720-891-1663

Attorney and Accountant Support

Six Critical Cyber Security Questions to Ask Your Attorney and Accountant

Whether you are shopping for an attorney or an accountant...or already have an existing relationship, you need to understand that these professionals know more about your deep, dark secrets than anyone. But as we have seen recently with New York law firms Cravath, Swaine & Moore and Weil, Gotshal & Manges, as well as Panama Papers law firm Mossack Fonseca, that information may - or may not - be secure. (In many cases, unless your engagement agreement calls for it, you may have no redress for any losses.)

It used to be that those documents lived in large file cabinets in your firm's offices, and all you needed to worry about was someone breaking in and carting away your valuable papers. But, that meant the thief had to be in the city where the office was, had to understand the company's filing system, had to be willing to break into the building with the possibility of being caught and, to do this at any scale, needed a large truck and some helpers with strong backs.

None of that is true anymore. The "papers" live as bits on a computer somewhere, possibly in "the cloud". Those bits can be accessed from anywhere on the planet, often with only a user id and password. The likelihood of being caught while hacking the firm (and your private data) from Outer Slobovia is almost zero. And the ability to steal vast quantities of data has become commonplace. Even if these hackers are identified, the likelihood of the hacker being arrested, prosecuted and convicted is almost zero.

While the amount of data stolen from the New York law firms has not been released by the FBI, the volume of files taken from Mossack Fonseca amount to 2.6 Terabytes. If we assume one printed page is about 2,000 characters, this haul represents about 1.3 billion pages.

Clearly, this means that we, as the owners of our private data, need to start holding our law and accounting firms to a higher standard.

To be clear, no law or accounting firm wants their client's data to be hacked, but preventing that takes work, may be inconvenient and likely will take time and money. And it is common knowledge in the cyber security industry that these professions are WAY behind the power curve on this issue. That leaves them...and you ...exposed.

So what are the SIX BASIC QUESTIONS you should ask?

  1. As my attorney (or accountant), what are your legal and/or ethical responsibilities to protect my personally identifiable information (PII) and other sensitive data and information associated with our relationship? Currently, attorneys and accountants have limited legal responsibility to disclose breaches unless non-public personal information or protected health information is involved. Some clients are including a requirement to disclose breaches in their engagement agreement or contract terms. Professional society ethics standards, which vary from state to state, may require disclosure of a breach to a client, especially if that breach may have a significant effect on the engagement - such as with an attorney where information important to a lawsuit is disclosed. The American Bar Association model ethics clauses do require the disclosure of breaches, but that model clause has not been adopted in all states. Therefore, while legal and ethical responsibilities are evolving and being worked out, you as the customer can insist on the safeguards and protections suggested in this document.

  2. Who in your office has the ultimate responsibility for protecting the sensitive information described above? The person responsible should be at the executive and/or partner level; someone with decision-making authority who can create policy for the organization.

  3. Are these responsibilities defined in the engagement letter or contract between your firm and my firm (or myself)? Such language may commit your attorney or accountant to certain responsibilities, therefore do not be surprised if the engagement agreement does not include it. However, from your perspective, you want this language...otherwise your interests are not correctly protected. You are the customer, so it is your right to insist that the following topics be addressed in the engagement letter:
    1. Steps the firm will take to protect your information - including safe email procedures
    2. How the firm will limit access to that information to people with "a need to know"
    3. What information security policies have been put into place to govern the protection of your information
    4. When and how the firm intends to notify you in case of a breach of information

  4. Who has access to my information and how does your firm insure that those with access protect my information? Many people within a firm have access to your information on a regular basis, but professionally managed client data can be protected via systems which control data access. Access to your data should be controlled by a "Client Data Protection Policy." Ask to see a copy of this policy. In addition, access to data should be logged and records retained for a reasonable period.

  5. What other steps do you take to insure that the information described above is correctly protected? A law or accounting firm that takes protection of client data seriously, should be engaged in a number of activities designed to protect your information. Such activities should include (but not necessarily be limited to) the following:

    a. Cyber security policies and procedures for a wide-range of activities, including those described here
    b. Security awareness training for staff
    c. Correct firewall configuration and logging
    d. Encrypted work stations, personal computers, laptops, tablets and phones
    e. Proper passwords and password management systems for all devices, including use of two-factor authentication, where appropriate
    f. Proper remote access management
    g. Email security
    h. WiFi management
    i. Software patch management
    j. 3rd-party vendor management
    k. An incident response plan

  6. What are your policies and procedures regarding notifying me in case of a cyber breach? Different states have different requirements regarding breach notification. In many instances, a business may not even know that it has suffered a breach, but in those cases when it DOES know that it has suffered a breach, what is the firm's responsibility to you? This should be clearly discussed in your engagement agreement.

For legal and accounting firms, that means that they need to have a formal (i.e. written) information security program with a partner or executive in charge. Notice we did not say a manager - not even a director. Security needs to start at the TOP because executive endorsement and support are an absolute necessity. For most firms, that also means engaging outside expertise to assist. We can provide that. But getting started is the first step.




Please call us at 303-997-5506 for more information.

Bloomberg reports that a law firm is threatening class action lawsuits to force other law firms to take their cyber security responsibilities seriously. Learn more...


See Mitch's blog post re: Dr. Solove's comments about the cyber problems law firms face. Go here...


"Law firms are facing grave privacy and security risks. Although a number of firms are taking steps to address these risks, the industry as a whole needs to grasp the severity of the risk. For firms, privacy and security risks can be significantly higher than for other organizations. Incidents can be catastrophic. On a scale of 1 to 10, the risks law firms are facing are an 11."--Professor Daniel Solove-John Marshall Harlan Research Professor of Law at the George Washington University Law School

z z