
Why Law Firms Need to Do Third-Party Risk Management

As a legal professional, you probably know the importance of risk management for your law firm. However, it's not just the financial, reputational, and client risks within your law firm that you need to be concerned about. Third-party risk management (TPRM) is equally important and should be included in your overall risk management strategy, especially as you continue to handle sensitive client information, trade secrets, mergers, and other critical data.

So, what is TPRM? TPRM is the process of identifying, assessing, and mitigating risks associated with the use of third-party vendors, service providers, or partners.

Why Law Firms Need Third-Party Risk Management

As part of their daily operations, law firms work with various third parties, including vendors, contractors, consultants, and service providers. Law firms commonly outsource specific functions to third-party providers, such as:

  • Legal research
  • Document review services
  • Marketing services
  • IT services 

There’s always a certain level of risk when working with third-party vendors. For example, these vendors may have access to sensitive data, and if security measures are inadequate, your law firm will be at risk of cyberattacks, data breaches, and regulatory violations. Additionally, third parties can expose your firm to risks such as financial instability, legal disputes, and reputation damage. A comprehensive TPRM program is essential for law firms to ensure they can consistently identify and mitigate the risks associated with third parties.

Third-party vendors pose a range of risks to law firms, which can include: 

  1. Cybersecurity: When partnering with third-party vendors, you must consider the chance of a data breach or cyberattack resulting from a compromise of the third party’s systems. Third-party vendors often have access to sensitive client information, and a breach of their systems could expose it.

    If a third-party vendor experiences a breach, it can damage a law firm's reputation, even if the firm wasn’t directly responsible for the breach. Data breaches can also lead to costly lawsuits. Third-party vendors may be targeted by cybercriminals, and a successful attack could compromise a law firm's systems and personal client information.
  2. Business continuity: Third-party vendors may experience disruptions to their services, which could put a pause on the law firm’s work if the vendor is critical to the firm’s operations. 
  3. Regulatory: Third-party vendors may not comply with applicable laws, regulations, and ethics, exposing law firms to legal and regulatory risks and costly fines or litigation.
  4. Data ownership: Third-party vendors may claim ownership of the data they handle, leading to disputes over data access and ownership.

Data Breaches Are Becoming Common at Law Firms

Data breaches are becoming more and more common at law firms, but why? Law firms collect so much personal information that it’s very attractive to cybercriminals. 

Several high-profile breaches illustrate the importance of implementing third-party risk management at your firm and evaluating the risks associated with all third-party vendors. Some recent examples are:

  • In 2022, Cadwalader, Wickersham & Taft suffered a data breach caused by a third-party vendor contracted to provide email archiving services. The breach exposed the personal information of 93,211 current and former clients and employees of the firm. The firm is now facing a proposed class action lawsuit.
  • In 2021, Jones Day suffered a data breach caused by a third-party vendor contracted to provide file-sharing services. The breach exposed confidential client information of several high-profile clients, including the National Football League, the City of Chicago, and the Democratic National Committee. 
  • In 2020, Grubman Shire Meiselas & Sacks suffered a data breach caused by a third-party vendor that had been contracted to provide IT services. The breach exposed confidential client information related to several high-profile clients in the entertainment industry, including Lady Gaga and Madonna.

U.S. Laws and Regulations Governing Law Firms 

It’s not just data breaches that firms should be concerned about. U.S. law firms are also subject to a range of laws and regulations that require them to protect client information and maintain data integrity and security. These laws and regulations include:

  1. Gramm-Leach-Bliley Act (GLBA): The GLBA applies to law firms that provide financial services and requires them to safeguard client financial information.
  2. Health Insurance Portability and Accountability Act (HIPAA): Applies to law firms that handle health information, requiring them to comply with HIPAA regulations. This includes ensuring the confidentiality, integrity, and availability of electronic protected health information (ePHI).
  3. Sarbanes-Oxley Act (SOX): Applies to publicly traded companies, their auditors, and law firms that provide services to these companies. Law firms must ensure the accuracy of financial statements and maintain records in accordance with SOX requirements.
  4. Foreign Corrupt Practices Act (FCPA): Prohibits U.S. organizations, including law firms, from bribing foreign officials to obtain or retain business. Law firms must have policies and procedures in place to prevent FCPA violations.
  5. Cybersecurity Information Sharing Act (CISA): CISA encourages sharing of cybersecurity information between the private sector and the federal government. Law firms that handle sensitive information may be required to share information with the government in the event of a breach.
  6. New York State Department of Financial Services Cybersecurity Regulation: This regulation applies to law firms licensed by the NY State Department of Financial Services and requires them to implement specific cybersecurity measures.
  7. State data breach notification laws: These laws require companies to notify individuals in the event of a data breach that compromises their personal information.

How Third-Party Risk Management Protects Your Law Firm

With all the risks and regulations that law firms face, it’s critical to have a plan in place that will protect your firm and your clients’ information. Implementing TPRM can benefit your law firm in several ways, including:

  • Improved cybersecurity: TPRM helps firms identify and mitigate cybersecurity risks associated with third-party vendors, reducing the risk of a breach. A TPRM program can improve vendor oversight and help you detect and mitigate problems before they result in a data breach. 
  • Compliance with laws and regulations: TPRM ensures vendors and contractors comply with applicable laws and regulations, reducing the risk of legal and reputational damage.
  • Improved vendor relationships: TPRM establishes strong relationships with your third-party vendors by setting clear expectations and requirements from the very beginning of the onboarding process.
  • Reduced costs: Incidents with third-party vendors can result in significant financial losses for an organization, whether they involve data breaches, lawsuits, or damaged reputations. TPRM is a structured process designed to address and manage vendor risks before they lead to costly issues.

4 Steps to Get Started in Third-Party Risk Management

  1. The first step is to identify all the third parties your law firm engages with, whether they’re vendors, contractors, consultants, or service providers. Once you’ve identified these third parties, you should assess the level of risk they pose to your law firm and your clients.
  2. Next, define the standards and requirements that third-party providers must meet to comply with applicable laws and regulations. This may include requiring third-party vendors to conduct regular security assessments, implement strong access controls, and promptly report any security incidents or breaches.
  3. Third, conduct risk-based due diligence to ensure that your third parties are legitimate business entities with appropriate risk management practices and controls in place. Third parties that have the highest risk require the most robust due diligence. 
  4. Finally, establish a regular risk monitoring process to ensure that third-party vendors continue to comply with your standards and requirements. This can include regular audits or assessments, ongoing communication with third-party vendors, and the use of TPRM tools and software. Make sure that your TPRM program includes policy, process, and procedures for managing the entire third-party lifecycle.

Implementing a TPRM program can significantly benefit your firm by safeguarding the firm’s reputation, ensuring compliance, protecting client information, and reducing breaches. When law firms take a proactive approach to TPRM, they can identify and address potential risks before they become an issue. 

This helps the firm become more efficient and avoid costly mistakes. TPRM also enables a firm to demonstrate its commitment to risk management and build client trust. 