The “Panama Papers” leak and other breaches at major law firms in the past year bear out the findings from the American Bar Association’s 2015 Legal Technology Survey Report. Earlier this month, 11.5 million documents were published from the files of the world’s fourth-largest offshore law firm, Mossack Fonseca. The much-publicized leak underscores the survey finding that nearly one in four large law firms—those with 100 or more attorneys—has experienced a security breach. It is challenging for firms to keep up with the latest security measures and obtain the proper certifications that stand up to increasing client scrutiny. These necessary measures are costly, burdensome and distract law firms from their core competency.
With so much sensitive data at stake, ranging from intellectual property to inside details about bet-the-company lawsuits, corporations increasingly are scrutinizing their law firms’ data security procedures, particularly when it comes to one of their greatest vulnerabilities: relationships with third-party providers. This is especially salient in the context of eDiscovery, where many law firms host their clients’ sensitive data with third-party service providers.
Security-savvy law firms have established vendor management programs as a means of identifying risks and protecting their outsourcing investment. These firms, which tend to pass clients’ vendor governance audits with flying colors, have adopted the following steps for managing vendor risks.
1. Creation of a vendor management team.
A vendor management team is typically composed of lawyers, legal assistants, litigation support, accounts payable, and other firm personnel who together manage the entire vendor lifecycle, from selection through monitoring to off-boarding. The team establishes policies and protocols that make clear to all firm employees that entering into a relationship with a third-party provider requires approval from the vendor management team.
2. Conducting current state risk assessment.
Strong vendor management teams review and track the suppliers that each firm department uses. Accounts payable often plays a key role in identifying payments to third parties or suppliers that may not have been approved through formal channels. Typically, these teams then assess which vendors pose the greatest risk to the firm and its clients according to a defined list of criteria, and prioritize them for risk review accordingly. For example, vendors who handle client data or other sensitive information are usually subject to the most rigorous assessments.
3. Adoption of rigorous vendor screening procedures.
Before contracting, top law firms require vendors to demonstrate compliance with firm policies and applicable laws, including anti-bribery, anti-corruption and data privacy laws. In addition, they require vendors to establish that they are financially stable, that they have sound internal controls, and that they have responsible leadership. During the selection process, leading law firms thoroughly audit candidates' cybersecurity controls, including physical security, network security, data storage, and infrastructure, as well as their track record of identifying, assessing, and mitigating threats. These firms require acceptable vendors to have business continuity programs as well as incident reporting mechanisms. In an eDiscovery context, for example, firms might look to vendors that host their data in ISO/IEC 27001-certified data centers, while checking that the certificate's stated scope actually covers the systems and services that will hold client data, since a certificate only attests to the scope named in it.
4. Continued due diligence following a vendor’s onboarding.
Due diligence is not a one-time activity. Firms realize that ongoing monitoring is required to confirm third-party compliance with firm policies, the terms of the contract and its SLAs, and evolving laws and regulations. These teams also periodically test their vendors' information security and risk management controls.
5. Established transition processes.
Leading law firms recognize that the greatest risk to client secrets may arise when a vendor relationship ends. Therefore, they set procedures to ensure that all firm-related data is either transferred back to the firm or destroyed, and they require certificates of destruction. They also ensure that vendor access to firm systems and data is terminated, whether through the recovery of firm equipment, revocation of access to firm facilities, or the disabling of remote access accounts and network connections.
Unfortunately, there are no surefire ways to avoid becoming the next data breach victim, though many law firms are taking the steps outlined above in an effort to mitigate risk.