Holland & Knight

Clients increasingly expect an innovative approach to tasks set for outside counsel, and some law firms are testing their luck by bringing technology and processes in-house.

This is the case for Holland & Knight, which has had its innovation arm HKLab since 2012. Comprised of legal experts and software engineers, the group underpins a host of efforts across the law firm, including its launch of its Cybersecurity, Data Breach and Privacy Team in its litigation section.

So why would an innovation arm be needed in launching a cyber-focused practice group? HKLab leader Joe Dewey told Legaltech News it's because there are certain areas of data security and privacy “where having technology capabilities, when coupled with policy and legal expertise, is particularly useful.”

“A lot of the legal regimes that apply to these areas of law inevitably become very technical in terms of their applications,” he said, noting that Holland & Knight has had companies come to them believing they were in compliance with a regime, but analysis of their technology processes said otherwise. “There's usually a disconnect between people on the engineering and legal sides. When you can marry that expertise, you can produce better results.”

Many international privacy requirements are placing new pressures on organizations for greater technological expertise. The European Union's (EU) recently enacted General Data Protection Regulation (GDPR), for example, requires that multinationals oblige by strict mandates in managing EU citizen data, a stipulation that has already proven problematic for some of the world's largest technology companies. What's more, individual EU member states have their own privacy laws, with some, such as those in Spain and Norway, being more robust than others. Other nations, like Australia and South Korea, also have strict requirements.

Cybersecurity laws also can prove challenging. China's Cyber Law places strict requirements on companies handling Chinese citizens' private data. The U.S. also has a host of state and federal level laws mandating the handling of a cyberbreach.

Such regulations require that companies take varying approaches in assessing how they manage data, requiring considerable legal and technological acumen. HKLab leverages its subject matter expertise in both arenas in addressing compliance challenges, but technology also plays a part. In HKLab's technology stack, he explained, are a host of “virtual machines” running on the open source platform Linux and utilities for port scanning, which scour servers for vulnerable ports.

“A lot of it is a very sort of systematic checklist you go through to find vulnerabilities, and then a lot of it is code review, which is more expertise in terms of knowing what to look for and how web pages and web applications operate and enact with the users and how that data actually flows,” he added.

Dewey said HKLab's initial focus was primarily on data security and privacy matters, and it was only 2½ years ago that the firm decided to expand its scope to cover other areas of technology and innovation. As to why the firm is now utilizing it for its launch of a cyber and privacy practice, he cited regulatory and litigation trends as reasons.

“Given the nature of things like the GDPR and the fact that litigation was becoming such a large component of the results of compliance, it made sense to have a better organizational structure around [our cybersecurity and privacy] practice,” he added.

Holland & Knight is far from the only firm internalizing innovation efforts. Reed Smith recently launched GravyStack, a technology subsidiary that will develop and license the law firm's technology products for clients, while Littler Mendelson regularly develops and employs technology for client issues. Nor is Holland & Knight the only firm incorporating cybersecurity services into their offerings—BakerHostetler, for example, has a services group for helping clients manage data breaches.

Holland & Knight also has a Data Privacy Testing Lab, which offers to conduct “technical tests and reviews” for clients' devices and online accounts “before regulators, outside technology firms or news media outlets do,” the law firm's website said.

Dewey said that at present, client demands regarding issues around virtual currencies are among the top drivers of HKLab's cyber-related efforts, particularly around tracking digital assets and understanding how they operate. He also noted that clients are interested in creating and understanding issues around smart contracts.

“I think it's difficult to replicate the outcomes you have with this expertise in-house and in an environment that fosters collaboration as much as it does when you're in the same firm. It will be difficult to compete if you don't have that value add,” he said. “It'll be hard to practice areas where you can't provide that.”