THOMSON REUTERS LEGAL EXECUTIVE INSTITUTE
ENHANCING CYBERSECURITY AND AVOIDING
DATA BREACHES: WHAT CAN LAW FIRMS DO?
Law Firms Counsel Patience, But GCs and Clients Want Assurances
By Gregg Wirth
Abstract: The news of recent high-profile law firm data breaches may have
left corporate legal team leaders with fears of data breaches by hackers,
especially at their outside law firms. This white paper examines what law
firms can do to reassure clients and what actions corporate clients will want,
beyond assurances.
The news of recent high-profile law firm data breaches – long suspected and feared, but
seldom confirmed – may have left corporate legal team leaders with their heads in a spin.
In recent months, fear of cybersecurity issues and data breaches by hackers has greatly
increased among corporate legal teams, especially over the vulnerability of their outside
law firms and the third-party vendors those firms may employ.
Within a period of several days in late March and early April, news broke that hackers had
breached security at law firm giants Cravath, Swaine & Moore and Weil, Gotshal & Manges
in search of nonpublic M&A deal information that could be used for illegal trading. Cravath
admitted a “limited breach of its IT systems,” which occurred last summer, while Weil has
thus far declined to comment.
CYBERSECURITY NOW “TOP OF MIND”
One General Counsel at a major Fortune 500 company suggested that because of these
recent breaches, cybersecurity issues at outside law firms would be foremost on the minds
of corporate counsel, especially if they weren’t in the past. “It is going to be a focus for all
companies now,” the GC said, asking not to be identified. “If it wasn’t at the top of mind
before, it will be now.”
The news about Cravath and Weil followed similar news reports about a Russian cyber-hacker
who had sought to break into computer systems at 48 top law firms – many in
the Am Law 100. The hacker also was looking for deal information he could use to profit
in the stock market.
Finally, the big shoe dropped this week when Panamanian law firm Mossack Fonseca
suffered a massive data breach in which more than 11.5 million documents were leaked from
the firm and shared worldwide by a group of investigative journalists. The International
Consortium of Investigative Journalists (ICIJ) had been working with the leaked documents
for more than a year as they sought to expose government corruption and tax evasion by
individuals and companies that had taken advantage of Mossack Fonseca’s specialty of
setting up anonymous offshore companies.
While there may have been different – and some would argue altruistic – reasons for the
Mossack Fonseca breach, a data hack is still a hack. Indeed, one that may leave general
counsels wondering if anything out there is hacker-proof and asking themselves what, if
anything, can be done to make sure their outside law firms don’t give criminals a back door
into their corporate secrets.
GCS UNNERVED BY HACK ATTACKS
“I think general counsels are unnerved about these attacks, especially if they are in an
industry, like the banks or pharma, that hold the kind of information that is of great value to
hackers, or, in the Panama Papers case, a firm that may be targeted by ‘hacktivists,’” said
Philip N. Yannella, a leader of the Privacy and Data Security Group at Ballard Spahr LLP.
Yannella said he has heard anecdotally that more corporate legal teams are checking with
their law firms in recent days to ensure that proper cybersecurity measures are in place,
especially if the client was involved in M&A or trafficked in other valuable information.
“Cybersecurity has been on corporate counsel’s radar for a while,” he said. “But I think
after this news, you’ll have a lot more companies reaching out to their law firms and asking
about security, requiring audits and tests, and asking to be walked through what the firms
are doing in terms of protection.”
This situation forces corporate clients to treat their law firms like vendors – which of course
they are, but that is not a role in which law firms like to see themselves. “And if a law firm
doesn’t comply or is slow to comply, the client could threaten to pull the work,” Yannella
said, adding that is a situation no law firm wants to face.
However, it hasn’t yet come to that – at least on a large scale – and there is evidence that
both law firms and their clients realize they are in this together. Indeed, several legal experts
advised that blaming outside law firms or wanting firms alone to “fix” this problem is not
the solution for companies. In fact, many GCs have already admitted that their companies
have experienced a data breach, according to a report last year from the Association of
Corporate Counsel (ACC) Foundation, which supports the mission of ACC, a global legal
association representing more than 40,000 in-house counsel in 85 countries.
Rather, experts advise that corporate legal teams should work closely with their law firms to
determine if there are any cybersecurity issues to be concerned about and what to do about
data breaches if they should occur.
Kimberly Leach Johnson, Chair and Managing Partner of Quarles & Brady, wrote a previous
blog post supporting industry standards for law firms and their corporate clients that would
allow clients to determine law firms’ cybersecurity preparedness. “[I]t would be terrific if the
major industries requiring security audits could agree upon best practices and develop a
standard template – we devote a tremendous amount of resources to responding to these
audits, including tying up our technology department for weeks providing the information,”
Johnson wrote. “We understand their importance, but the legal industry needs a more
efficient response to client concerns.”
Yannella, whose firm has underwritten the ACC’s survey, said that most clients and law firms
know that working together is the best way to be prepared for any hack attack. “But they
also have to remember that a truly motivated bad actor, given enough time, usually cannot
be stopped completely,” he said. “There really is no way to have absolute security.”
And that thought may have corporate legal teams’ heads spinning again.
ONE THING LAW FIRMS ARE DOING …
HIRING OUTSIDE CYBER-EXPERTS
By Erin Arvelund
Are law firms hiring nonlawyers in the C-suite? Apparently, it’s a trend,
particularly in cybersecurity. So why now?
Two reasons: The Federal Trade Commission (FTC) has waded into regulation of public
companies in cyber- and data-privacy matters, and many law firms need the technological
expertise of an outsider to meet their clients’ needs in risk management.
Ari Schwartz is Exhibit A in this trend. He was hired by Venable LLP in Washington, D.C.,
and was quickly followed by John Banghart, Venable’s Senior Director for Technology Risk
Management. Both men have decades of federal government and private-sector
experience in cybersecurity.
Now Venable’s Managing Director of Cybersecurity Services, Schwartz worked in government
as a top White House National Security Council official. Working together in the White
House, Schwartz and Banghart had experience in risk management, government policy,
standards and regulatory compliance, and incident management. They’re helping address
cybersecurity issues within major government programs and institutions. Prior to joining
Venable, Banghart was Senior Director for Trusted Engineering for Microsoft®. He coordinated
teams to oversee strategy for government adoption of Microsoft’s Azure cloud services.
Part of the implementation involved meeting strict federal and U.S. Defense Department
compliance requirements.
“There are a lot of companies that need some help. They need a better understanding of
what’s expected of them in cybersecurity and how to prioritize,” said Schwartz. “That’s really
the discussion we’re having now, how to do risk management in this space.”