A cybersecurity scare at Foley & Lardner has drawn new attention to a debate over data security at top law firms, and some clients and outside organizations are taking matters into their own hands.

The incident last month, described by a firm spokeswoman only as “a cyber event that caused a disruption to our IT systems,” comes as general counsels’ offices express renewed concern about whether even the biggest law firms are adequately protecting highly sensitive data.

“I don’t believe that all firms have given this issue the thought they need to, or put into place the best practices that are needed,” Rob Whipple, associate general counsel for DHL Supply Chain Americas, told Bloomberg Law.

“The access to information at firms now is just too easy,” said Gary Tully, head of legal operations at biopharmaceutical company Gilead Sciences.

Can Be Devastating

Cyberthreats are a growing issue in Big Law. They can be devastating to large organizations, including law firms that house vast amounts of often confidential client data.

A range of top firms have been hit in recent years, including DLA Piper, and according to news reports, Cravath, Swaine & Moore, and Weil, Gotshal & Manges.

In recognition of the threat, Whipple said his company last year revised its outside counsel guidelines to include added cyber protections. This includes giving the company the right to conduct its own audit of outside law firms’ cyber defenses.

At stake, he said, is the sensitive DHL information that can include everything from employee pay rates and product pricing to personally identifiable information.

Incidents Up

Cyber incursions into law firms clearly appear to be on the rise. According to a December 2017 American Bar Association legal technology report, just over a third of law firms with between 10 and 49 attorneys reported experiencing some sort of data-related security breach in the previous 12 months.

Two weeks ago, the ABA issued a report detailing lawyers’ data security obligations, including responsibilities to clients after breaches or cyber attacks have occurred.

“(L)awyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data,” the report concluded.

When breaches occur that include a substantial likelihood of involving material client information, “lawyers have a duty to notify clients of the breach,” it said.

The report also reiterated the notion that firms have an ethical responsibility to try to maintain privacy when communicating client confidential information via the Internet.

The Association of Corporate Counsel, one of the top professional organizations for those working in legal departments, issued a report last year that noted growing concerns from members about the safety of their data with law firms.

‘Latest Example’

When clients ask their firms what certifications they’ve obtained to show that they’re working to protect company data, firms can tell them they’ve adopted any of a number of information security management standards.

This can include one published by the International Organization for Standardization and the International Electrotechnical Commission, or another promulgated by the National Institute of Standards and Technology.

But firms and their clients would benefit greatly by a standardized set of assessment questions, Tully said.

“We’re interested in seeing cyber incidents reduced, and Foley is just the latest example,” said Tully.

Foley said the October “cyber event” disrupted its IT systems. But the firm said it had security safeguards in place and confirmed no unauthorized access to client data. Foley declined to offer details on the type of incident or the scope of disruption.

Tully and Gilead, along with the Corporate Legal Operations Consortium (CLOC), a group of legal ops professionals, are working on an initiative to create standardized legal security assessments.

CLOC’s Cybersecurity Initiative Steering Committee includes several law firm and in-house leaders, such as Baker McKenzie Global CIO Daniel Surowiec, Greenberg Traurig CIO Jay Nogle, and Google Legal Operations Manager Marika Daggett, group officials confirm.

“It’s evolved into such a big initiative with so much interest,” said CLOC President and CEO Connie Brenton, who is also senior director of legal ops at NetApp.

Lagging Behind?

Law firms also sometimes opt to retain cyber consultants, who can bolster protections and guide them through the certification process.

Tully and other experts agree that firms generally need to come to grips with the notion that to get the best protections for their clients, they’ll often need to spend more than they are now.

“Sadly, in any industry, most breaches trace back to choices that have been made to choose profits over effective security,” Jeffrey Ritter, founding chair of the ABA’s cyberspace law committee and an external lecturer for the computer science department at the University of Oxford, said in a written statement.

Firms should concentrate on three main fixes when it comes to protecting client data, Larry Ponemon, founder of the Ponemon Institute, a think tank dedicated to advancing privacy and data protection practices, told Bloomberg Law.

They need to maintain strict access governance to limit the number of people who have access to client data at any time, he said. Stronger encryption is also key, he said, as is improved training.

Ponemon said he understands the concerns of some corporate counsel. Professional service firms, including law firms, historically have been “laggards” when it comes to cybersecurity, he said. “Some firms are doing a very good job now, but others are still behind the times.