On March 29, 2017, the Association of Corporate Counsel released a set of model cybersecurity practices to help corporate legal departments address security and risk management issues born out of their outside legal counsel’s use of sensitive company data. Protecting corporate data has increasingly been a top-of-mind topic for in-house counsel. As reported by Corporate Counsel magazine, from 2014 to 2017, the percentage of in-house lawyers viewing the threat of data loss as an “extremely” important issue rose from 19 percent to 26 percent.
This proposed set of best practices should really come as no surprise. Law firms have already been targeted with ransomware exploits, given that a small payment to regain access to encrypted data takes a far backseat to the potential loss of billable time. Similarly, law firms have long been targeted by sophisticated criminals and state actors interested in the wealth of confidential data they maintain.
It is not clear, however, how most outside counsel will comply with several of the best practices outlined by the ACC, given the significant expense, implementation risk, and time commitment involved. For example, the ACC suggests the following three baseline measures:
Outside Counsel shall have vulnerability management and regular application, operating system and other infrastructure patching procedures and technologies reasonably designed to identify, assess, mitigate, and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code.
Outside Counsel shall have, shall implement, and shall maintain network security controls, including the use of firewalls, layered DMZs and updated intrusion, intrusion detection and prevention systems, reasonably designed to protect systems from intrusion or limit the scope or success of any attack or attempt at unauthorized access to Company Confidential Information.
If Outside Counsel has not achieved ISO27001 certification, Company may request that Outside Counsel undertake the certification process and provide Company with evidence of certification when attained.
Although AV protection and patching are fairly standard fare, not many law firms will go to the trouble of getting ISO certified or developing an intrusion plan focused on thwarting or mitigating attacks based on the nature of the data involved. In fact, the ACC has done what is fairly typical of published “best practices”: it has put together a wish list that will never be implemented by the vast majority of outside counsel.
Found in these best practices, however, is one suggestion that may actually have some appeal for a wide range of law firms – a risk transfer model that puts the onus on an insurance carrier to foot the bill for a data incident. Specifically, the ACC suggests law firms purchase at least $10 million in cyber insurance:
Without limiting its responsibilities set out herein, in countries where cyber liability insurance coverage is available, Outside Counsel will obtain and maintain in force at all times cyber liability insurance with an insurance company having a minimum credit rating of A- from Standard and Poor’s or other equivalent rating agency, with a minimum coverage level of $10,000,000.
Although the cost to purchase $10 million in limits may be significant, it will open the door to some minimal underwriting for security best practices as well as the recognition that a deep pocket is always available to absorb the risk. In other words, it will be a much softer route for outside counsel to obtain buy-in regarding its data security chops if it starts with the purchase of data loss and privacy insurance. After purchasing this insurance (and satisfying the encryption and other underwriting requirements), outside counsel’s next steps are largely dependent on the size of the firm. Indeed, for a smaller firm, $10 million may not make any sense; a much smaller $5 million or even $2 million policy limit would be sufficient. Even though some law firms rely on data loss and privacy insurance to address coverage gaps and transfer loss caused by a data intrusion, it remains a non-standard coverage.
For a larger firm, there is also more likely an IT Director, CIO or even a CISO already in place. Such positions necessarily bring with them certain advanced practices that can be found in the ACC’s suggested best practices. On the other hand, in a law firm with no such position in place (and neither the money nor the desire to create one), the Office Manager is often tasked with squeezing the most security out of the smallest possible budget. In that instance, firewalls and proper endpoint protection are necessary baseline defenses. Also, the use of certain cloud security vendors, including those providing encryption or phishing-detection email services, can end up being a cost-effective step up in security. Applying the NIST Cybersecurity Framework or getting ISO certified is far-fetched, to say the least.
No matter their size and level of sophistication, law firms will always remain low-hanging fruit for dedicated thieves looking for some good data to steal. To that end, the ACC’s grandiose best practices can only be perceived as a beneficial and necessary step in the right direction.