Follow ACC Docket Online:  

Cybersecurity: The Achilles Heel of Today’s Global Law Departments

The relationship with outside counsel and fear of shareholder lawsuits tend to dissuade corporations from pursuing viable cybersecurity-related malpractice claims against their law firms. However, as global enterprises are increasingly harmed by cyberattacks against their outside counsel, they may become less likely to accept such losses as a cost of doing business.

As corporations globalize, so do law firms, which are asked to provide legal advice across multiple national jurisdictions. They must work with foreign colleagues they barely know, and whose level of cyber-awareness and sophistication may contribute to cyber-vulnerability. Despite their claims to the contrary, law firms, by and large, continue to organize their services by practice area and geography.

Chances are, unless operating in a technology-savvy environment, in-house counsel’s focus when engaging law firms is on getting prompt advice at an acceptable billing rate. Given time pressure and budget constraints, outside counsel’s cybersecurity hygiene is a secondary concern.

Further, large multinational enterprises have “preferred counsel” or “approved counsel” programs that are negotiated at headquarters; financial considerations are paramount. Once in place, their use is effectively automated, meaning, practically, only an adverse event will prompt scrutiny of a law firm’s security practices.

Law firms have been deemed by one general counsel as the “underbelly” of cybersecurity. Lawyers are prime targets for cyberattacks because they collect and share clients’ sensitive data, value their professional autonomy, work on short deadlines, and tend not to be technologically sophisticated. In addition, for various reasons, lawyers will often not to comply with cybersecurity procedures established by IT professionals.

Survey data indicate that law firms are spending more on cybersecurity. The added-challenge for law firms is how to pass to their clients the costs of more robust cybersecurity. Personnel, equipment, and ongoing expertise sourced from consultants are fixed costs that in-house counsel will assume to be included in the agreed billing rate. Given the competition for legal work, there will be little flexibility on rates. Every additional dollar spent on cybersecurity adversely affects a firm’s profitability.

Only about one third of law firms have cyber-insurance; the majority of law firms do not regard the cyber-insurance policies available in the marketplace as offering adequate amounts and types of coverage. They prefer to self-insure against the most common cyber threats and develop their cyber-defenses without the assistance of insurance companies, except when they are acting in an advisory role.

The capital structure of most global law firms makes it unlikely that, unless compelled — by events or regulation — to do so, they will make cybersecurity a priority. Their ability to compensate clients for cyber-claims will suffer accordingly. This will not only harm their clients but can have a massive ripple effect on other businesses. Computer viruses can also infect courts, governmental bodies, and non-governmental organizations.

The World Economic Forum recently issued its Regional Risks for Doing Business 2019, which identified cybersecurity as the most significant threat corporate executives face in Europe and North America. Among these cyber-risks are a business interruption, corporate espionage, data theft, and ransomware. Appropriately, corporations are investing more resources in cybersecurity (e.g., hardware, software, training) and collaborating more with law enforcement and one another. However, there is no guarantee that these defenses will be enough.

Back in 2016, the US Council of Economic Advisers estimated that the cost of malicious cyber activity to the US economy was between US$57 billion and US$109 billion (i.e., roughly 0.35 percent to 0.67 percent). This loss was roughly comparable to the loss of Hurricane Irma at the low end and Hurricane Maria at the upper end. The Center for Security and International Studies estimates this figure at more than US$600 billion.

Cyberattacks are seldom immediately identified and addressed. Thus, law firms whose cyber-defenses are breached are at risk of sequential attacks. According to one Dark Reading article,

“Studies conducted by incident response service providers or endpoint detection and response vendors suggest an average of 78 to over 100 days [to respond to an attack], while survey respondents that are highly familiar users of deception technology reported dwell times as low as 5.5 days. Seventy percent of respondents highly familiar with and currently using deception technology rated their organizations as highly effective as compared to 49 percent reported from the aggregate of all users, including deception technology users.”

Perhaps this is why some law firms have been successful in developing niche practices advising law firms on how to establish sound cybersecurity practices, evaluate their possible needs for cyber insurance, and manage all aspects of their response to cyberattacks — lawyers are likely to listen to other lawyers.

