Recently news broke of the latest findings stemming from the newly released 2015 ABA Technology Survey. By our count, the complete report, which LexisNexis supported through sponsorship, runs more than 900 pages with an executive summary that alone counts 242 numbered pages.
Data providing insight as to the state of law firm security were among the first results widely reported among legal trade publications. Here’s a summary of the news reported with links to the reporting sources for those interested in additional reading.
Law Firm Breaches Reported
Across law firms of all sizes, those reporting having experienced a security breach remained relatively flat at 15% – though 23% weren’t sure according to Legaltech News. The impact may be lost in the average, as some legal news outlets reported larger firms experienced an increase in breaches.
“Law firms with 100 to 499 lawyers had the largest increase in reported security breaches,” according to the ABA Journal. “Twenty-three percent of surveyed lawyers from firms of that size reported security breaches such as computer hacking, or a lost or stolen computer or smartphone, up from 10 percent last year.”
The Legaltech News noted while the majority of those who experienced breaches, did not experience business disruption as a consequence – a trend down from previous years – the percentage that did trended up. The outlet reported “30 percent reported that beaches created downtime/loss of billable hours” which was up from 4% in the two consecutive years prior, and up 8% from 2012.
The Difference between Breach and Compromise
Nuance matters because in IT security and financial services circles, the term “breach” usually means actual data theft and requirements for disclosure become necessary, according to Jeff Norris, CISSP and senior director of data security for LexisNexis Managed Technology Services.
More importantly, it’s more than possible to be infected and exposed to risk without being conscious of it. For example at the ILTACON conference, security expert Josh Goldfarb presented a study where 97% of 1,216 companies examined were compromised and unaware.
To that end, when the ABA survey asked “in 2015 if their firm was ever infected with virus/spyware/malware, 42.4 percent said yes; 34.9 percent said no; and 22.7 percent did not know,” according to Legaltech News.
Third-Party Security Assessments
Most respondents – across firms of all sizes – were unaware whether or not the firm had engaged a third party for an independent security assessment.
Bloomberg’s Big Law Business reported, “at firms with 100 to 499 attorneys, 57.6 percent didn’t know, and at firms with more than 500 attorneys, 77 percent didn’t know.” Yet larger firms are more prone to receive requests from corporate counsel seeking assurances of data security prior to an engagement.
Law360 said, “Current and potential clients of the largest firms are most likely to request a security audit or a verification of the firms’ security practices. Thirty-four percent of law firms with 100 or more attorneys have fielded such requests, compared to 12 percent of firms with 10 to 49 attorneys and 3 percent of solo practitioners.”
The trend seemingly points to greater emphasis on security within law firms. For example, Fox Rothschild LLP, recently appointed partner Mark McCreary as chief privacy officer. In an interview with Bloomberg’s Gabe Friedman, Mr. McCreary pointed to ISO certification and encryption as priorities.
“The 27001 ISO certification is the certification for law firms,” he said in the interview. “It tests the security and policies of law firms. In our process, they came in and told us, hey you’re actually in pretty good shape, but we have suggestions for you.”
Just 10% of solo law firms “carry cyber liability insurance” according to the Legaltech News article and Bloomberg underscored the fact “more than 80 percent of the survey respondents who hailed from a firm with more than 100 attorneys said they didn’t know if their firm had cyber liability insurance.”
The Law360 article said, “cyber liability insurance rates are low among all sizes of law firms…fifteen percent of respondents at firms with 10 to 49 said they had liability insurance, as did 13 percent at firms of 100 or more attorneys and 10 percent of solo practitioners.”
A trend piece, on cyber liability insurance, published on the ABA Journal website in April, says such a policy is increasingly important.
“Cyber coverage provides an extra layer of protection, which helps firms mitigate the impact of security failures,” said Chris Andrews, vice president of professional liability at AIG, who is cited in the ABA Journal article. “There is no silver bullet, so firms need to be dynamic in their approach to cyber risk—meaning sound cyber risk management should encompass people, policies, procedures, technology and insurance solutions as well.”
Law Firm Cybersecurity Initiatives
The rise in cybersecurity risks in the last few years has prompted the ABA to champion a cybersecurity collaboration initiative among law firms.
“Law firms hold some of the most valuable data in the corporate world, so we have an important responsibility to work together to protect ourselves from cybercriminals,” said David Bodenheimer in an interview with the Business of Law Blog.
Mr. Bodenheimer, a partner in the Washington, D.C. office of Crowell Moring LLP, is vice chair of the ABA Section of Science and Technology Law.
“We feel that our pilot project revealed an important way forward. Our hope is that we can now identify resources and project sponsors from within the ABA to band together and help us implement some of these ideas.”
If you enjoyed this post, you might also like:
Infographic: Cybersecurity Stats for Legal Tech