Recent articles in the Wall Street Journal (paid subscription required) point out an inconvenient truth for many bank law firms: as third party service providers, they, too, must ensure that their information security systems are “up to snuff.”
Big banks are demanding that their law firms do more to protect sensitive information to ensure that they don’t become back doors for hackers.
Once given special status as trusted third parties, lawyers, particularly those who get access to sensitive bank information, now are more likely to get full background checks. The number of compliance checklists for law-firm technology systems and security procedures has ballooned. And law firms big and small increasingly are getting on-site audits to check who has access to documents and office servers.
The demands come as financial regulators are paying more attention to third-party vendors. Benjamin Lawsky, the superintendent of New York state’s Department of Financial Services, last week sent a letter to dozens of banks requesting information on security risks relating to law firms, accounting firms and other third parties.
Law firms “can have access to a very large volume of sensitive data on a recurring basis and that makes them a point of vulnerability,” Mr. Lawsky said.
When “Gentle Ben” Lawsky speaks, lawyers had better listen. Not because he possesses any special insight into the banks he regulates (his background in actual banking is non-existent), but because he’s demonstrated that he intends to follow in the footsteps of his role model, Eliot “Mess” Spitzer, by pursuing publicity-laden enforcement actions against targets that the public loves to loathe. Banks and lawyers might as well have a bulls-eye painted on their foreheads.
Thus far, it appears that big banks and their big firm minions are first in line for proctoscopic examinations. However, how long will it be before the “trickle down” theory of bank regulation that we’ve seen prove itself again and again since the creation of Franken-Dodd and its dark spawn, the CFPB, will spread this “closer look” process to smaller banks and their law firms? Not long, I think, even if you measure the passage of time in dog years.
It’s hard to argue that law firms for banks of any size should be cut any slack. The Interagency Guidelines Establishing Information Security Standards, the relevant regulatory guidance on third-party relationships (such as OCC Bulletin 2013-29), and the basic ethical requirement to protect the confidentiality of client information should have impelled lawyers for banks to take information security in an online world quite seriously long before this point. In many cases, engagement agreements between law firms and bank clients already specifically require law firms to take the kind of security precautions that big banks are now demanding. True, “one size does not fit all” may be as true of bank law firms as it is of the banks they represent, so perhaps not every law firm will need to have in place all of the precautions described in the linked article.
Some firms instruct attorneys not to open documents sent via email unless they are in a secure environment in the office, or using a firm laptop on an encrypted line. For particularly sensitive matters, firms might restrict work to stand-alone computers that don’t connect to the Internet, said Mary E. Galligan, a Federal Bureau of Investigation veteran who now is a director of cyberrisk services at consulting and accounting firm Deloitte & Touche LLP.
Mobile devices are a particular focus. Many firms can wipe data from smartphones and laptops that are lost or stolen, and most firms install some level of encryption.
Law firm Davis Polk & Wardwell LLP in recent weeks added a new precaution: Lawyers must have a special application installed on their smartphones to open attachments sent to their firm addresses.
On the other hand, those security measures make sense, and many of them are not unreasonably expensive to implement. Firms that don’t want to encounter a nasty (and expensive) surprise would be wise to take this concern seriously and prepare for such an examination, whether or not one is ever actually performed.