Several recent articles – one in the March 2010 issue of the ABA Journal and another in the March 9, 2010 issue of The National Law Journal – offer a study in contrast regarding how law firms are dealing with data security exposures. The ABA Journal takes the position that law firms are proactive in managing this exposure by, for example, barring use of the iPhone. The National Law Journal article takes the position that although attacks against law firms have been increasing the past several years, “[w]hen it comes to network security, however, law firms in general do not invest as heavily as do other industries.”
A review of the law firm procedures and attitudes related to data security indicates a wide gulf that is really hard to find consensus on. Some law firms absolutely do not focus on this as an issue and really go about their business as if their network security is an autonomous part of the office that can take care of itself. On a relative scale, revenue generation for these firms is number one or two while data security is between ten and twenty. That is not to say there aren’t some small firms who actually do understand how rainmaking can be enhanced with a strong data management system in place. They are just in the minority.
Given the economic downward spiral that has not let up for the past several years, law firms must obviously be judicious with their resources. It is clear to some, however, that spending time and money improving the network security and privacy posture of a firm can ultimately help improve its financial position. As with most things in business (go ask Steve Jobs), it is about the proper marketing of your services. Running a tight data security ship is no different from being well-versed in environmental law prior to advising clients who may have an environmental exposure. It should be considered part of the advance work necessary to be a successful attorney. On the flip side, if you are one of the hundreds of law firms to have sustained a data breach during the past several years, there is no need for further prodding. The old adage “once bitten, twice shy” will certainly apply and money to improve data security will flow quite easily.