Four out of five corporate law firms operating in Texas have experienced a “cyber incident” or an actual data breach during the past two years, according to an exclusive new Texas Lawbook survey.
Forty-two of the 49 business law firms surveyed report that they were victimized by a cyber attack in 2017 and 2018.
Exclusive Texas Lawbook research found that 31 of the 49 firms, which represent companies in litigation, regulatory and transactional legal matters, say their operations suffered a “breach of law firm data” during the two-year period.
Thirteen law firms confirmed that they have experienced multiple such incidents.
The full results of The Texas Lawbook survey will be released this Thursday at an exclusive CLE program hosted by the Cyber Law Consortium and Aon’s Cyber Solutions. The CLE lunchtime program features an all-star panel that includes Match Group Chief Legal Officer Jared Sine, Aon’s Cyber Solutions Vice President of Engagement Management John Ansbach, Akin Gump partner and cybersecurity practice group co-leader Michelle Reed and Locke Lord director of security Andy Sawyer.
For more details or to attend the CLE program, which is being conducted at the new Dallas office of Akin Gump, contact Texas Lawbook publisher Brooks Igo at brooks.igo@texaslawbook.net.
“The survey confirms what many of us have long suspected: law firms in Texas – and the professional-service providers and vendors they work with – are actively targeted by cyber attackers,” says Aon’s Cyber Solutions Vice President of Engagement John Ansbach, who is an expert on cybersecurity.
While The Texas Lawbook data focuses only on corporate law firms, Ansbach and other legal and data privacy experts say accounting firms, consultants and other professional service businesses are equally as vulnerable and may face even more significant threats.
Ansbach, the former general counsel at General Datatech, said that law firms – large and small – are “attractive targets for cybercriminals motivated by factors such as financial gain, activism or national interests because of the secret, material and potentially valuable client information they possess.”
“In some cases, especially for smaller firms with less resources available for cybersecurity, the information is more accessible to cyber attackers through the law firm than through their more cyber-secure clients,” he said.
Locke Lord’s Sawyer agreed that law firms are especially high-value targets because of the confidential client information they possess. He points out that Locke Lord has had a “comprehensive information security management system” in place for a decade.
“The threat landscape is ever-evolving with attack sophistication running the gamut,” Sawyer said. “A sound cybersecurity program includes equally sophisticated preventive, detective and corrective systems to counter threats and address risk. A comprehensive security awareness educating our attorneys and staff, our human firewalls, is as important as sophisticated cyber-defense systems.”
Sine, the chief legal officer at Match Group, said his company has its outside vendors, including law firms, agree to data protection addendums in their contracts that require firms to comply with best industry practices.
“Law firms hold some of the most sensitive and confidential information that companies have,” Sine said. “Lawyers are really good at providing legal advice, but they don’t often think like business leaders who need to understand the risks they face.
“A major data breach at one of our law firms is a terrifying thought,” Sine said.
Other corporate general counsel agree.
“I’m very worried about data breaches at the outside law firms we use,” Robb Voyles, general counsel of Houston-based Halliburton, told The Texas Lawbook in a recent interview. “We are in the process of putting in new requirements regarding data privacy in our agreements with our law firms.”
The Texas Lawbook survey found that 44 of the law firms – or 90% – reported that vendors that they use have experienced data breaches.
“The good news is there appears to be a strong recognition by law firms in our community that cyber attack is a major threat to them, even more so than just a couple of years ago when we first asked that question,” Ansbach says.
All 49 firms surveyed identified cyber attacks as a top-three risk. Two out of three firms said cybersecurity is their biggest risk.
“That awareness is the good news,” Ansbach says. “The challenge for law firms is the outstanding need to mount a response to this risk. Fifty-five percent of law firms surveyed – more than half – said they did not have someone devoted full time to helping the firm defend against cyber-attack.”
Reed, an Akin Gump partner who has represented several companies and professional services firms that have experienced data breaches, said the survey shows that cybersecurity is taken more serious than in the past. But she said there remain significant gaps.
“Every business and professional services company has a cyber-response plan, but very few actually test their programs,” she said. “When there is a real breach, they are unprepared.”
Reed said “accountability and oversight” are critical components of a successful cybersecurity effort.
“There has to be someone responsible for owning cybersecurity, and that person has to have the authority to do something about it,” she said.
The Texas Lawbook and the corporate general counsel at more than a half-dozen Texas companies, including American Airlines, AT&T, Conduent and Masergy, developed the survey. The Texas Lawbook used the survey to question lawyers and leaders at 58 law firms that have offices in Austin, Dallas and Houston. Nine firms declined to be surveyed.
Law firm leaders also answered questions ranging from the costs of their cyber incidents and the number of clients that were impacted by the breaches to the breadth and depth of their own cybersecurity and data privacy law groups. The full results of the survey will be detailed Thursday at the CLE program.