Photo: Shutterstock

As corporate clients fret over the potential threat posed by cyber breaches, Pennsylvania law firms are increasingly making data privacy and cybersecurity a top priority, putting time and resources behind the effort.

Legal software company Aderant this month released its second “Business of Law and Legal Technology” survey, which showed general optimism among law firm professionals. But when respondents were asked about the key challenges they faced, more than 32 percent of them named cybersecurity as a top concern.

Pennsylvania law firms are grappling with the issue—and the cost—along with the rest of the industry. Law firm technology professionals and firm management in the region say the days are gone when clients could treat their outside lawyers' cybersecurity efforts as an afterthought.

Devin Chwastyk, chair of the privacy and data security group at McNees Wallace & Nurick, said the driver for law firm clients has been demands from their customers for assurance of data privacy. More and more, he said, clients are putting data security addenda on their fee agreements.

“Every RFP now requires us to disclose how we protect confidential information,” said Jeff Lobach, managing partner of Barley Snyder. And that requires a greater investment of time and money, he said.

Lobach said clients have never been dissatisfied with the measures his firm has put in place. But if they were, he said, the firm would likely be expected to change its practices to keep the work.

“Cybersecurity as a line item has certainly become a bigger expense for us,” Chwastyk said. “That was inevitable regardless of client demands.”

Cyber insurance is another driver of increased cybersecurity standards at law firms, Chwastyk said, as firms must enact a certain level of safeguards to obtain coverage.

Alan Promer, a partner who chairs the technology committee at Hangley Aronchick Segal Pudlin & Schiller, said his firm, too, has seen an increase in its technology spend, and that is due in part to security costs. Technology on the whole has become a greater expense for law firms, and since not all of the costs are scalable, the impact is outsized at small and midsize firms.

“It really is an imperative” to stay up-to-date on cybersecurity measures, Promer said, pointing to client requirements. Smaller clients and individuals may not have extensive knowledge and specific demands, he said, but larger institutions often have an entire in-house team dedicated to data privacy and cybersecurity.

He said clients regularly inquire about Hangley Aronchick's cybersecurity resources, which include firewalls, intrusion detection, antivirus systems, encryption and multi-factor authentication. Every year the firm gets a security audit by an outside contractor.

“It's been years, and it evolves constantly,” Promer said.

Over time, he noted, cybersecurity has become increasingly “professionalized” at law firms of various sizes, which are hiring dedicated professionals with extensive technology training to handle it.

“A smart lawyer is only going to engage in the things they're knowledgeable about,” Promer said. “I don't know many lawyers that speak fluent cybersecurity.”

From talking with data privacy professionals at other firms, Chwastyk said it's clear that cybersecurity concerns are common to firms of all sizes. “A lot of the client pressures are the same,” he said. But, he noted, firms are generally more cognizant of the issues if they do commercial work, particularly for clients in regulated industries such as insurance, financial services and health care.

“Even the solo practitioners are worried about this,” Chwastyk said. “They all recognize they have particular obligations under the rules of professional conduct to guarantee confidentiality.”

For more business of law coverage exclusively geared toward midsize firms, sign up for a free trial of ALM's new weekly newsletter, The Mid-Market Report.