30 May 2017

Cyber (In)security: A threat to law firms, and an emerging area of practice

Published on 30 May 2017

Amidst the state of constant change that now characterises the legal profession in Australia and abroad, a few key trends are starting to emerge. In particular, increasing internet insecurity is presenting a challenge to law firm confidentiality and data privacy, while simultaneously offering a relatively new, high-demand, swiftly-expanding area of practice. In this story, Insights provides a deeper examination of cyber security and its implications for law firms.  


The Global State of Play


It is impossible to escape cyber hacking and its consequences, especially in recent months. Russian hackers have allegedly attempted to influence elections from France to the United States; in the case of the latter, repercussions are still being felt. Closer to home, the denial-of-service attack on the Australian Census exposed vulnerabilities in government security and may have affected recently released results.


For law firms, this global state of cyber insecurity presents a threat and opportunity – the threat of hackers obtaining sensitive, confidential client information, and the opportunity of defending against this growing area of legal exposure.


“In some ways, cybersecurity is just another risk that all organisations have to manage in their day-to-day business,” observed King & Wood Mallesons partner Cheng Lim in a publication for Forbes. “However, the difference is the volume, variety, and velocity of the attacks, the increasingly interconnected nature of our world, and the vast quantities of data that can be compromised through a cybersecurity breach.”


Law Firms Under Threat


Law firms Cravath, Swaine & Moore, Freshfields and Allen & Overy were among 48 firms targeted in a cyber-attack which used keywords to identify draft merger agreements, letters of intent and confidentiality agreements to implement what Lim described as “algorithmic insider trading.” As an approach to insider trading, it is largely without precedent. However, law firms have previously been identified as source of weakness when securing secrecy in M&A dealings.


According to Peter Armstrong, cyber director at Willis Finex Global, a risk management firm, as repositories of highly sensitive confidential information, law firms are constantly under threat from cyber criminals.


As Armstrong explained to The Law Society Gazette (UK): “Firms aggregate sensitive information, such as on mergers and acquisitions, and so are very high on the target list of both organised criminals and nation states.”


With almost four generations of lawyers now working side-by-side in firms, the challenge to improving cyber security can be both ideological and practical. Unawareness of risk and a reluctance regarding technology can be a dangerous combination. As an example, Armstrong noted that some senior partners may disregard law firm security policies preventing the use of cloud-based storage services like DropBox, which may be more open to being compromised.


An Emerging Area of Practice


Conversely, as many lawyers know, the flipside of increased risk is increased demand for legal services. In this regard, cybersecurity is no different – and lawyers have been responding.


A cybersecurity hotline established by law firm Herbert Smith Freehills provides clients with up to five hours of advice per month.


As Anne Sutherland, a Herbert Smith Freehills partner, told Australasian Lawyer: “We’re able to strengthen our relationships with clients through helping them with their day-to-day enquiries, and to be their trusted advisers on cyber security issues.”


“We’ve set the hotline up in response to client demand. Cyber security is a significant issue affecting our clients, and many in-house legal and compliance teams are needing advice in this area,” said Sutherland.


Failing to obtain good cybersecurity advice can be commercially costly, as retailer Target found out following a data breach. While the breach cost Target USD $252 million, insurance only covered USD $90 million.


“Companies should consider the appropriateness of obtaining cybersecurity insurance, not only to cover third-party liability (for which some companies may already be covered under their professional indemnity insurance) but also to cover first-party loss and expenses (that is the cost to the company of dealing with a cyber breach, such as data restoration and systems remediation),” said Lim.


As well as these preventative measures, law firms will likely see an increase in litigation related to cybersecurity negligence and fault. This will further contribute to growth in this area of practice.


With the Internet of Things projected to connect 21 billion devices by 2020, data protection and ensuring cyber security will be, more than ever, a priority for companies, governments and law firms.


“Supporting the profession by providing them with a forum to discuss and share experiences about the opportunities and challenges of LegalTech and tech tools is part of the remit of  The College of Law’s Centre for Legal Innovation”, Terri Mottershead, the Centre’s Director said. “All of this can be overwhelming, we want to make sure that the people working on and with these things every day in their firms and legal departments have a place to collaborate and develop practical best practices – that’s been the focus of our events and roundtables to date. We will be rolling out more events directly in or touching on cybersecurity in the second part of this year.”