The Wall Street Journal recently published an interesting article discussing a growing trend among law firms – some firms are promoting their expertise regarding cybersecurity and computer forensics. By partnering with a law firm to investigate data breaches and IP theft, clients receive the benefit of attorney-client privilege and are in a better position to respond to breach-related disclosure laws.
On the face of it, this certainly seems like a good idea for the firm’s clients. Many states have recently enacted laws requiring public disclosure when a data breach occurs, and a law firm is obviously in a good position to interpret these laws and disclose accordingly. But it’s also important to remember that attorney-client privilege does not protect all communication between firm and client – privilege applies to communication that conveys legal advice, so don’t think of improperly using your counsel as a shield against disclosure.
It should also be noted that law firms are a popular target for hackers – not only do they act as an aggregator for multiple companies’ sensitive data, but they also often have less robust security in place than the companies they represent, making them a more appealing target for attack. As a firm’s client list grows, so does the likelihood the firm will be targeted – an unfortunate consequence of success.
So from my perspective, I’d take the WSJ’s article with a grain of salt. Because law firms have traditionally been less secure than their clients, and because they collect data from so many different clients, you may want to investigate your firm further before entrusting them with your data. Have they passed a pen test? Have they been breached in the past? Do they participate in regular audits, and how stringent are those audits?
For law firms, security is a risk that should not be taken lightly. If a hacker is able to gain access to a firm’s network, what might they have access to? Obviously there are some things that can be useful to a run-of-the-mill attacker – maybe some financial documents or intellectual property such as client lists or trade secrets. Imagine if an attacker had access to all the documents and coding within a firm’s eDiscovery platform!
Because the size and scope of data is rapidly expanding (IBM estimates that 90 percent of quantifiable data in the world today has been created in the last two years alone), it’s important to keep track of where your data is, and how it is being secured. It’s much easier to spend the time and effort on preventing data loss than it is to respond to a breach. And once the data is out of your control, it won’t necessarily matter who your legal counsel is.