Lawyers Are Not Above the Law When it Comes to Data Security

Don Miller

On February 12, 2013, the President signed Executive Order 13636 entitled “Improving Critical Infrastructure Cyber Security.”  Among other things, the Executive Order directs certain agencies to coordinate the development of a framework for protecting America’s critical infrastructure from cyber attacks.  In this blog, we have touched on how some players in the public and private sectors have been dealing with the Executive Order, and how managed file transfer principles might play a part in the process.

The President’s focus on cyber security has prompted federal regulators to put the data security practices of the largest private sector entities under the microscope.  For example, the Securities and Exchange Commission is requiring more companies to disclose the existence of security breaches.  Recently, companies like Google and AIG received letters from the SEC asking them to file revised cyber crime disclosures.

Even New York Governor Andrew Cuomo is getting into the act.  He launched an inquiry into the data security practices of the largest insurers.  The Co-Chair of the Governor’s Cyber Security Advisory Board explained the basis for the inquiry:  “Cyber security at insurance companies is something that often gets overlooked, but it’s far too important to get caught in a blind spot.  We need to make sure that those insurance records are protected from hack attacks that could put New Yorkers at risk.”

Now comes word that the companies being scrutinized by regulators/politicians are themselves closely scrutinizing the data security practices of their vendors.  According to this article, Bank of America is auditing its outside law firms’ data security practices.  Why?  Because the FBI “and others” have “flagged concerns over cyber security at law firms—given the value of their corporate clients’ information to potential attackers, and law firms’ often slow adaptation to new technologies.”

Isn’t that ironic?  Lawyers are constantly preaching to clients about being prepared and taking steps to avoid/limit liability risks.  Yet as a group, lawyers are so ill-prepared when it comes to cyber security risks that the FBI “and others” have identified law firms as a high-risk target.

Other vendors doing business with companies deemed part of the country’s critical infrastructure may soon be subjected to similar audits and scrutiny.  Federal regulators are concerned about cyber security risks up and down the supply chain.

Will you be prepared if a customer/client wants to subject your company to a data security audit?  If not, it may be time to deploy a secure managed file transfer software solution.  Please contact our data security experts at if you want to learn more about how best to protect your company’s sensitive/confidential data.