The significant financial and reputational impact of data breaches at law firms was most recently demonstrated last month when Heidell, Pittoni, Murphy and Bach agreed to pay $200,000 (in addition to the $100,000 already paid to recover their stolen data) to settle a data breach lawsuit after cyber criminals stole sensitive health-related information, social security numbers, drivers’ license numbers, and biometric data belonging to over 100,000 individuals. Not only did the lawsuit claim that the breach was due to poor security practices, but the investigation also found that the breach was a violation of HIPAA given the firm’s relationship with hospitals. This suggests that law firms can be held to industry-specific regulatory standards based on the nature of the clients they work with, further reinforcing the need to have robust security programs and controls in place.
To help mitigate these risks, law firms need to implement a robust third-party risk management program (TPRM) that enables them to identify, assess, and mitigate third-party risks effectively. This article will explore the key components of an effective TPRM program for law firms and provide practical tips for implementing a program that ensures a secure and sustainable business environment.
The Importance of Third-Party Risk Management Programs for Law Firms
The legal industry is a highly attractive target for cybercriminals because of the valuable and sensitive information law firms store, including trade secrets, patents, trademarks, social security numbers, mergers and acquisitions data, and other confidential information. While many law firms have implemented robust cybersecurity measures to protect their own networks and systems, they still face significant risk from third-party vendors.
To mitigate the risks associated with third-party breaches, law firms must develop a robust TPRM program. The first component of such a program is identifying the third-party vendors that have access to the firm’s networks and systems, and the data each of them can access. This inventory lets the firm assess the risk associated with each vendor and require remediation of deficiencies in a vendor’s security posture before they become the firm’s problem.
Law firms are increasingly required to implement these programs to comply with regulatory standards and with their ethical obligations to clients. Failure to adequately assess and manage vendor risk is a violation of the ethical obligation to protect client data. In addition, having a program that provides visibility into the security posture of vendors is required to comply with many regulatory standards and frameworks, such as PCI, SOC 2, ISO, and NIST.
If adequate controls aren’t in place, a client may be reluctant to work with that law firm and there may be legal ramifications. A great example of the consequences of inadequate security practices is the 2021 Johnson & Bell lawsuit, where the firm was described as “a data breach waiting to happen”. They were sued by clients who alleged that the firm failed to adequately protect their sensitive information, including social security numbers, medical records, and other personal data. The lawsuit accused Johnson & Bell of negligence and breach of contract, among other claims.
The Consequences of Third-Party Breaches
Cybersecurity breaches continue to plague the legal industry, with approximately 25% of law firms experiencing a breach at some point. These incidents can have devastating consequences for law firms and their clients, as demonstrated by the exposure of data belonging to 750,000 Americans due to law firm breaches. The consequences of such breaches can include financial losses, reputational damage, and potential lawsuits.
There are countless examples beyond the Heidell, Pittoni, Murphy and Bach breach mentioned above where breaches can cause irreparable harm to law firms, both financially and reputationally. One of the most well-known examples is the Panama Papers leak in 2016. A group of journalists received sensitive documents from the Panamanian law firm Mossack Fonseca, which contained information on more than 214,000 offshore entities related to 140 politicians and others, leading to the closure of the firm.
The costs of managing a breach can also be substantial, including the expenses associated with incident response, forensic investigations, and legal fees. The average cost of a data breach amounts to $4.24 million. A staggering 60% of all breaches happen via third-party vendors, making it critical to have a third-party risk management program in place.
The Importance of Conducting Regular Assessments of Existing Vendors and Vetting Potential New Vendors
The second component is regular security assessments and audits of third-party vendors. This is critical for identifying potential security risks and vulnerabilities that may exist in the vendor’s systems or processes. These assessments help ensure that vendors meet the security requirements set forth by the law firm and take appropriate measures to protect the confidentiality, integrity, and availability of the law firm’s data.
During the vendor vetting process, due diligence is also crucial to identify potential risks associated with a particular vendor. This includes assessing the vendor’s security policies and procedures, data protection measures, and compliance with relevant regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The Role of Continuous Monitoring of Third-Party Risks in the Legal Industry
The third component is continuous monitoring. Continuous monitoring plays a critical role in third-party risk management in the legal industry because it enables law firms to detect and respond to adverse changes in a vendor’s security posture in real time, reducing the window in which a breach can occur.
Through continuous monitoring, law firms track the security posture of their vendors over time by analyzing the vendors’ internet-facing attack surface for exposed services, weak configurations, and known vulnerabilities. When an adverse change is detected, the firm is notified immediately so the issue can be remediated promptly. Continuous monitoring therefore fills the gap between periodic assessments, giving the firm ongoing assurance that vendors are meeting their security obligations.
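As an added illustration of the inventory step described earlier (which vendors have access to what data) and the continuous-monitoring step in this section, the following Python is example code written for this article; it is not ProcessBolt’s code or any product’s schema. The vendor records, data-sensitivity weights, and the two attack-surface snapshots are constructed sample data, and field names such as `min_tls`, `cert_expiry` and the finding identifiers are assumptions chosen for the example. It assigns each vendor a risk tier from the data it handles, diffs two posture snapshots to find adverse changes (newly exposed ports, a lowered TLS floor, an expiring certificate, new findings), and orders the resulting alerts so the highest-tier vendors are reviewed first.

```python
from dataclasses import dataclass
from datetime import date

# Weight of each data category a vendor handles; these weights are an
# assumption for the example, not a standard.
DATA_WEIGHTS = {"PHI": 3, "M&A": 3, "PII": 2, "IP": 2, "public": 0}


@dataclass(frozen=True)
class Vendor:
    name: str
    network_access: bool   # has VPN, SSO or API access into the firm's systems
    data_types: tuple      # categories of firm or client data the vendor handles


def risk_tier(vendor):
    """Tier a vendor by the sensitivity of the data and access it has."""
    score = sum(DATA_WEIGHTS.get(d, 1) for d in vendor.data_types)
    if vendor.network_access:
        score += 2
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Posture:
    """One snapshot of what external monitoring observes for a vendor."""
    open_ports: frozenset   # TCP ports reachable from the internet
    min_tls: str            # lowest TLS version the vendor's endpoints accept
    cert_expiry: date       # expiry of the public certificate
    findings: frozenset     # ids of known issues (placeholder strings here)


def _tls_key(version):
    # "1.2" -> (1, 2) so versions compare numerically, not as strings
    return tuple(int(part) for part in version.split("."))


def adverse_changes(old, new, today):
    """Return human-readable descriptions of changes that worsen posture."""
    changes = []
    added_ports = new.open_ports - old.open_ports
    if added_ports:
        changes.append(f"newly exposed ports {sorted(added_ports)}")
    if _tls_key(new.min_tls) < _tls_key(old.min_tls):
        changes.append(f"minimum TLS lowered from {old.min_tls} to {new.min_tls}")
    days_left = (new.cert_expiry - today).days
    if days_left <= 14:
        changes.append(f"certificate expires in {days_left} days")
    new_findings = new.findings - old.findings
    if new_findings:
        changes.append(f"new findings {sorted(new_findings)}")
    return changes


TIER_ORDER = {"high": 0, "medium": 1, "low": 2}


def monitor(vendors, previous, current, today):
    """Diff snapshots for every inventoried vendor; highest tier first."""
    alerts = []
    for vendor in vendors:
        if vendor.name not in previous or vendor.name not in current:
            continue  # no baseline or no fresh observation yet
        changes = adverse_changes(previous[vendor.name], current[vendor.name], today)
        if changes:
            alerts.append({"vendor": vendor.name, "tier": risk_tier(vendor), "changes": changes})
    alerts.sort(key=lambda alert: TIER_ORDER[alert["tier"]])
    return alerts


# Constructed sample inventory and snapshots (hostnames are placeholders).
VENDORS = (
    Vendor("ediscovery-host.example", True, ("PHI", "PII")),
    Vendor("billing-saas.example", False, ("PII",)),
    Vendor("newsletter-tool.example", False, ("public",)),
)
SNAPSHOT_PREV = {
    "ediscovery-host.example": Posture(frozenset({443}), "1.2", date(2024, 9, 30), frozenset()),
    "billing-saas.example": Posture(frozenset({443}), "1.2", date(2024, 12, 1), frozenset()),
    "newsletter-tool.example": Posture(frozenset({80, 443}), "1.2", date(2024, 12, 1), frozenset()),
}
SNAPSHOT_NOW = {
    "ediscovery-host.example": Posture(frozenset({443, 3389}), "1.2", date(2024, 9, 30), frozenset()),
    "billing-saas.example": Posture(frozenset({443}), "1.0", date(2024, 12, 1), frozenset({"FINDING-PLACEHOLDER-1"})),
    "newsletter-tool.example": SNAPSHOT_PREV["newsletter-tool.example"],
}
TODAY = date(2024, 9, 20)

if __name__ == "__main__":
    for alert in monitor(VENDORS, SNAPSHOT_PREV, SNAPSHOT_NOW, TODAY):
        print(f"[{alert['tier']}] {alert['vendor']}: " + "; ".join(alert["changes"]))
```

Run as written, the script reports the high-tier e-discovery vendor first (a newly exposed port and a certificate about to expire) and the medium-tier billing vendor second (TLS floor lowered and a new finding), while the low-tier newsletter tool, whose snapshot did not change, produces no alert. In a real program the snapshots would come from an attack-surface scanner and the inventory from the vendor register, but the prioritisation logic, tying alert urgency to the sensitivity of the data the vendor holds, is the part worth keeping.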
The risk of cyber threats from third-party vendors in law firms is significant and requires a comprehensive and effective third-party risk management program. This will enable law firms to reduce the likelihood of substantial financial and reputational damage and ensure compliance with evolving regulatory demands. The three key components of an effective TPRM program are:
- Identify Third-party Vendors
- Regular Security Assessments and Audits of Third-party Vendors
- Continuous Monitoring
ProcessBolt is a leading provider of third-party risk management solutions that can help law firms build a robust and effective TPRM program. Our fully integrated platform includes automated risk assessment and attack surface management functionality, and leverages AI to extract intelligence from vendor evidentiary documentation. This enables law firms to proactively manage third-party risks and comply with regulatory requirements. Law firms should consider partnering with ProcessBolt to build a comprehensive and effective TPRM program. Contact us to learn more.