BigLaw Warning: Law Firms Face Increasing Risks When Handling Personal Information

In a pair of articles sent out by CNA to its law firm insureds, two large law firms showcase (by way of their privacy and risk management departments) the rising data loss exposures faced by all law firms.  An article written by seasoned privacy attorneys from Hunton & Williams provides “an overview of key privacy and information security issues impacting the practice of law.”   And, in an article written by Ann Ostrander, the Senior Director of Loss Prevention at Kirkland & Ellis, we learn of how Kirkland addresses part of its data confidentiality problem by deploying a sophisticated web-based solution. 

Ms. Ostrander provides some good common sense advice when she writes:

With new rules, new precedents and new information technologies continuing to complicate and inflate the ways in which information is created and communicated, the risk of unexpected incidents, breaches or gaps is increasing. Thankfully, educational resources, technology and services exist which can enable organizations to enhance their capabilities and reduce risk. As more firms adopt more rigorous approaches to managing confidentiality and compliance, they’re creating stricter de-facto standards and expectations for the legal industry as a whole.  In this context, every firm should carefully consider the state of confidentiality management in their environment, as this is an issue whose profile will only continue to grow.

Because the Hunton attorneys are very process driven in their approach, they advocate law firms build out new security processes such as those found in a vendor management program.  As with Ms. Ostrander, Hunton’s privacy group, however, ends by providing a baseline of what every law firm should be doing:

For law firms, it is difficult to overemphasize the importance of (i) understanding how the firm collects, uses and otherwise processes personal information, (ii) thoroughly analyzing the firm’s relevant legal obligations, and (iii) implementing a comprehensive privacy and information management strategy to address these obligations. 

Although diminishing billable hours may tear into a firm’s ability to implement the firm-wide technology initiatives found at BigLaw firms such as Kirkland, the rewards found in adequately addressing data loss exposures will pay long-term dividends for any sized law firm.   As chronicled in the Hunton article, there are many regulatory landmines on the horizon.  It may be hard for a client to justify staying with its law firm after the firm is hit with a public rebuke regarding its data security – especially when there are so many other competitors in the water.  

Moreover, all law firms can, and should, be known as stalwarts of data privacy “future” best practices – and not just what is considered a current best practice.   In fact, it can be argued that the smaller the law firm, the easier it is to run such an office.  Although  attorney-client privileged material is already sacrosanct within all law firms, as counsel to banks, retailers, healthcare providers, and other users of sensitive data, law firms should live and breathe data protection on behalf of their clients.  There is a financial silver lining to any upgrade expense given that  new  implementations immediately become marketing fodder for rainmakers.  In other words, as some clients point to their use of sophisticated data management procedures when marketing their services, so should law firms when marketing their own services.