What’s the most effective way for lawyers to protect their clients from a data breach of  Sony-like magnitude? Sure, they can sponsor trainings for clients, develop handbooks and checklists and purchase cyberinsurance. Or lawyers could take the most direct approach and identify and plug the security gaps themselves.

Sounds crazy – and outside a lawyer’s pay grade. Yet, Chris Cwalina and Steve Roosa, two Holland & Knight attorneys have built a practice area within their firm on that very concept. As the Washington Post describes (sorry, this story is from August 2014 – a bit dated for me), Cwalina and Roosa have created a “lab” that they use to research and test apps and websites of their clients to detect security lapses. Cwalina and Roosa don’t appear to have technical expertise (though Cwalina was in-house counsel at ChoicePoint, one of the first companies to disclose a massive data breach a decade ago), they work with a team of paralegals and tech consultants to create the testing environment. Once familiar with vulnerabilities, the lawyers can plug them. In addition, through hands on use of these technologies, Cwalina and Roosa can gain an idea of what types of procedures for protecting security are practical and feasible.

The firm charges a flat fee for this service. Presumably, fee-splitting rules aren’t invoked because the lawyers team with IT professionals employed by the firm who are paid a salary rather than allocated a share of the fee.  

Even though Cwalina and Roosa are big firm attorneys, solo and small firm lawyers could implement the same concepts. For example, a lawyer with restaurant or daycare experience could evaluate clients’ regulatory compliance from a more hands-on perspective, and then figure out what types of precautions are needed from a legal perspective.

What’s the benefit of taking the lead on a service like this? It’s one that at least for now, lawyers are uniquely qualified to offer. A chef or teacher or tech person who doesn’t have a law degree might face hurdles teaming with a lawyer to deliver these kinds of hybrid services could violate fee-splitting or UPL rules. By contrast, a lawyer with these dual skills can seamlessly offer legal and non-legal skills as part of one practice, so long as the lawyer maintains independent judgment.

Does your firm, or any that you know of offer these kinds of hybrid legal services? What’s your opinion of them. Share your thoughts in the comment section.

2 Responses to Hands On Lawyers and One Future for Legal Services

WOW — too scary that attorneys are checking clients’ cybersecurity vulnerabilities. Keeping up with cybersecurity threats is a full-time job, and done properly, can’t work as a sideline to a law practice. Over the past two years, I’ve done a lot of research into, and work with, cybersecurity specialists, and have the greatest admiration for their level of expertise. They are constantly in training to learn more and more as the cybercrooks break new ground. I’ve heard several presentations by FBI agents, a former CIA cybersecurity expert, and two guys who have been training U.S. Army personnel in cybersecurity issues for the past several years, and I can’t imagine that two attorneys have the advanced skills necessary to conduct a comprehensive audit. No offense intended, but If I were Holland & Hart, I’d put some extra bucks into the firm’s liability insurance.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *