Cybersecurity and personal privacy are real and compelling concerns. Whether we know it or not, virtually everyone has been victimized by a data breach. Lawyers are tempting targets to hackers because lawyers and law firms hold petabytes of sensitive and confidential data. Lawyers bear this heady responsibility despite being far behind the curve of information technology and arrogant in dismissing their need to be more technically astute. Cloaked in privilege and the arcana of law, litigators have proven obstinate when it comes to adapting discovery practice to changing times and threats, rendering them easy prey for hackers and data thieves.
Corporate clients better appreciate the operational, regulatory and reputational risks posed by lackluster cybersecurity. Big companies have been burned to the point that, when we hear names like Sony, Target or Anthem, we may think “data breach” before “electronics,” “retail” or “health care.” The largest corporations operate worldwide, so are subject to stricter data privacy laws. In the United States, we assume if a company owns the system, it owns the data. Not so abroad, where people have a right to dictate how and when their personal information is shared.
Headlines have forced corporate clients to clean up their acts respecting data protection, and they’ve begun dragging their lawyers along, demanding that outside counsel do more than pay lip service to protecting, e.g., personally-identifiable information (PII), protected health information (PHI), privileged information and, above all, information lending support to those who would sue the company for malfeasance or regulators who would impose fines or penalties.
Corporate clients are making outside counsel undergo security audits and requiring that their lawyers institute operational and technical measures to protect company confidential information. These measures include encryption in transit, encryption at rest, access controls, extensive physical security, incident response capabilities, cyber liability insurance, industry (i.e., ISO) certifications and compulsory breach reporting. For examples of emerging ‘standards,’ look at the Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information lately promulgated by the Association of Corporate Counsel.
Forcing outside counsel to harden their data bulwarks is important and overdue, but it’s also disruptive and costly. Many small firms will find it more difficult to compete with legal behemoths. Savvier small firms, nimbler in their ability to embrace cybersecurity, will frame it as a market differentiator. At the end of the day, firms big and small must up their game in terms of protecting sensitive data.
Enhanced cybersecurity is a rising tide that floats all boats.
Well, maybe not all boats. Let me share who’s likely to get swamped by this rising tide: requesting parties (or, as corporations call them, “plaintiffs’ lawyers”), and their experts and litigation support providers. Requesting parties and others in the same boat will find themselves grossly unprepared to supply the rigorous cybersecurity and privacy protection made a condition of e-discovery.