Cyber Security & Golden Handcuffs (Spring 2021)

In 2017, I gave a presentation to fifty members of an Asian trade association regarding the U.S. legal services market. I predicted that technology companies will continue to transition IP work to small “Alternative Law” platforms. While not challenging the data, a member of the audience did question the cyber security of New Law platforms. He thought big firms were more secure.

To address that question, one first needs to better understand big U.S. law firms, often called “Am Law.” Their key performance indicator, profits per partner (PPP), is akin to a baseball player’s batting average. U.S. law firms are publicly ranked by PPP to impress clients and each other. To maintain a high PPP, Am Law firm leaders pass overhead onto clients, decrease infrastructure costs, boost hourly rates, and enforce attorneys’ billable quotas.

As a former partner of a PPP-centric firm, I was invited to Samsung’s main facility in Seoul. Every visitor there was stopped and searched by security guards. The guards inspected briefcases and sealed every port on every laptop, including those belonging to their own outside counsel.

After reassuring myself that I was no further north than Seoul, I walked under a large warning sign. Visitors who are caught with a memory stick will be indefinitely banned from all of Samsung’s facilities. Later that year, when I needed to display a legal analysis for the in-house team in Tokyo, I was informed that there are no ports for memory sticks on any company computer.

Clients recognize the cyber security threat that memory sticks pose. So why do U.S. law firms allow employees to use these devices on client matters? The simple answer is indirectly tied to PPP. Employees seek ways to bill more time to more clients. This helps them keep their job in the quota driven Am Law PPP ecosystem.

If attorneys or staff fail to meet billable quotas, they risk being “transitioned out.” It is a process designed to discharge employees while avoiding expensive employment lawsuits. During the “transition period,” which may last six months, employees seek new jobs while working for the law firm. Since being fired is no longer a worry and memory sticks are not banned, data leakage can readily occur during the transition period.

Last fall a Google “unicorn,” which is a praiseworthy accolade, confirmed that humans are the weakest link in cyber security. In addition to memory sticks, patent litigation teams can, surprisingly, be a weak link. For example, Am Law teams have used Zoom and Dropbox to review confidential information, including their clients’ source code. These tools are cheap and easy to use, but news reports establish that there are serious cyber security threats. For that reason, the Bauz IP Law team members can only use secure tools such as LeapFILE and MS Teams.

Lawyers’ use of unsecure email is another risk. The managing partner of an Am Law firm reprimanded the attorneys for using Gmail to transmit client confidential information. The attorneys used it to send client e-files to their unsecured home computers and back again. Doing so helped them bill more hours from home. Tellingly, Google prohibits its counsel from using Gmail and Zoom.

Poorly supervised external litigation team members are another source of data leakage. Experts regularly use memory sticks. I know of one who has twenty memory sticks from different patent cases and clients. That means twenty teams failed to collect and destroy these memory sticks. For preparing expert reports, another expert I spoke with uses MS Office 365 for Home. This inexpensive software has minimal security. Third parties in public places like hotels can electronically access the data.

Today, many U.S. law firm computer systems are outdated and the datacenter security questionable. As evidenced on client bills, employees access the datacenter. Where they were working and what they were doing was not readily apparent from the bills.

At the 2018 Singapore FinTech Festival, the Head of Cyber Security for Morgan Stanley asked how many participants had ever visited their in-house datacenter. He asked whether there were any dedicated in-house cyber security measures, such as guards. Like most partners, I never visited the datacenter.

His point was that Azure, AWS, and Google are physically and electronically secure to minimize in-house risk. Unlike Am Law, data security is their business. While migration to the cloud is arguably an improvement, PPP is a market force against migration.

A 2018 Altman Weil survey indicated that almost 60% of the firm leaders in 789 U.S. law firms believe that generally their clients do not want change. However, when clients lack visibility and rely on assumptions, it is difficult to request change. Thane Bauz personally and confidentially assists in-house IP teams to identify and close the gaps.

Returning to the question originally posed, clients should ask their law firms about data security. New Law platforms are free of PPP metrics. There are no billing quotas. They can economically acquire site licenses for powerful and secure tools. Bauz IP Law is not constrained by PPP, otherwise known as “golden handcuffs.”

Thane Bauz worked in global law firms for over twenty-five years. He now supports in-house IP teams by directly providing them with data and recommendations. His clients minimize risk, improve efficiency, and reduce cost. Email your questions to [email protected]