secure state
Law firms that represent European clients face greater scrutiny for cybersecurity and privacy. The European Union’s General Data Protection Regulation, which went into effect in May, requires, among other things, law firms based in the EU and those that have EU clients to disclose data breaches to regulators and affected clients within 72 hours of becoming aware of the breach, regardless of whether the investigation is complete. The legal industry is one of the most targeted sectors for a cyberattack because of the trove of information it possesses about clients and cases. In a profession based on precedent and history, the legal sector often has been slow to adapt to new risks and technological changes. One alarming statistic is that cybersecurity company Mandiant estimates at least 80 of the 100 largest firms in the country, by revenue, have been hacked since 2011. As law firms wade into cybersecurity best practices, the glaring reality is most law firms are not prepared to respond to a major breach. According to the ABA TechReport 2017, only 26 percent of responding firms had an incident response plan in place to address a security breach, and only two-thirds with 500 lawyers or more had such a plan in place. These plans were not a priority with smaller firms, as 31 percent of firms with 10 to 49 lawyers, 14 percent of firms with two to nine lawyers, and 10 percent of solo practices had such plans. A top priority for many in-house counsels now is to make sure their outside law firms are in compliance with the rigid requirements of the GDPR. As alluded to already, the GDPR extends existing regulations to any enterprise processing data about EU citizens; and failure to meet these requirements risks fines of 20 million euros or 4 percent of a company’s annual global turnover, whichever is greater. Thus, companies are understandably focusing a lot of attention on ensuring their outside law firms are up to speed in their cybersecurity protocols. 
However, it is not just the GDPR that in-house counsels should be thinking about, as one of the “sleeper issues” of 2018 is Chinese cybersecurity rules. China has been rolling out rigorous cybersecurity regulations (some have already taken effect and others will later this year), and some of these obligations include an analysis of cybersecurity programs, assessment of data transfers out of China, and a requirement that certain companies share information about cybersecurity with the Chinese government.

Karen Painter Randall is a partner and certified civil trial attorney in the Roseland, New Jersey, office of Connell Foley, where she’s chair of the firm’s cybersecurity and data privacy practice group. Steven Kroll is a partner at the firm and works with businesses regarding the ever-evolving issues related to cybersecurity and data protection. He provides awareness training for employees on issues related to cybersecurity.

This article was published in the August 2018 ABA Journal magazine with the title "The customer is always right: How clients are pushing their outside counsels to adopt stricter cybersecurity standards and protections."