Addressing Data Security Risks with Proactive Strategies and Collaboration


With the growing number of well-publicized data breaches during recent months and a steady stream of media reports about serious cybersecurity threats, security planning and management has become a top priority among legal managers, according to research conducted for Robert Half Legal’s ongoing Future Law Office project.

The ABA estimates that approximately 80 percent of the 100 largest U.S. law firms have been successfully hacked during recent years. And in its 2015 law firm white paper, the Shared Assessments Program reviews the potential risks of law firms as service providers and the vulnerabilities that financial institutions are attempting to address.

Law firms now find themselves in an environment of increasing scrutiny; regulators demand that law firms provide the same data security controls as any other service provider with access to confidential information or systems.

The traditional framework, with law firms treated as trusted third-party providers that intrinsically employ attorney-client privilege to prevent disclosure of confidential information, was developed when protecting privileged information went no further than being discreet in conversations and scrupulously maintaining paper files. Today, protecting confidential client information means developing and maintaining robust IT and cybersecurity controls to prevent unintentional or unauthorized access to data, metadata and document records.

What responsibilities do legal leaders have in developing and implementing cybersecurity policies within their law firm or company? What actions should legal organizations be taking to proactively mitigate the risk of cyberattacks?

To answer these questions and learn more about the critical role that legal professionals play in data security planning and management, we talked with two leaders well versed in the security field—Frank Wu, global managing director of Robert Half Legal’s consulting solutions practice, and Rocco Grillo, managing director, Cybersecurity & Privacy Services at Protiviti, Inc. They share their insights on effective data security and incident response strategies here.

What particular security risks do legal organizations face?

Wu: Law firms and legal departments are prime targets for cybercriminals due to the high volumes of privileged and confidential information they maintain. A single data breach can be costly to the firm, causing significant damage not only to its brand, reputation and overall performance, but to its clients’ or company’s business concerns as well. Legal organizations must be sensitive to the myriad legal requirements relating to the privacy, compliance and security of the data they possess and help identify risks and security protection and detection strategies.

It’s expected that legal professionals collaborate with IT experts in security planning. What other stakeholders should participate in developing and managing security concerns within a law firm or company?

Wu: Depending on the security risk exposure and risk appetite within an organization, legal and IT might work with a number of other internal stakeholders on security planning, including executive management, board directors, privacy and compliance professionals (if they’re separate from legal), human resources, public relations and crisis management specialists, and business partners.

Grillo: Additionally, external stakeholders may include outside counsel, cybersecurity and response experts and law enforcement. And when a breach occurs, others may need to be engaged, including vendors, notification and credit monitoring firms, clients, private investigators, and incident response specialists.

And as legal professionals participate on data security planning teams, it’s critical they establish up front the appropriate channels to notify if a data breach does occur, such as state attorneys general, regulators and/or other entities. This is essential to meet obligations required by law and by banks and other financial services organizations if credit card data is part of the potential compromise. It’s important to identify in advance the parties who need to be involved, how to contact them, in what order, and at what time. Equally important is having channels of communication established for business partners and clients, whether notifications need to be made because of contractual obligations or even for reputational purposes.

How important is it for IT security and legal professionals to partner on incident response investigations and other sensitive matters?

Wu: Legal representatives on a security team are in a unique position to identify and convey where confidential and proprietary information is stored within an organization, whether on internal servers, networks or in the cloud. As well, legal should be knowledgeable about the local and international laws and regulations and compliance requirements governing the protection of such data. Legal’s participation on security management teams is therefore a critical component of the overall planning process. And while it is neither legal’s role to enforce security policies nor, typically, to implement incident response plans, legal team participants are accountable for identifying potential legal liabilities, helping to navigate the legal and regulatory maze inherent in security management and providing appropriate guidance to help deter, detect and mitigate potential risks. Effective data security relies on the integration of substantial technical knowledge, often provided by IT staff, with legal knowledge, interpretation and strategic risk management understanding.

Grillo: Legal professionals also offer valuable input for incident response plans. One of the key decisions when a breach is identified is to determine when legal needs to be involved. Company data breach investigations should be conducted under attorney privilege to protect the findings of the investigation. Not all incidents result in a compromise or require legal’s involvement; however, protocols should be established in advance to govern various incident scenarios. In many instances, companies are establishing privilege with proactive response efforts, such as testing the incident response plan during tabletop exercises and even during penetration testing efforts, in some instances because of the possibility of identifying a compromise.

How can law firms and legal departments keep current on the broad range of cyber risks that can impact their organizations?

Wu: The first thing to recognize is that neither legal leaders nor IT experts will ever be able to recognize the full scope of security risks that can impact the business environment, given today’s global dynamics. But it’s important for legal to collaborate with their IT colleagues, who typically research and monitor the security landscape on a regular basis. Incidents of cybercrime are on the rise, and the sophistication of attacks continues to evolve.

Grillo: It’s important that legal managers work with their chief information and chief information security officers, as well as other C-suite officials, to ensure they have a mature response plan that is tested and able to respond effectively when the company is attacked. Everyone involved needs to not only be aware that they are part of the process but also know their particular roles and responsibilities within the response plan. In parallel, legal professionals need to work with their internal business partners to identify critical assets and evaluate the response plan’s effectiveness in protecting those high-value resources. Determine the risks and likelihood that sensitive data will be compromised. Analyze how well response protocols can mitigate the impact of an attack so the company can quickly restore normal business operations. Networking with external entities, including industry peers and law enforcement agencies, is another avenue to stay current. For example, the U.S. Secret Service and the FBI currently provide threat intelligence through organizations that have been established for this very reason.

What key components should a comprehensive cybersecurity defense plan include?

Grillo: When it comes to data security, being proactive and prepared may be an organization’s best defense. Becoming “compromise ready” in the context of cybersecurity requires focusing on a variety of issues, including network security, employee training and mobile device management, threat information gathering, ongoing monitoring of where sensitive assets and data are located, proactive planning for third-party data compromises, retainer agreements with law firms and incident response and forensics investigators, among other things. Established procedures and committed resources are essential to security planning and equally important to being able to take appropriate action quickly in the event of a breach.

A layered approach to cybersecurity protection and detection is also key—having multiple types of controls in place that address different elements of the overall risk landscape. Other components include proactively developing incident response plans, testing them regularly through tabletop exercises that simulate attacks, and conducting simulated forensics investigations to uncover vulnerabilities; establishing playbooks and protocols; and conducting incident response drills to reinforce team members’ roles and responsibilities.

And an important fundamental of being compromise ready is ongoing diligence—it’s critical to continuously monitor emerging threats and regularly evaluate and update, as needed, data security and incident response protocols, ensuring that all appropriate staff members are kept current on the plans.

To learn more about how law firms and corporate legal departments are responding to security challenges as well as other trends impacting the legal profession, download a copy of Robert Half Legal's report Future Law Office 2020: Redefining the Practice of Law.