What’s the most effective way for lawyers to protect their clients from a data breach of Sony-like magnitude? Sure, they can sponsor trainings for clients, develop handbooks and checklists and purchase cyberinsurance. Or lawyers could take the most direct approach and identify and plug the security gaps themselves.
Sounds crazy – and outside a lawyer’s pay grade. Yet Chris Cwalina and Steve Roosa, two Holland & Knight attorneys, have built a practice area within their firm on that very concept. As the Washington Post describes (sorry, this story is from August 2014 – a bit dated for me), Cwalina and Roosa have created a “lab” that they use to research and test apps and websites of their clients to detect security lapses. While Cwalina and Roosa don’t appear to have technical expertise (though Cwalina was in-house counsel at ChoicePoint, one of the first companies to disclose a massive data breach a decade ago), they work with a team of paralegals and tech consultants to create the testing environment. Once familiar with vulnerabilities, the lawyers can plug them. In addition, through hands-on use of these technologies, Cwalina and Roosa can gain an idea of what types of procedures for protecting security are practical and feasible.
The firm charges a flat fee for this service. Presumably, fee-splitting rules aren’t invoked because the lawyers team with IT professionals employed by the firm who are paid a salary rather than allocated a share of the fee.
Even though Cwalina and Roosa are big firm attorneys, solo and small firm lawyers could implement the same concepts. For example, a lawyer with restaurant or daycare experience could evaluate clients’ regulatory compliance from a more hands-on perspective, and then figure out what types of precautions are needed from a legal perspective.
What’s the benefit of taking the lead on a service like this? It’s one that, at least for now, lawyers are uniquely qualified to offer. A chef or teacher or tech person who doesn’t have a law degree might face hurdles: teaming with a lawyer to deliver these kinds of hybrid services could violate fee-splitting or UPL rules. By contrast, a lawyer with these dual skills can seamlessly offer legal and non-legal skills as part of one practice, so long as the lawyer maintains independent judgment.
Does your firm, or any that you know of, offer these kinds of hybrid legal services? What’s your opinion of them? Share your thoughts in the comment section.