Law firms are investing more money in information security these days because their clients are effectively demanding it.
More than 2 in 5 lawyers (41 percent) recently interviewed by Robert Half Legal were planning to spend more on information security-related tools and services in the next 12 months.
This new spending can be painful for IT personnel who have to answer for both their firm’s rising technology budget and for any security breaches that happen.
Information security now accounts for about 35 percent of the annual IT budget (and equates to one percent of revenue) at the New Jersey firm Norris, McLaughlin & Marcus, according to the New Jersey Law Journal. “It was tough in the law firm to sell the litigators who have traditionally run the firm,” said Mike Blumel, the firm’s information technology director. “That took a few months of back and forth,” he added, and, in some cases, “arms getting twisted by our clients.”
Audits, RFPs and checklists
One way for a client to twist arms is with an unexpected audit of their law firm’s security program. If it happens to you, don’t be too surprised: 97 percent of security leaders at businesses formally evaluate the security practices of their vendors, partners, law firms, and third parties that interact with their data, according to a survey by Ari Kaplan Advisors and Ankura.
As one of those often-evaluated parties ourselves, we support the scrutiny. In fact, we recommend that corporate legal departments and law firms employ strong RFPs (and audit checklists) that interrogate vendors on the nitty-gritty details of their security policies, plans, practices and technologies. Areas to look at include:
Law firms might also “consider hiring subject matter experts to help them navigate the complexity and challenges of cyber threats and regulatory changes to minimize risk to the organization,” recommends Robert Half Legal’s executive director, Jamy Sullivan.
One major change to the regulatory landscape is the European Union’s General Data Protection Regulation (GDPR), which significantly strengthens individuals’ data privacy rights. GDPR applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location. The penalties for non-compliance can be staggering – up to €20M or 4 percent of global revenue for an upper level infringement.
Relationships between legal and information security professionals appear to be forming with some frequency, manifesting as go-to-market partnerships meant to strengthen the risk-management practices and information security controls of the target clients.
For example, The American Lawyer reported in April on a trend of law firms partnering with information security vendors to cross-sell security services to the firms’ legal clients. One information security company, FireEye Inc., has set up formal and informal partnerships with 25 law firms in the past few years, including five Am Law 100 firms, the publication reported: “Since it started the partner program, and as a direct result of it, FireEye has boosted its annual revenue by double-digit millions,” Kukoda said. “The company’s revenue grew to $751.1 million in 2017, a 5 percent increase from the previous year.”
With GDPR going into effect on May 25, 2018, and the rising cost of a breach, information security vendors can expect plenty of lucrative work for the foreseeable future. One measure of the need for such services is LOGICFORCE’s Law Firm Cyber Security Scorecard, which recently evaluated the health of information security practices in the legal industry. The score was just 42 out of 100.[1]
The respondents were no strangers to audits. Nearly half of the 300 studied firms (48 percent) had their data security practices audited by at least one corporate client in the past year – a 41 percent increase over similar activity in the previous six months.
If auditors had asked the right questions, they would have discovered, as LOGICFORCE did, that nearly two-thirds of the firms (62 percent) had no designated information security professional. Only 41 percent had formally documented cyber security policies, incident response plans, backup, and restoration procedures.
The consultancy compared security investments to the client-driven demand for alternative fee arrangements, saying, “These corporate audits will continue to increase in volume and complexity, basically leaving law firms with no choice but to comply or lose their business.”
[1] “The scoring system is designed to illustrate how well law firms are implementing the 12 most critical systems and data security mediation methods according to LOGICFORCE Cyber Security Standards for a secure law firm.”