Perspective: The Looming Law Firm Disruption

Editor’s Note: The author of this post is a lawyer who focuses on public policy and cybersecurity.

By Brian Finch, Pillsbury Winthrop Shaw Pittman, partner

The most frequent questions discussed within (and about) law firms these days either relate to how the business of law will change or how firms can best tackle the explosive growth of cybercrime. Only now however, are some lawyers coming to realize the ominous connection between the two.

Law firms, perhaps more than any other service industry, must protect against disruptive cyber-attacks. Most law firms continue to rely on the billable hour as their primary method for generating revenue, and those billable hours in turn are predominantly generated using IT systems to generate and review documents as well as to communicate with clients and opposing counsel.

The challenge is that information security was typically a secondary concern when law firms implemented their current IT systems. Now, in a world where information can be stolen from those systems far more easily than anyone could have imagined, law firms find themselves uniquely vulnerable to cyber-threats.

Take for example the recent and very worrisome rise in “ransomware” attacks, where viruses spread by cyber-criminals encrypt the data of unsuspecting users. The only real remedy for victims once the virus has taken hold is to pay a… well, ransom to unencrypt their data. Ransomware has become so ubiquitous on the Internet that now criminals give it away for free, asking only a share of any monies paid by victims in return.

In the specific context of law firms then, one can easily see how cyber-attacks can quickly and easily cripple a firm’s ability to use their information technology systems to provide client services. If a firm is struck by a cyber-attack and cannot generate or edit documents, review documents, or even communicate with a client, it has effectively been paralyzed. No work being performed means no hours being billed, and the revenue of that firm spirals downward.

Just imagine a scenario where a firm is essentially brought to a standstill for days or weeks thanks to a ransomware infection. The effect of such a situation on clients — not to mention firm finances and reputation — would be devastating and, potentially, catastrophic.

And remember, the likelihood of this scenario actually occurring increases every single day. No public or private company, or even government agency, is immune from cyber-attacks. Cyber criminals are far too numerous and inventive for anyone to establish impenetrable defenses. Law firms are no exception to that rule.

That does not mean firms should wait passively for this kind of event to happen. There are many measures they can take to at least mitigate these risks, from setting up fulsome backup systems to implementing filters aimed at preventing the internal transmission of ransomware.

The main takeaway here is that firms need to do something to prepare for cyber-disruptions. Firms that do not take appropriate mitigation measures will take a hit to their wallet and their reputation.