CLOC: Legal Operations need to assess vendors’ cybersecurity

published on Cybersecurity, General Counsel
Legal Operations need a standard way to assess the cyber-security of third-party vendors, including law firms and technology providers, according to CLOC.

In a post-conference report by CLOC (Corporate Legal Operations Consortium), it was noted that legal operations’ knowledge of cyber-security is typically limited. They emphasised that when talking about corporate legal operations and cyber-security, it’s not only about data housed in the company itself, but also data that travels to third parties, such as external law firms.

Cybersecurity is a growing concern for companies and one that’s not going away any time soon. In fact, according to a 2017 Ponemon study, companies face a 27.7% likelihood of being involved in a recurring material data breach over the next two years.

Once thought of as strictly an IT issue, data protection is now an area where Legal Counsel are increasingly expected to be on the front foot. But is Legal supported by the tools and know-how needed to be effective in preventing these risks?

While you may think that the sensitive emails or documents you share with law firms are kept safe, law firms are not immune to data breaches. In fact, a 2017 LogicForce study on law firm security found that every law firm assessed had been targeted by cyber-criminals in the past year. Worse still – approximately 40% did not know they had been breached – casting a lot of doubt over the attention paid to keeping client data safe.

For this reason, it’s no surprise that client security assessments are becoming commonplace, even though they are far from standardised.

Assessing cybersecurity of vendors

CLOC is developing a common set of criteria and methods to help corporate legal departments better scrutinise the cybersecurity of third parties. This involves legal departments assessing all vendors – law firms and technology providers alike – at onboarding and every six months thereafter, undertaking the following:
  • Auditing vendor responses (rather than relying on self-reporting)
  • Leveraging security assessment information (e.g. held within a matter management or e-billing tool)
  • Offering remediation advice to help vendors improve their own security
  • Benchmarking vendors
This is an intensive ongoing assessment, but CLOC deems it necessary for corporate legal departments on the road to security, so we too recommend following it rigorously.

However, it does beg the question – if you’re going to the effort of scrutinising third parties to this extent, what are you doing to audit your internal data security? If your documents and files are scattered everywhere (e.g. saved on employees’ computers or left in email inboxes), you are just as much at risk of a data breach.

An easier solution: a secure online repository built for your legal operations

Since you are tasked with assessing all vendors, including technology providers, why not entrust your data security to a third party that specialises in that area for legal departments? Better still, what if the auditing wasn’t on you? That is, rather than you conducting an audit or relying on their self-assessment, the vendor engages an accredited third party to audit them.

A dedicated cloud-based legal repository (designed specifically for corporate legal departments) offers bank-grade security, helping you securely store, manage and share all corporate legal information across the business and with third parties. Storage is ISO 27001 certified, anti-intrusion software is always kept up to date, data is encrypted, and all transfers are monitored by independent third parties (Norton and McAfee). And because data is mirrored elsewhere in real time, you’ll never fall victim to any sort of data ransom attempt.

If you would like to learn more about internal data security, identifying vulnerabilities, and what to look out for when choosing cloud-based practice management software, then please download our latest whitepaper: Best practices for preventing data breaches and avoiding liability.