Are Cybersecurity Solutions and Consulting a New Revenue Stream for Law Firms?
The Big 4 accounting firms have identified legal services as an area for growth beyond traditional financial services and consulting services.
January 16, 2019 at 11:00 AM
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
The Big 4 accounting firms have identified legal services as an area for growth beyond traditional financial services and consulting services. Additionally, data security and compliance are critical components for the success of both developing and established companies.
These combined trends present an expanding field for law firms to develop partnerships with cybersecurity companies to offer their clients legal expertise with additional business services. Numerous firms have created subsidiaries under the firm's umbrella to offer consulting services, from big law to mid-size firms, setting a precedent for law firm cybersecurity relations and other relevant consulting services.
Keesal Propulsion Labs
Recently, Keesal Young & Logan's client consulting team spun up a sister company, Keesal Propulsion Labs (KPL), to augment its service offerings for key clients through a partnership with Mitratech for Mitratech's TAP Workflow Automation and Privva for Third-Party Vendor Risk Management. The law firm leverages the Privva platform for vendor risk assessment on behalf of the firm and as part of the firm's client-facing cyber risk practice, and KPL is building custom legal and business process automation workflows on TAP for clients in Silicon Valley and on Wall Street.
These are not just tools purchased; KPL meets with Privva and Mitratech regularly and has become part of the development feedback loop, helping to improve the products by sharing lessons learned in the field.
“By investing our time and energy in our relationships with these strategic partners, we are able to provide integrated solutions featuring best-in-class people, process and tech — each professional and organization focusing on what they do best, while all acting as one unit,” says Justin Hectus, KPL Principal and Keesal Young & Logan's CIO/CISO and a member of Cybersecurity Law & Strategy's Board of Editors.
A Worldwide Development
The data regulation and compliance environment will only become more restrictive in the future. Governments and governing bodies worldwide are creating legislation to ensure data protection for their citizens in the domestic and global markets. The European Union, Canada and Japan have created some of the most intensive legislation on the topic of citizen data to date; however, experts anticipate that China's data privacy and security standards will reach much further than the European Union's GDPR.
In March 2018, the United States federal government adopted new data breach notification laws that require companies to inform their consumers if any personal data has been compromised, while also expanding the definition of what is considered personal data. Individual states are continually taking greater control of their own data security regulations, with the most intensive legislation coming out of California in the California Consumer Privacy Act. Due to California's large commercial economy, the state sets a precedent for international companies doing business within the United States to implement California standards throughout the entire country.
A handful of other states have also implemented their own data breach laws, some broadening the scope of who is required to post notice of a data breach to include companies or bodies that retain personal or user data. Other states have passed legislation that includes penalties and/or fines that may apply if a data-retaining body does not post notice of a data breach to the individuals who may be affected by it.
Hedge Against Client Pressure on Hourly Rate
Traditional consulting business models are very similar to law firm business models, including hourly billing rates, fixed fee or value-based pricing models. However, changing business dynamics may result in new pricing models and less traditional hourly billing. Licensing revenue and centralized documentation can mitigate billable-hour losses by creating a new relationship dynamic involving increased communications between law firms and their clientele. In turn, increased communications create additional product and firm stickiness for involved clientele.
Clients trust their attorneys with managing risk and attending to the most critical and sensitive matters, giving firms an opportunity to offer clients products that can provide more consistent revenue streams. Nelson Mullins Riley & Scarborough LLP formed a subsidiary to offer lower cost HIPAA Risk Assessments under the brand HIPAA2Z.
This solution allows Nelson Mullins to offer a solution to their clients at a lower cost than traditional consulting companies and will likely generate additional business for the law firm through policy development and contract/business associate agreement development and review. HIPAA2Z, which aggregates Privva's platform with legal and compliance services, streamlines the compliance process, and intersects with a company's current compliance efforts, by providing a customized risk assessment, management plan and other tools to ensure that documents adhere to the law and that providers and vendors are secure and compliant.
“By combining security and legal services, HIPAA2Z offers everything you need to know, and do, to comply with HIPAA and to be more secure in handling data,” says Roy Wyman, Partner and a former Chief Privacy Officer, who is also a member of the firm's Healthcare Regulatory and Transactional Team and deals extensively with healthcare IT issues. “By standardizing and automating HIPAA compliance, we reduce the cost, hassle and time required to feel confident about protecting health information and complying with the law.”
Looking Forward: Achieving Impactful Clientele Relationships
Identifying opportunities that will help law firms have a greater impact at the board level will be critical to business and relationships as this trend continues. For example, Gartner stated that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk. A clear understanding of vendor risk management, clientele/vendor relations, and the overall threat landscape of a client's industry has the potential to create more partnership opportunities between law firms and their clientele. Increasing the number of impactful relationships among clientele opens opportunities for more current and future board-level involvement.
Overall board-level involvement promotes a more holistic management strategy throughout the entire company. Law firms that provide cybersecurity consultation to company boards can advise on additional risk management strategies that not only promote current and future company goals, but also can create an informed culture of cybersecurity awareness throughout every level of the company, reducing future security risks. Actions taken proactively to reduce cybersecurity risks may also mitigate stakeholders' concerns about a looming cybersecurity attack.
Areas of Focus and Opportunities for Legal Services Law Firms
Vendor Risk Management: Digitization is increasing the flow of information to third-party vendors, creating a greater security risk for companies. The importance of detailed security review and relevant contract terms and conditions (e.g., breach notification clauses) is an area in which law firms can add value to their clients.
SOC 2 Readiness: Increasing data collection and utilization increases data security risks. Regulatory compliance ensures that best practices are implemented so that the Trust Service Principles audited by SOC 2 are properly maintained, and it mitigates potential remediation costs for clients.
GDPR Assessment: Sweeping European Union data regulations raise requirements and expectations of domestic and international companies when conducting business within the EU. A detailed assessment comprising compliance thresholds promotes a smooth transition for clients to continue business in the European sphere while minimizing penalty and fine risks.
HIPAA Risk Assessments: Digitization and the transmission of patients' medical files from medical facilities to other facilities, offices, and insurance companies create data insecurity. Insecure data transfers can create large gaps in the security of files, putting all parties involved in the transfer at risk of future lawsuits. A comprehensive risk assessment can display insecurities in affiliated third-party clients and give the clientele information to decide how these insecurities may be rectified moving forward. Ensuring the proper policies are in place and implemented is a critical component of being HIPAA compliant.
Law firms expanding their services beyond legal is a logical next step to diversify the existing revenue stream. While consulting services may take law firms and attorneys outside of their comfort zone, possibly causing hesitation, the landscape is changing and forward-thinking firms can create the opportunity to get ahead of it simply by starting the conversation. Identifying areas of need within a particular domain of expertise can complement their practice and provide a new, sustainable revenue stream to take firms to the next level.
A successful program will require a team of stakeholders including IT/security, business development, innovation and attorneys. Identifying strategic partners that will value your client relationship like their own will ensure long-term benefits both financially and strategically.
Ishan Girdhar is the CEO and founder of Privva, a cloud-based platform that streamlines the data security assessment process across industries including legal, financial services, education, healthcare and real estate. Prior to starting Privva, Ishan's experience included corporate strategy, business development, and investment banking, including working for the Walt Disney Corporation in their corporate strategy and business development team. The author gratefully acknowledges the assistance of his Privva colleagues, Madison Lovasz and Carly McGee, in the preparation of this article.