Are you aghast over Hacks at top law firms?
On the day before April Fool, the Corporate Counsel headline was “GCs Are Aghast Over Hacks at Top Law Firms”, as if that fact should be newsworthy.
Just as it was once observed that, “A fool and his money are soon parted,” in this day of cybercrime, the au courant observation should be, “So you got hacked. Were you prepared for it and is my data safe?”
In-house counsel cannot rely on outside law firms for cybersecurity
It is both ineffective and dangerous to rely upon outside law firms to manage and store confidential and sensitive company information. The problem is particularly acute with large law firms with many clients requiring “Chinese walls” of separation within the firm to avoid serious conflicts of interest.
Confidential and sensitive documents, particularly original hard copy and unencrypted ESI should never leave the custody and control of the Company. Responsibility for document management during litigation should always remain in-house. It is difficult enough for a company to manage its own cybersecurity without having to worry about cybersecurity at a large time billing outside law firm.
Should law firms ever assume responsibility for client documents?
“No!” In fact, “Never!”
In their enlightened self-interest, outside law firms, regardless of their size, should insist, as a condition of engagement, that maintaining the cybersecurity of confidential and sensitive client information shall be the responsibility of the client not the law firm.
This admonition may appear to be counterintuitive because it suggests eliminating a major profit center from the litigation departments of large time billing law firms, and substantially reduces the potential for “leveraging” the time of Associates and paralegals. Nevertheless, it reduces the cyber security risk and limits dramatically the potential for firm-busting liability, but it does not reduce the effectiveness of the litigation team responsible for the trial.
When the actual physical documents are required, the client can produce them, otherwise, the attorneys can access them in read-only format protected from download on a segregated, limited access database maintained under the supervision and control the client.
Only the attorneys with matter specific “need to know” should be able to access the specific matter database and their access should require multiple authentication and should be logged. Of course the matter specific database should be fully encrypted.
If documents need to be worked on collaboratively, edited or otherwise modified in some kind of editable format, that work should be done on an independent matter-specific server or blade with multiple authentication access control and logging, full encryption of the documents, and strict version control with lockout.
Once editing and modification of a document is completed, the final electronic version of the document should move from the interactive editing server to the matter specific database in read-only format. Any hardcopy materials associated with the document can be identified and stored by the client.
Cost-effective cybersecure document management during litigation
Managing document discovery in-house, particularly E-discovery, limits the risk of a cybersecurity breach by 50%. Instead of two potential sources of opportunity and attack portals for a cyber security breach, there is only one.
It should be readily apparent to any in-house counsel who has reviewed the billings of an outside law firm managing discovery, particularly E-discovery during active litigation, that a great deal of the time billed by Associates and paralegals at the outside law firm represents services which could be performed in-house and would be considerably less expensive even if temporary contract workers were required. Managing discovery in-house means one less layer of overhead expense and no additional markup on any outside contract services required.
If in-house counsel has the wisdom to retain an independent barrister as Discovery Counsel, the entire discovery process can be streamlined with substantial cost savings. It does not take an entire litigation department, much less a full service time billing law firm to manage discovery, particularly E-discovery. It only takes one experienced litigator — an American barrister — totally committed to the discovery effort and responsible only to in-house counsel and the Court.
In-house counsel who ignore these simple cybersecurity housekeeping precautions during litigation invite breaches of data security.
The only question is when they will occur.