
MANAGING YOUR PRACTICE
Clients Demand Law Firm Cyberaudits
An Inevitable Move
By Sharon D. Nelson & John W. Simek
36 OREGON STATE BAR BULLETIN • OCTOBER 2016

Three years ago, there was a collective gasp heard ’round the country the day the press reported that Bank of America Merrill Lynch was auditing the cybersecurity policies at its outside law firms, partly under pressure from government regulators.

The bank’s assistant general counsel, Richard Borden, stated that Bank of America is “one of the largest targets in the world” for cyberattacks, and that law firms are “considered one of the biggest vectors that the hackers, or others, are going to go at to try to get to our information.”

Regulators at the Office of the Comptroller of the Currency, which oversees the bank and other financial services companies, “have focused on law firms,” said Borden. “They are coming down on us about security at law firms. So we have no choice but to check the information security and to audit — to actually audit — the information security of our law firms that have confidential information. We spend a lot of money and use a lot of law firms, so this is casting a very wide net.”

Pay Now or Pay Later

Amid much hand-wringing, the prophecy that law firms would be forced to confront their data security shortcomings has finally come true. Clients now want, as do regulators, assurance that law firm data is being adequately protected. The receipt of information security audits, more politely termed “assessments,” is now a regular occurrence at many law firms. They come not only from clients, but from insurance companies offering cyber insurance — but they want to know what they are getting into first!

Though law firms are not thrilled about lifting their data security skirts for inspection, this move was inevitable. For way too long, most law firms have paid scant attention to information security.
We are hoarse from explaining that it is a “pay now or pay later” proposition — either law firms get serious about guarding their client data and spend the monies to do so — or they will pay later when a data breach causes them to require the services of digital forensics experts to investigate the breach and an outside lawyer to advise them of their legal responsibilities. They will also incur the costs of remediating the vulnerabilities and the costs associated with complying with state data breach notification laws. (Currently, 47 states have such laws.)

The big firms have gotten the word. Previously, some clients have wanted to see law firm security policies. Some have allowed law firms to effectively audit themselves. Today, clients want to see if security policies and plans are actually being followed. And they want independent third-party audits, sometimes including penetration testing.

As clients have woken up to the potential vulnerabilities of law firms, they are demanding much, much more in the way of security — it is clear that clients are leaving firms that don’t meet their security expectations. Hence the fairly sudden desire to get secure. In the AmLaw 200 in 2015, firms were reported to be spending an average of 1.9 percent of gross revenues on cybersecurity — and that can amount to as much as $7 million a year. That is an extraordinary change, to say the least.

A Small Question of Ethics

This whole topic is hot, hot, hot — and it shows on the lecture circuit. Colleague Dave Ries sent a hypothetical currently being used for discussion in a CLE. The bulk of it was developed by the general counsel of Buchanan, Ingersoll & Rooney. It goes like this:

Prior to being hired as counsel for Genetics-R-Us [“GRU”], Dewey, Cheatham & Howe must meet certain GRU security requirements. GRU has stringent security requirements for its service providers, including law firms.
Lawyer 1 and Lawyer 2 are meeting with Dewey’s technology director to discuss GRU’s security requirements and a questionnaire about security that GRU has asked the law firm to complete. The tech director says that the firm meets most of the requirements, but not all of them. It will take weeks, or perhaps months, to comply with all of them. Lawyer 2 tells him: “We have to tell the truth, but put our best foot forward and stretch things a little if you have to. I’d hate to lose this work because you