Business of Law

Bank's new cybersecurity audits catch law firms flat-footed

  • Print

Under pressure from federal regulators, who are concerned about lax cybersecurity at law firms, the Bank of America Merrill Lynch has begun conducting audits on the law firms it does business with, to verify what they are doing to protect sensitive information.

Although experts have been warning for some time that such audits were looming, a number of law firms have been caught flat-footed, assistant B of A general counsel Richard Borden told attendees at a recent conference for top in-house lawyers, Corporate Counsel reports.

Similar audits may be looming in the United Kingdom, where regulators also are concerned that law firms may represent the “soft underbelly” of clients, such as defense contractors, that are likely to be targeted by hackers, according to ITV News.

And in both the U.S. and north of the border, law firms and their clients are increasingly concerned about cybersecurity issues and how best to address them, Canadian Lawyer Magazine reports. Many insurers are now require that compliance programs be in place before they will place coverage for cybersecurity risks, the article notes.

“It’s been really interesting dealing with the law firms, because they’re not ready,” said Borden, an in-house cybersecurity lawyer who has been helping the group that’s auditing the Bank of America’s outside counsel. “Some of them are, I should say, but there are many that aren’t. And it actually does pose a threat.”

Auditors are looking to see if the law firm has a cybersecurity plan, he told Corporate Counsel, and, if so, whether it is followed. Since mobile electronic devices are a likely weak area, one issue is whether confidential information sent to them is encrypted. Additionally, unwary employees clicking on malicious links in email remains a common cause of problems, just as it has been for years.

In a series of SANS Institute transcripts first posted over a year ago, director of research Alan Paller described a chilling conversation with a law firm managing partner and information technology partner concerned about a recent visit from the FBI, as an post previously discussed.

Lou Milrad of Milrad Law in Toronto tells the Canadian Lawyer that coordination between the legal department and the information technology department is a critical step in dealing appropriately with many cybersecurity issues and related intellectual property and privacy matters.

“My big concern, quite frankly, is that the IT departments are not reaching out to the in-house counsel and making them part of the team that does the evaluations,” he said. “There can be quite a few risks around breach of privacy, IP violations, and that kind of thing.”

For example, many employees use a personal electronic device for work purposes, he points out. Will the company be able to audit or inspect the device before the employee leaves for another job or is fired?

See also:

ABA Journal: “Lax data security can cost you clients”

ABA Journal: “Cyberspace Under Siege” “Unaware ‘Anonymous’ Existed Until Friday, Partner of Hacked Law Firm Is Now Fielding FBI Phone Calls” “Law Firm, Police Hit By Hack Attacks; Lawyer Cell Phone Records Reportedly Accessed”

Give us feedback, share a story tip or update, or report an error.