Crossroads Blog | CYBER SECURITY LAW AND POLICY

Cybersecurity, Data Breaches, Data Security

Data Privacy and Law Firms

BigLaw In Crosshairs As Firm Plans Data Breach Litigation (Law360): A recent article in Law360 by Aebra Coe indicates that two large law firms, Swaine & Moore LLP, and Weil Goshal & Manges LLP may be facing class action malpractice litigation as a result of their recent data breaches.  In this article, Coe reports that Jay Edelson’s law firm, Edelson PC, assembled a team of forensic engineers and attorneys with technology and privacy expertise to build a lab designed to identify key vulnerabilities in the corporate world.[1]  According to the article, based on the team’s research, Edelson’s firm reportedly told law firms that they are attractive targets to hackers for the following reasons:  (1) law firms often have critical and confidential client information on their internal systems; (2) law firms are often behind the curve on technology, and therefore have relatively insecure data security and network protocols and processes; (3) even where firms have security measures in place, getting the more-seasoned partners to follow these practices is often a non-starter.  The full text of the article is here.


 

Commentary:

As society in general and the legal sector specifically continues to adopt, and embrace technology, privacy issues will continue to be an important concern.  While this article specifically addresses BigLaw firms, this problem faces firms of all sizes including the solo practitioners.  When we lived in the purely physical world of paper and files, we could touch and feel information and it was almost intuitive to address security.  A locked briefcase, a locked filing cabinet, a document retention policy coupled with a secure shredding service and a lawyer was good to go.  As we move to an increasingly virtual world with the ability to store thousands of pages of documents on miniature thumb drives, or in the cloud, on our laptops, our smartphones, suddenly sensitive client data has gone from a piece of paper and perhaps a copy or two to documents seemingly everywhere.

Having worked previously in the technology sector I would argue that only the very biggest Law firms can, or should have the in-house expertise to handle data privacy and to manage their information security.  However, even for the largest law firms this is still going to represent a cost-center which is somewhat antithetical to the whole concept of billable-hours and viewing things in a binary fashion (is this a source of revenue for the firm?  If not, it is a cost).  That being said, until attorneys begin to view cybersecurity and data privacy as necessities, no different from liability insurance or any other recurring overhead expense, they will continue to put their clients and themselves at risk.  Attorneys need to consider the ethical considerations related to the retention and use of confidential client data and if they fail to do so they risk the loss of trust as well as potential litigation.  Here, I would argue that outsourcing makes a great deal of sense for all but the largest law-firms. Let the specialists perform an audit, create a baseline and then move your firm to a state of “reasonable” data security and overall cybersecurity.


 

[1] Edelson is founder and CEO of the law firm, Edelson PC.  For several months, Edelson’s firm has been looking into potential class action litigation against unnamed firms with respect to data breaches.  Edelson’s lab arrived at the conclusion that the legal industry and the health care sectors are some of the most likely to be targeted by hackers, according to the Law360 article.

Leave a Reply