In the United States, the practice of law is regulated at the state level, but in general, state bar associations or other regulatory authorities lack the expertise to establish cybersecurity norms, preferring that law firms’ clients establish the relevant rules and procedures on an individual basis typically set out in retainer agreements.

As there are no uniform guidelines on cybersecurity for US lawyers, the American Bar Association (ABA) Cybersecurity Legal Task Force has sought to fill this space in part by issuing advisory opinions, organizing conferences and events, publishing books, and producing a vendor contracting cybersecurity checklist that could be adapted for law firm use.

Of course, as a private membership organization representing only a minority of the legal profession, the ABA’s influence is limited. Furthermore, the ABA has no authority to impose cybersecurity norms on its members, nor does it want to develop a high hurdle for them.

The absence of clear cybersecurity standards for law firms presents the issue of what standard of care can clients expect from their lawyers. In 2017, ACC released a document containing model controls to aid in-house counsel in setting expectations concerning the types of data security protections their vendors, including lawyers, should observe.

Often the rules governing cybersecurity for many law firms arise from their clients’ must comply with federal (e.g., the Securities and Exchange Commission) or state (e.g., the New York State Department of Financial Services, 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies) regulations.

Lawyers are expected to follow “reasonable” cybersecurity practices. Reasonable people will disagree about what this means. Cybersecurity specialists advocate for the use of risk-based cybersecurity frameworks such as the NIST, COBIT, or ISO 2700, in contrast to using rule-based approaches. Lawyers and their law firms may be unable or unwilling to develop and put into force a universally high standard of cybersecurity for all its personnel in all its officers or at least one comparable to that their clients have.

It is unrealistic to expect corporate clients to acquire the means to effectively monitor their outside counsel’s cybersecurity 24/7, in part because this may be unacceptable to their other clients. Perhaps to resolve this predicament, corporate clients who believe their cybersecurity is superior to that of their outside law firm should be encouraged to “in-source” cybersecurity since they are likely to believe that their outside counsel will not always follow best practices.

Most large multinational corporations have a high degree of confidence in their own security policies, processes, and personnel. The issue of how much effort corporations put (or should be required) into ensuring that their outside counsel meets acceptable cybersecurity standards may thus be possibly bypassed.

These corporate clients should require their outside counsel to work entirely on client-controlled premises and not allow data to migrate outside the clients’ IT and communications systems. This action would shift a considerable share of law firm cyber-risk to their clients.

Further, law firms should grant to particular clients the right to conduct cyber audits and perform due diligence on their outside counsel and staff to reduce concerns about the risk of “insider threats” (accidental or intentional), provided precautions are taken to protect other clients’ confidential data.

It is a major challenge for management at large international, multi-office law firms to maintain a uniformly high level of cybersecurity. This situation is unlikely to change.

Law firms must develop and observe viable cybersecurity protocols for working with and sharing information internally and with their clients to reduce their vulnerability to cyberattacks and the likelihood of disputes with their clients resulting from such attacks when they occur. The failure to do so will lead to complex and expensive arbitration and litigation where neither side can be fully confident of prevailing on the merits and being made whole.

Practical considerations: 5 cybersecurity questions to ask outside counsel
  1. To what degree do outside counsel’s actions conform to the controls identified in ACC’s Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information (the “controls”)?
  2. Has outside counsel used a cybersecurity technical auditing firm to design its operations to conform to the control’s requirements with the aim of effectively managing risk, if not describe the process by which this occurred? Would outside counsel object if the general counsel offered to hire such a firm to perform this task?
  3. Does the content of outside counsel’s information security policies, standards, procedures, and guidelines (“compliance documents”) conform to the relevant requirements?
  4. Does the law firm have a system for monitoring to what degree its behavior conforms to the requirements set out in compliance documents and correcting for deviations? To what extent may general counsel participate in this monitoring process?
  5. Is it viable for general counsel to require certain of outside counsel’s operations to take place on premises controlled by the corporation with the corporation providing all cybersecurity functions itself or outsource these functions to a third party?

About the Authors

Geoffrey K. James is an in-house counsel at AT&T’s International Law Group.

Ethan S. Burger is a Washington, DC-based legal counsel and educator with a background in cybersecurity, professional responsibility, and Russian-legal matters. He is currently an adjunct professor at the Institute of World Politics.

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.