Yes, with a troubling threat environment and unique vulnerabilities, law firms indeed have data security challenges. But there are strategic opportunities too. When firms are serious about their data safeguards and take concrete steps to strengthen their security profile, they better position themselves for stronger client relationships, lower and better-controlled expenses, and higher revenue.
As always, context matters. The legal services industry has changed dramatically in the last decade, with private practice law firms facing:
- increased competition from nontraditional providers and technology-driven service models;
- the Internet-driven dissolving of historic barriers to remote service delivery;
- the post-recession tightening in companies’ outside legal spend;
- the ongoing shift of work from outside counsel to in-house legal staff;
- the continued consolidation of client work in fewer, preferred law firms with geographic bench-strength or industry/specialty focus; and
- the resulting pressure on mid-sized firms to scale/merge up or to specialize/boutique down.
It’s a more competitive world than ever for attracting and retaining clients. There still will be winners and losers, but now the margin of difference is slimmer. That’s why strategic improvement in a law firm’s data security posture can make a big difference.
Here are three key examples of how better data security is a strategic win for law firms:
1. Meet and exceed client expectations
Improved data security helps the law firm satisfy client security requirements, which are on the rise. The risk and regulatory environment for most clients is compelling them to focus more closely on the security safeguards of their service providers, including their law firms. Client businesses are increasingly seeking law firm assurances on their firms’ data security posture, through security guidelines, security questionnaires, and even third-party audits. Results from the 2018 ABA Legal Technology Survey indicate that 34% of responding law firms have received security requirements or security guidelines from clients or prospective clients (26% for 2-9 lawyer firms, 52% for 10-49 lawyer firms, 66% for 50-99 lawyer firms, 66% for 100-499 lawyer firms, and 68% for 500+ lawyer firms). The all-firm results are up 10% from the 2016 Survey. 20% of the firms have been asked by a client or prospect to complete a security questionnaire – up 33% from 2016. And 11% of the firms have had a client or prospect request an audit or formal review of the firm’s security – up over 80% from 2016.
The Association of Corporate Counsel’s Model Information Protection and Security Controls for Outside Counsel, released by ACC in 2017, provides “inhouse counsel a streamlined and consistent approach to setting expectations with respect to the data security practices of their outside vendors,” including outside counsel.
Clients are also using third-party security ratings firms such as BitSight and SecurityScorecard. These ratings firms perform ongoing external monitoring of the security posture of law firms and other service providers, with dashboard results, benchmarked scoring, and drill-down statistics on problem areas and remediation. Client companies using such services can compare security scores as a consideration in selecting and continuing to use their law firms.
Effective law firm data security is becoming a Have v. Have Not comparison point for clients and prospective clients. Law firms that put themselves in a position to respond quickly, robustly, and with confidence to client data security requirements have an advantage in competitive RFPs, and also in solidifying their existing clients’ confidence that they are using the right firm.
2. Strengthen the firm’s Trusted Advisor brand
Improved data security distinguishes the firm and strengthens its brand as the client’s trusted advisor. Whether or not a firm’s client or prospect is already imposing explicit data security requirements, data security is still a differentiator in a highly competitive market, a marker of expertise and sophistication. Why not be distinctively ahead of the curve, especially while other firms lag behind?
Beyond their expense, security breaches can cause significant embarrassment with existing clients, along with reputational damage to the firm in the competitive legal marketplace. Not all industries are created equal. While customer loyalty may largely survive breaches in the big retailer space, firms suffering breaches in the professional services sectors have a far harder time rebounding. An improved security profile helps insulate law firms from damage to or loss of important client relationships.
3. Control expenses and keep focus on relationships and revenue
Improved data security helps law firms anticipate and control expenses. Breaches can be expensive, with unplanned, unbudgeted response costs and liability exposures. Cyber coverage for first-party response costs and third-party breach liabilities can help with out-of-pocket expenses, subject to coverage limits and retentions.
But the most expensive aspect of a data breach is uninsurable – management distraction. No breach has ever happened at a convenient time. Data breaches are disruptive, extraordinarily so for the unprepared, and the drain on management time and focus can be immense. In law firms, where time means either current or future revenue, this loss of focus can significantly damage financial results.
Improving a firm’s data security posture requires leadership commitment and management effort. But that is a strategic investment, in a planned and controlled manner – time spent strategically, on the law firm’s terms, not the hackers’. And this investment is minor compared to the disruptive, uncontrolled, and unbudgeted repercussions of a significant data security event.
Firms that are serious about attaining better data security save significant time and money in the long run. They also keep their focus where it should be – on increasing their revenue and strengthening their client relationships.