Law firms are very attractive targets for hackers because of the huge amounts of sensitive and confidential information in their care, custody, and control. By hacking into one law firm network, a cyber criminal can gain access to information on hundreds or thousands of companies and individuals. But direct attacks on law firm systems are not the only way a cyber criminal can succeed. Indirect attacks, through the firm's vendors, can be just as powerful and are often easier.
Third-party vendor risk management is one of the biggest challenges law firms of all sizes face today. Given the current privacy regulatory environment, a data breach brings significant financial and reputational fallout for the firm. As digital connections between law firms and vendors continue to increase, the risk of a breach via those connections increases as well. Law firms outsource many non-legal functions, such as e-discovery, legal research, billing, copying, and IT. In addition, law firms – like all companies – rely on a host of other business vendors, such as accountants, payroll companies, advertisers/marketers, and travel agencies. All of these vendors are likely connected digitally to the firm’s network, and the firm is likely sharing data with all of them. That data may be employee data, client data, or a combination of both.
In July 2017, a company named Sabre Hospitality Solutions, which facilitates the booking of hotel reservations made by individuals and companies through travel agencies, suffered a breach of its booking system. Many high-profile law firms, including Jones Day and Alston & Bird, were directly impacted by this breach because they used Sabre to book business travel for their employees.
Firms cannot outsource their responsibility to protect personal and confidential information in their care, custody, or control. Firms will be held accountable for decisions relating to their choice of third-party vendors and outsourced service providers. Accordingly, it is crucial for firms to implement a robust third-party vendor risk management program. Below are some tips and considerations:
STEP 1: THE LAY OF THE LAND
The first step, of course, is getting your arms around what you have. Questions to ask:
- How many third-party vendors or business partners do we have?
- Which ones do we share client or employee sensitive/confidential information with?
- How much data is shared?
- How is it shared?
- Exactly what kind of data is being shared – medical information, financial information, corporate information?
STEP 2: CONTRACT REVIEW
Look at the contracts you have in place with your vendors. Refresh your recollection regarding the specific terms of your agreements.
- Do the agreements set forth what happens if there is a breach of the vendor’s system that impacts our data – data for which we are considered the owner?
- Are they required to notify us within a certain time frame?
- If there is a breach, do we want the vendor to notify our employees and clients directly, or would we rather be involved in that communication?
- Do the agreements mandate the vendor be in compliance with relevant state, federal, and foreign privacy laws?
STEP 3: DUE DILIGENCE
Review your vendor selection process and, perhaps more importantly, the level of ongoing due diligence you conduct on these vendors. The cyber threat environment changes every day, so a one-time check at onboarding is not enough. Ongoing due diligence is a key component of any third-party vendor risk management program.
STEP 4: INSURANCE
Note whether you currently require your vendors to maintain cyber insurance. Also ask:
- Does our firm carry comprehensive cyber insurance with dependent business interruption coverage?
- Do we conduct annual or periodic reviews of our vendors’ insurance programs?
Our Cyber and Law Firm Service Team is available to answer any questions you may have about cyber insurance or third-party vendor risk management.
This material is for informational purposes only and not for the purpose of providing legal or insurance advice. Insurance coverage, and the terms and conditions relating to such coverage, will vary. EPIC is not a law firm and does not provide legal advice. If such advice is needed, consult with a qualified adviser.
The Law Firm Service Team of Lemme, a division of EPIC Insurance Brokers & Consultants, specializes in assisting law firms worldwide with the procurement of insurance coverage. Our team provides personal, proactive, timely and exceptional service while being fully transparent and accountable to our clients. We do not believe in the status quo. Experienced, results driven brokers negotiate creative insurance solutions while also offering best practice advice, valuable insight and risk management services for our law firm clients.