Law firms face significant data security threats. But there’s good news for law firms on data security. When firms are serious about their data safeguards and take concrete steps to strengthen their security profile, they better position themselves for higher revenue, lower and better-controlled expenses, and stronger client relationships.
As always, context matters. The legal services industry has changed dramatically in the last decade, with private practice law firms facing (a) increased competition from nontraditional providers and technology-driven service models; (b) the Internet-driven dissolving of historic barriers to remote service delivery; (c) the post-recession tightening in companies’ outside legal spend; (d) the shift of work to in-house legal staff; (e) the ongoing consolidation of client work in fewer, preferred law firms with geographic bench-strength or industry/specialty focus; and (f) the resulting pressure on mid-sized firms to scale/merge up or specialize/boutique down. There’s no viable “let’s simply wait it out” option in the face of these trends. In short, it’s now a far more competitive world for attracting and retaining clients. There will continue to be winners and losers, but now the margin of difference is slimmer.
And this is the “there must be a pony in here somewhere” epiphany – in this highly competitive environment, strategic improvement in a law firm’s data security posture can, more than ever before, make a huge difference.
Here are three examples of how better data security is a strategic win for law firms:
1. Improved data security helps the law firm meet or exceed client security requirements, which are on the rise.
Client businesses are increasingly seeking law firm assurances on their firms’ data security posture. The regulatory environment for most clients is compelling them to focus more closely on the security safeguards of their service providers, including their law firms. For example, the Association of Corporate Counsel’s Model Information Protection and Security Controls for Outside Counsel, released by ACC in 2017, provides “in-house counsel a streamlined and consistent approach to setting expectations with respect to the data security practices of their outside vendors,” including outside counsel.
Results from the 2017 ABA Legal Technology Survey confirm this trend:
- 35% of responding law firms have received security requirements or security guidelines from clients or prospective clients (24% for 2-9 lawyer firms, 44% for 10-49 lawyer firms, 62% for 50-99 lawyer firms, 73% for 100-499 lawyer firms, and 79% for 500+ lawyer firms). The all-firm results are up 13% from the 2016 Survey.
- 21% of the firms have been asked by a client or prospect to complete a security questionnaire – up 40% from 2016.
- 11% of the firms have had a client or prospect request an audit or formal review of the firm’s security – up over 80% from 2016.
Effective law firm data security is becoming a Have v. Have Not comparison point for clients and prospective clients. Law firms that put themselves in a position to respond quickly, robustly, and with confidence to client data security requirements have an advantage in competitive RFPs, and also in solidifying their existing clients’ confidence that they are using the right firm.
2. Improved data security demonstrates the law firm’s sophistication and strengthens its Trusted Advisor brand.
Whether or not a firm’s client or prospect is already imposing explicit data security requirements (if not yet, odds are they will), data security is still a differentiator in a highly competitive market, a sign of expertise and sophistication. It has always behooved the cobbler to have her kids in fine shoes, and it always will. Why not be ahead of the curve, especially when others are behind?
Beyond their expense, security breaches can cause significant embarrassment with existing clients, along with reputational damage in the competitive legal marketplace. Not all industries are created equal – while customer loyalty may largely survive breaches in the big retailer space, firms suffering breaches in the health, finance, and professional services sectors have a far harder time rebounding (as the Ponemon Institute’s 2017 Cost of a Data Breach Study – United States confirms, yet again, in its industry sector churn rate statistics). An improved security profile helps insulate law firms from damage to or loss of important client relationships.
3. Improved data security helps law firms avoid unanticipated, uncontrolled expense.
We all know that breaches can be expensive, with unplanned, unbudgeted response costs and also liability exposures. Cyber coverage for first-party (response costs) and third-party (liability) exposures can help mitigate the out-of-pocket expenses, subject to coverage limits and retentions.
But the most expensive aspect of a data breach is uninsurable – management distraction. While every breach on which I’ve coached response has been different than the others in one way or another, there’s always a common denominator – no data breach has ever happened at a “convenient” time. Data breaches are disruptive, extraordinarily so for the unprepared, and the drain on management time and focus can be immense. In law firms, where time means either current or future revenue, this lost time and focus can literally blow a hole in financial results.
Sure, improving a firm’s data security posture requires leadership commitment and management time and effort. But that is a strategic investment, in a planned and controlled manner – time spent on the law firm’s terms, not the hackers’. And this investment is pennies on the dollar compared to the disruptive, uncontrolled, and unbudgeted repercussions of a significant data security event. Firms that are serious about attaining better data security save significant time and money in the long run. They also keep their focus where it should be – on increasing their revenue, controlling their expenses, and strengthening their client relationships.