false sense of security (excuse the pun) with firms that are well prepared or with ambiguous evaluation results. The latter is often used as a reason to avoid difficult conversations with firms that are clearly not prepared. The only certainty is that a conversation after a breach is far worse.

Remediation: Auditing to Boost Law Firm Information Security Posture

There may be firms that pose an unacceptable level of risk. At this point, you have two primary options. The first is to discontinue working with that firm. The second is to insist on a remediation process to meet a level of information security acceptable to you.

Assuming you chose the latter, remediation should be based on the following objectives:

  • Ensuring that the firm fully commits to information security
  • Ensuring that the firm can document the locations/systems where your data is stored
  • Designate a person at the firm who is responsible for data integrity and privacy
  • Implement a straightforward procedure for provisioning access to your data
  • Implement clear rules for retention and deletion of data

Some of this information may come from the vendor assessment done by IT/IS. Uncovering answers to additional questions may require a deeper audit. If you are considering an audit, your process should:

  • Confirm the claims in the vendor assessment,
  • Identify a standard of information security readiness that meets your needs,
  • Identify the gap between where a firm is and where it should be, and
  • Provide an agreed procedure to bridge those gaps and strengthen areas of concern.

A commitment to information security is the most fundamental aspect of the audit and remediation process. It is vital to make sure that the law firm’s leadership takes information security seriously. The managing partner and executive committee set the tone for the firm. If they do not commit to a culture of security, no one else in the firm will.

Effective audits are intrusive. Audits can be expensive. Without a genuine commitment and recognition from the firm’s leadership that ensuring your data is secure is part of their commitment to attorney-client privilege and a necessary part of your relationship, any time and money spent on an audit will be for nothing.

The managing partner and executive committee set the tone for the law firm. If they do not commit to a culture of security, no one else in the firm will.

Summary

In part one of this series, we discussed how the threat against law firms from cybercriminals is deliberate and growing. In addition, we touched on some gaps in the current approach to vendor risk, specifically law firms. In this follow-up post, we outlined areas organizations can assess and recommended certain steps you can take to ensure your outside counsel and legal ecosystem is as secure and maintains the integrity of your confidential information.

Cybersecurity is a multifaceted discipline. Most companies focus on defense – ensuring their systems and data stores are as secure and impenetrable as possible. But while robust endpoint security is a given, organizations should take a page from the consumer privacy playbook. Require that your firms enact policies and procedures to understand and limit data in relation to place (storage), people (access), and time (retention). That way, in the event an attack breaches a firm, exposure is limited.

To limit exposure, require that your firms enact policies and procedures to understand and limit data in relation to place (storage), people (access), and time (retention).

The cost of a breach can be high in terms of money, dislocation, and reputation damage. Thus, risk-rating your law firms must be an integral part of your panel evaluation process. A particular firm may drive good outcomes within budget, but if they do not take information security seriously, everything can come crashing down with a few clicks of a mouse.

Interested in taking the first step in evaluating the information security practices of your law firms? Start with our downloadable worksheet, 20 Fundamental Questions to Ask: Evaluating Information Security Practices.

Download: 20 Questions to Ask When Evaluating Information Security

EXTEND Resources helps organizations like yours secure their assets, create a robust security program, become certified for information security compliance, and continually improve their program to protect against evolving threats — including law firm and vendor risk. Contact us to learn more. 

Steve Henn
shenn@extendresources.com
203.803.2127