The American Bar Association released its 2015 Legal Technology Survey last week with one of the main takeaways being that companies and their law firm partners need closer cooperation to improve information security.
GLBA, PCI DSS (Payment Card Industry Data Security Standard), HIPAA, and most recognized security standards require covered entities to carefully vet and work with third-party vendors to assure the use of sufficient information security controls. Yet, as a survey from the ABA reveals, most companies are not doing so and many law firms do not see the need.
Approximately 52 percent of respondents from firms with 100 or more attorneys said they did not know whether a client had ever requested a security audit or asked their firm to verify security practices. Moreover, according to the survey, an even larger number of respondents were unaware of whether their firm had ever had a full security assessment conducted by an independent third party.
The survey also showed that few attorneys are concerned about cyber security. For example, more than 80 percent of the survey respondents from firms with more than 100 attorneys said they were unaware of whether their firm had cyber liability insurance. Overall, only 11.4 percent of participating attorneys said their firm had cyber liability insurance.
However, the need is real. In a report issued earlier this year, Citibank warned that it was “reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies.” The ABA survey results indicated that firms with more than 100 lawyers experienced a significant jump in reported breaches. The survey defines “breaches” as everything from a lost or stolen smartphone to a break-in or website exploitation.
Approximately 880 lawyers participated in the survey between January and May 2015. The report is over 700 pages and contains numerous data points about technology and security. The survey indicated that more than 75 percent of law firms with 100 or more attorneys have a chief information security officer or a staff person with responsibility for data security.
Sound cybersecurity depends on a holistic, team-based approach, which includes the active participation of all parties that store, use, transfer or disclose confidential information. Whether it is sensitive personal information or trade secrets, it is important for companies to assure themselves that all participants have adequate information security controls, including their law firm partners.