In the wake of a number of high-profile data breaches involving law firms — including the recent Panama Papers breach — many U.S. law firms are moving toward obtaining ISO data security certification.
ISO is an international organization that provides formal certification of a company’s data security practices. In the past, ISO 27001 certification (covering information security) has typically been sought by U.S. companies for regulatory and compliance reasons. Law firms did not consider ISO certification necessary to the practice of law. But now, as hackers take aim at the legal profession, many law firms are obtaining ISO certification in order to reassure their clients that the firm’s data security practices are adequate. Some firms are using ISO certification for business development purposes — as a means of differentiating themselves from other law firms.
The move toward ISO certification was initially driven by law firm clients — particularly those in the financial services industry — that have long been the target of malicious cyber-attacks seeking customer credit card and financial information. In an effort to enhance their data security, and driven by heightened regulatory scrutiny, financial services firms began asking the law firms (as well as other vendors) that have access to sensitive company information to submit to data security audits and questionnaires. In many cases, financial services companies are mandating that law firms add physical and logical controls to mitigate the risk of data loss or a breach.
Since that time, the cyber threat to law firms has grown. In March 2016, The Wall Street Journal reported that the FBI was investigating a series of data breaches involving major U.S. law firms, including Weil Gotshal & Manges and Cravath, Swaine & Moore. Reports indicate that hackers were targeting sensitive client information concerning upcoming deals. The coup de grâce occurred in April 2016, when the Panama law firm Mossack Fonseca was hacked in the infamous Panama Papers attack. It resulted in the public release of more than 11 million documents, detailing the formation of offshore accounts and other questionable, if not illegal, financial activities by which international politicians, business people, and celebrities shielded income from taxation.
To improve their data security practices, and to provide assurance to jittery clients, many Am Law 100 law firms are seeking ISO certification. A March 2015 ILTA survey found that 18 law firms had obtained ISO certification, and that another 30 were in the process of obtaining it. It is likely that these numbers have increased since then. Many law firms are using ISO certification for marketing purposes, touting the firm’s commitment to ensuring the same level of data security as their clients. A White & Case press release in March 2016 illustrates the trend: “Our long-standing adherence to [ISO] global standards demonstrates our commitment to protecting our clients’ sensitive information… As many of our clients have said, the protection of their information is of paramount importance when conducting business with our Firm.” Other international law firms, including Shook Hardy and Allen & Overy, have also publicized their ISO certifications.
The trend toward ISO certification is not likely to abate as long as law firms continue to be targets of hackers. In the future, obtaining ISO certification may be like obtaining malpractice insurance for law firms — a cost of doing business.