Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Brenna Goth
Companies go to great lengths to protect their data, but they may be ignoring a security soft spot—the information they provide to outside legal counsel.
A group of corporate legal executives is trying to mitigate the risk of future data breaches. Gary Tully, director of legal operations for Gilead Sciences, is one of those leading the initiative.
The first step is adopting an assessment tool that will score a law firm’s security while giving companies a common baseline for comparison. Widespread use could make the rating as valuable as a FICO score for credit, Tully said.
In-house legal departments have an ad-hoc approach to addressing the cybersecurity of outside firms—if they do at all. Some companies trust that the law firms they use are protecting their data while others implement a time-consuming review process, Tully told Bloomberg Law.
“We really need to make a difference here,” he said. “We need to move quickly.”
Tully and other leaders with the Corporate Legal Operations Consortium, or CLOC, are pushing a new initiative to boost the cybersecurity of law firms while pushing in-house legal departments to more closely consider their vendors. Heads of the group, which has members from nearly 700 companies representing more than a quarter of Fortune 500 companies, say they aim to create a new industry standard.
Law firms hired by a company can have that organization’s most sensitive data, said Connie Brenton, president and CEO of CLOC and senior director of legal operations at NetApp Inc.
Assessing how law firms protect that data can be difficult. Companies may send questionnaires to firms, which can be laborious and inefficient. A one-time assessment can take months. Firms that self-evaluate may need audits.
But the consequences of not checking security practices can be huge.
Imran Jaswal, managing director of Duff and Phelps’ CyberClarity360 tool, said even if a company’s data isn’t compromised by an outside law firm, its business could be disrupted in the case of an attack. Jaswal spoke during a panel discussion at the CLOC Institute in Las Vegas the week of April 23.
CLOC is endorsing the CyberClarity product as a common cybersecurity assessment tool for companies.
A firm’s operation could shut down for a few weeks after an attack or, in some cases, may not recover. “This is something that’s highly impactful to your organization,” Jaswal said.
Law firms, though, are also burdened by cybersecurity reviews, Justin Hectus, the chief information officer and chief information security officer of Keesal, Young and Logan, said at a CLOC Institute panel. Firms that are already stretched thin may have to fill out numerous questionnaires on the same topic from different companies.
The paperwork problem needs streamlining, Hectus said, particularly considering that the number of companies seeking assessments is rising.
“You can see the possibility of this thing just exploding,” he said.
The range of concerns led CLOC to push a new approach that leaders hope will lift cybersecurity efforts throughout the industry.
A corporation can ask a law firm to take the assessment, which gives it a score and remediation advice. Companies have a score they can use to compare competitors while law firms can take one assessment and release it to multiple corporations.
A widespread solution has to be cost-effective, quick, and easy, Tully said. It also has to be fluid enough to react to changing threats.
The remediation advice aims to improve security across the entire industry over time, Jaswal said, as law firms respond to their assessments.
Companies need to create a culture of security and not just check a box once, said David Shonka, acting general counsel of the Federal Trade Commission, during a CLOC panel. Federal law requires reasonable efforts on that front.
“The answer is to think ahead of time,” Shonka said. “Plan things.”
The CLOC initiative comes out of meetings among corporate legal departments, law firms, educators, and vendors who are vetting it, Brenton said. Otherwise, the solution won’t work, she told Bloomberg Law.
“As an industry standard, it better be bulletproof,” she said.
Still, there’s resistance to change, Tully said, as cybersecurity protection can be particularly sensitive to talk about. But leaders are optimistic the idea will take hold as people talk about the benefits and share the tool with colleagues.
Law firms would have a way to show they’re protecting clients. General counsels have an incentive to avoid going to their boards after a data breach.
Tully hopes the initiative moves beyond a questionnaire. He envisions a marketplace developing around the security score and room for other product vendors to get involved.
It’s a concept that can gain steam outside the legal industry, Tully said. Legal professionals are working on a proof of concept before it spreads to the rest of their companies, he said.
“Our industry is going to lead our corporations,” Tully said.