Data breaches at law firms have made headlines in recent years. The Panama Papers scandal in 2016 led to the demise of the Mossack Fonseca firm two years later. The 2017 ransomware attack that shut down DLA Piper brought the message home. And the attack last year on New York’s law firm to the stars, Grubman Shire Meiselas & Sacks, seemed to underscore the point.
But law firms have been slow to respond. And perhaps more surprisingly, so have the companies that hire them. A 2019 survey conducted by the Association of Corporate Counsel (ACC) found that 70 percent of the in-house counsel who responded said their companies had not attempted to assess the security of the law firms they’d hired. Many of these companies routinely evaluate the security of their other vendors, but somehow they’d missed the boat on their law firms. Even though these firms possess some of their most sensitive data.
Late last year ACC launched a business to address this security hole. They call it the ACC Data Steward Program (DSP). It’s specifically designed for corporate law departments that want to ensure their firms protect their data—and for law firms that want to showcase their security.
Jim Merklinger, president of the ACC Credentialing Institute, described the new program as a “win-win” for law firms and their clients. The program aims to replace the security questionnaires companies often send vendors. Generic questionnaires have never worked well for law firms, Merklinger said in an interview, because the questions are not designed to apply to their specialized tasks. The result is that many of the questions come back marked “not applicable,” he noted. And often there are hundreds of questions—sometimes more than 1,000. And no two questionnaires seem to be alike, placing a great burden on the firms.
The DSP was designed to streamline the instrument into a standardized, automated format that allows law firms to self-assess their security and make the results available to as many clients as they wish. Merklinger and his colleagues, working with an advisory group of law firms, legal service providers, and in-house counsel, winnowed the questions to 160 controls. They’re based on categories and content pulled from the NIST Cybersecurity Framework. The firm completes the form by choosing multiple choice answers that describe its own policies, procedures, processes, and expertise. When the form is complete, the firm is given a rating (100 is perfect).
The standard package costs $9995 a year. This allows the firm to share its results with as many clients or prospective clients as it chooses. The service never shares the data with anyone, Merklinger emphasized. It’s completely up to the firm. This fee allows the firm to update any information during the year at no extra charge. For instance, if a law firm adds multifactor authorization to some of its processes, it can add that information and improve its rating. Also, if a firm wants to highlight for a client certain capabilities that are not included in the standard controls, it can add its own items into the mix and share these with specific clients at no extra charge. (These would not, however, change the firm’s rating.)
There are two alternatives to the standard program. If a law firm has only one client that wants to see an evaluation, it can pay $1495 a year for the single-client option. That’s the bare-bones offering. Suppose a firm wants to go the other way? If it wants its security prowess certified by an independent third-party expert, the DSP also offers that. The firm still has to pay the annual fee and complete all the information required on the standard package. It then pays an additional $8000 once every three years for the independent certification. And, of course, it must respond to all of the questions and requests from the independent assessor.
The Role of the Law Department
Corporate law departments are not charged any fees. ACC hopes that they will see the benefits and encourage their firms to sign up. That would relieve legal departments of the responsibility of finding or creating a security questionnaire, and provide them with a wealth of information about their firms.
The information goes far beyond the equivalent of a grade on a test. The ratings are just a snapshot, Merklinger said. Law departments can dig into the results by accessing the DSP assessment’s dashboard. There they see the firm’s strengths and weaknesses. And how they answered each question. They can also input requests for evidence to back up the firm’s answers. The program makes it easy for the firm to respond to those requests by uploading spreadsheets, screen shots, or other relevant documents.
The biggest surprise so far, Merklinger said, is that law firms have become “big proponents of this.” It’s a way to demonstrate their strengths. This may be particularly appealing to some small firms, he said. He cited firms that are part of the NAMWOLF network as an example. The assessment can also help firms see areas where they need to improve. It may even spur conversations with their clients about steps to remediate deficiencies.
With all the examples of breaches at law firms, Merklinger thinks he’s got the right product at the right time. The program got rolling late last summer, he said, and he hopes that by the end of 2021 they have 300 firms on board.
At the end of the interview, Merklinger conjured a conversation between a general counsel and his CEO. They’ve just learned that they’ve had a data breach. “This information got out from the law firm we hired,” the CEO says to his top lawyer. “How did they do on the evaluation we gave them?” The general counsel hesitates. “We didn’t evaluate them.”
“I would not want to be that general counsel,” Merklinger said.