From IT upgrades to cybersecurity to e-discovery, law firms are seeking answers, which can be challenging when legal and tech personnel speak different languages. But the language of dollars and cents is universal.

Vendors are one thing. (For example, cybersecurity consultant Gideon Lenkey previously told the Law Journal that penetration testing can cost a firm anywhere from $7,500 to $70,000, while his hourly rate for other tasks is $280.)

But many more costs are internalized, and law firm technology spending is a growing part of the budgetary discussion, including at midsize firms.

At Chiesa, Shahinian & Giantomasi in West Orange, the technology budget was $1.4 million in 2017, compared with $1.1 million the prior year, and in each year, the number accounted for at least 2 percent of firm revenue, according to firm leaders. And that budget includes only hardware and software—no salaries or overhead for IT personnel, which include an IT director and four others.

The tech budget “has increased significantly, both in terms of absolute dollars and as a percentage of expenses,” according to Chiesa Shahinian managing partner Daniel Schwartz.

“It takes dollars, and these have been nondiscretionary dollars we've devoted to this over the last few years,” Schwartz said in an interview. “Even [as] a law firm in West Orange, New Jersey, of 130 lawyers, we are taking this very, very seriously.”

About four years ago, the firm entered a “catch-up mode,” said firm executive director Jim Cunningham. Technology spending in eras past had been treated as a “necessary evil,” with the prevailing attitude among lawyers: “why are we spending this much money?” But that attitude has evolved into an acceptance that money must be devoted to the issue, Cunningham said.

According to Schwartz, news of breaches at other law firms and client demand for efficient document-management and accounting systems have caused lawyers to be more interested than ever in technology issues. And that opens the lines of communication, it seems.

Accounting for the year-over-year $300,000 increase in Chiesa Shahinian's IT budget (a 27 percent spike) was the full virtualization of the firm's technology structure at the office and at the data recovery center in Pennsylvania: a series of servers working in tandem versus individual servers dedicated to certain programs. There was also the addition of a new encryption system that protects data that is “at rest,” as well as data being transferred. Budgeted for 2018 are penetration testing, whereby the firm's cybersecurity measures are subjected to simulated attacks, and the potential move to a cloud-based storage system.

When it comes to cloud storage vendors, “every indication is they can do it better than we can,” Cunningham said.

Schwartz said he considers the firm's five-person IT department “lean,” though he noted that the firm uses vendors for many functions.

These and other issues are discussed by the firm's technology committee, which sets the technology budget, and whose January meeting involved 30 proposed initiatives rated at one of three levels of priority, leaders said.

At Bridgewater-based Norris, McLaughlin & Marcus, a firm of about 135 lawyers, cybersecurity has taken up an increasing amount of the firm's budget in recent years, and accounts for about 1 percent of revenue and 35 percent of the firm's annual IT budget, according to Mike Blumel, information technology director.

Getting to that point was an achievement in itself, it seems.

“It was tough in the law firm to sell the litigators who have traditionally run the firm,” he said. “That took a few months of back and forth,” and, in some cases, “arms getting twisted by our clients,” he added.

The prevailing attitude in eras past was “what we have works,” Blumel said. “'I turn on my computer and I'm working on my brief—what's the problem?'”

Hardware should be replaced more often at law firms, he said.

“They just don't get it. It's not what they do. They practice law. … [But] tomorrow, when this 8-year-old server doesn't work, you're going to yell at me,” Blumel said.

Last August, the firm implemented a cybersecurity artificial intelligence program, Darktrace, which goes beyond intrusion detection by simulating patterns of human users to track abnormalities. The program, he said, can stop the spread of malware such as “zero day” beyond the first workstation. “It's really saved us,” he said. “The value is tremendous,” even though it is expensive compared to some other products, he added. (Splunk, he noted, is another big player in AI cybersecurity.)

Apart from serving clients in regulated industries, there aren't well-defined guidelines on what cybersecurity measures a law firm should have, according to Blumel. “It's like a gray area—how much is enough?” he said. He did note, however, that the International Information System Security Certification Consortium, or (ISC)², which trains and certifies cybersecurity professionals, is the “gold standard” on best practices.

Headlines about law firm cyberattacks motivate midsize and small firms to act, he said, but because cybersecurity products are licensed by user and by device, firms of 100 to 500 lawyers are in a tier where the cost could hit them harder.

Apart from costly cybersecurity programs, there's also annual penetration testing, whereby cybersecurity professionals simulate attacks. For Norris McLaughlin, that can run $10,000 to $15,000, while internal policies and contracts are reviewed by hired contractors.

Other cybersecurity measures such as multifactor authentication, where remote network access requires not only a password but email approval by the user; a “sandbox” email feature, where all messages are diverted temporarily if they contain suspicious URLs; and yearly cybersecurity training—which some attorneys resist having to attend, according to Blumel—also cost money to implement, he added.

No Red Flag

Technology can cost dollars and save dollars, but it can also generate them. And sometimes staying out of the red is a victory.

The six-member litigation support group at Haddonfield-based Archer & Greiner is not a profit center, according to litigation technology manager Michael Reeves. But “I've told people numerous times, as long as we don't pop up as a red flag in the accounting department, we're good,” he said.

The group does primarily client work. They bill at $80 to $125 per hour, but don't charge clients a per-gigabyte hosting fee, and the service is intended as a “value-add” for clients, Reeves said.

Reeves, who previously held jobs at Philadelphia firms Conrad O'Brien and Wolf Block, came to Archer & Greiner in the early 2000s to help build databases for document review. Years later, he's the head of a full litigation-support group made up of four technologists and two paralegals.

Discussions about tech initiatives are ongoing. For example, Archer & Greiner has yet to fully virtualize its data storage with a cloud-based service. Reeves, like many others who discuss the consideration of cloud-based storage, cited client concerns about security that go along with such moves. But there's also a savings.

“The cost of maintaining servers and infrastructure behind a firewall … is becoming more expensive,” while cloud-based services “scale up and down” and can “do more with less,” Reeves said.

“The trade-off is, either your people go work for [the vendor], or are out of a job, bluntly,” he said. “We're at a time in the industry where we're doing a balancing act.”