The Cobbler’s Children

Lawyers are not good at everything simply by virtue of having attended law school. That passing the bar constitutes a limited certification should be a banal observation. Yet, we are shocked anew whenever lawyers do not prove immediately adept in some facet of business or technology. Lawyers are so good in their domain and have such high social status that they are often afforded a presumption of competence in areas where they are not expert. This presumption, and the effects of its puncturing, has been in evidence as clients discover that their law firms are the soft underbelly of cybersecurity.

Cybersecurity has been much in the news given the events at Sony, Target, J.P. Morgan Chase, Home Depot, et al. I recently attended a conference and was addressed by a lawyer with a well-deserved reputation on the topic of data security, who recommended, among other things, that the assembled in-house lawyers take steps to ensure that corporate employees were not using personal Dropbox accounts to move sensitive files from work computers to personal devices. That is sound advice worth heeding. But it is also easier said than done.

Despite this lawyer knowing more about the relevant laws than I ever will, I possessed some inconvenient facts of which he was unaware. Specifically, I knew that there were more than 1,200 personal Dropbox accounts associated with his law firm’s domain. That is, the lawyer’s firm was doing with client data precisely what the lawyer was advising clients to prohibit. The cobbler’s children had no shoes.

Despite the snarky observation that law school is a refuge for rich kids who don’t like math (or science or technology), it is unsurprising that law firms should struggle with the very real challenge of securing data. Welcome to the club. Every sizeable organization faces the problematic tradeoffs, competing considerations, and unintended consequences of trying to dam the river of sensitive information. Implementing comprehensive data security protocols is genuinely hard, demands distinct domain expertise, and, with the ceaseless advancement of technology, is a job that is never done.

The real surprise is the failure of law firms to follow their own advice. Indeed, despite many of their CIOs publicly calling for a more proactive approach, law firms did not seem to take cybersecurity seriously until clients started conducting data security audits. The audit results were disastrous and disconcerting. After all, it was law firms who had first advised the clients that it was necessary to conduct third-party data security audits. And it was law firms who simultaneously argued—successfully, for many years—that they themselves should be exempt from such audits because, well, you know, they’re the lawyers.

Part of the trouble is that incentives work. As long as clients didn’t care about law firm security, law firms didn’t care to the point of expending real, not-directly-recoupable resources to address the issue. Moreover, in failing to introduce enterprise-wide controls, the law firms likely succumbed to the same type of presumptions that long kept clients from auditing their law firms. As organizations, the firms did not consider it necessary to force their individual lawyers to behave in a certain manner when the lawyers should already know better. But, again, knowing better and doing better are not the same thing. And cybersecurity is an area where the individual tradeoff calculus diverges from the decisions that are defensible at the enterprise level. On a personal level, most people are inclined to trade security for convenience. And lawyers are people. Dropbox and similar services are popular because they make certain tasks easier. Taking away easier is not easy.

We increasingly rely on lawyers for more than their legal acumen. We rely on their capacity to accurately assess large volumes of corporate data (e.g., due diligence, e-discovery), their ability to secure that data, and their facility to leverage technology to get through those large data volumes in a cost-effective manner. We ask our lawyers to excel in areas in which they are not formally trained. With respect to the nonlegal aspects of lawyering, the presumption of competence is rightly giving way to a different dynamic: trust, but verify.