By Brenna Goth

Companies go to great lengths to protect their data, but they may be ignoring a security soft spot—the information they provide to outside legal counsel.

A group of corporate legal executives is trying to mitigate the risk of future data breaches. Gary Tully, director of legal operations for Gilead Sciences, is one of those leading the initiative.

The first step is adopting an assessment tool that will score a law firm’s security while giving companies a common baseline for comparison. Widespread use could make the rating as valuable as a FICO score for credit, Tully said.

In-house legal departments have an ad-hoc approach to addressing the cybersecurity of outside firms—if they do at all. Some companies trust that the law firms they use are protecting their data while others implement a time-consuming review process, Tully told Bloomberg Law.

“We really need to make a difference here,” he said. “We need to move quickly.”

Tully and other leaders with the Corporate Legal Operations Consortium, or CLOC, are pushing a new initiative to boost the cybersecurity of law firms while pushing in-house legal departments to more closely consider their vendors. Heads of the group, which has members from nearly 700 companies representing more than a quarter of Fortune 500 companies, say they aim to create a new industry standard.

Problems Assessing Cybersecurity

Law firms hired by a company can have that organization’s most sensitive data, said Connie Brenton, president and CEO of CLOC and senior director of legal operations at NetApp Inc.

Assessing how law firms protect that data can be difficult. Companies may send to firms questionnaires, which can be laborious and inefficient. A one-time assessment can take months. Firms that self-evaluate may need audits.

But the consequences of not checking security practices can be huge.

Imran Jaswal, managing director of Duff and Phelps’ CyberClarity360 tool, said even if a company’s data isn’t compromised by an outside law firm, its business could be disrupted in the case of an attack. Jaswal spoke during a panel discussion at the CLOC Institute in Las Vegas the week of April 23.

CLOC is endorsing the CyberClarity product as a common cybersecurity assessment tool for companies.

A firm’s operation could shut down for a few weeks after an attack or, in some cases, may not recover. “This is something that’s highly impactful to your organization,” Jaswal said.

Law firms, though, are also burdened by cybersecurity reviews, said Justin Hectus, the chief information officer and chief information security officer of Keesal, Young and Logan, said at a CLOC institute panel. Firms that are already stretched thin may have to fill out numerous questionnaires on the same topic from different companies.

The paperwork problem needs streamlining, Hectus said, particularly considering that the number of companies seeking assessments is rising.

“You can see the possibility of this thing just exploding,” he said.

‘Think Ahead of Time’

The range of concerns led CLOC to push a new approach that leaders hope will lift cybersecurity efforts throughout the industry.

A corporation can ask a law firm to take the assessment, which gives it a score and remediation advice. Companies have a score they can use to compare competitors while law firms can take one assessment and release it to multiple corporations.

A widespread solution has to be cost-effective, quick, and easy, Tully said. It also has to be fluid enough to react to changing threats.

The remediation advice aims to improve security across the entire industry over time, Jaswal said, as law firms respond to their assessments.

Companies need to create a culture of security and not just check a box once, said David Shonka, acting general counsel of the Federal Trade Commission, during a CLOC panel. Federal law requires reasonable efforts on that front.

“The answer is to think ahead of time,” Shonka said. “Plan things.”

Pitching an Industry Standard

The CLOC initiative comes out of meetings among corporate legal departments, law firms, educators, and vendors who are vetting it, Brenton said. Otherwise, the solution won’t work, she told Bloomberg Law.

“As an industry standard, it better be bulletproof,” she said.

Still, there’s resistance to change, Tully said, as cybersecurity protection can be particularly sensitive to talk about. But leaders are optimistic the idea will take hold as people talk about the benefits and share the tool with colleagues.

Law firms would have a way to show they’re protecting clients. General counsels have incentive to avoid going to their boards after a data breach.

Tully hopes the initiative moves beyond a questionnaire. He envisions a marketplace developing around the security score and room for other product vendors to get involved.

It’s a concept that can gain steam outside the legal industry, Tully said. Legal professionals are working on a proof of concept before it spreads to the rest of their companies, he said.

“Our industry is going to lead our corporations,” Tully said.