How Legal Spend Management Helps Mitigate the Impacts of Data Breaches

The Panama Papers and Paradise Papers cyberattacks against law firms. The issues of data harvesting emerging from the Cambridge Analytica scandal. The volume of reported data breaches. Cyberattacks and data breaches are becoming inevitable as ever-larger quantities of information are stored electronically. In addition, GDPR has introduced requirements to notify the relevant supervisory authorities, and individuals who may be adversely impacted, much more promptly (within 72 hours of becoming aware).

As a result, there is a greater need for stronger controls around data security, both within your organization and for companies holding your data. A robust records management policy is integral to your company’s ability to understand what information is available, where it is, and in what format. Most importantly, it sets a clear framework for handling, managing, and storing that data.

You may have agreements with your external partners on how they manage and handle your data; historically, companies may have relied on this with little further investigation.

However, if you have ever handled the fallout of a data breach by one of your suppliers, you will appreciate the pressures of trying to assess the potential risk and exposure the breach might create for your company, all of which must be done within very tight timescales if you need to notify the authorities and individuals concerned.


One often-overlooked tool that can help (both with an immediate investigation and future risk assessments) is a legal spend management system (for example, Onit’s European legal spend management solution, BusyLamp eBilling.Space). Integrated legal spend and matter management software can provide a wealth of information to help legal operations understand and manage the data that law firms hold for you, and can support you in building a records inventory.

Legal spend management tools can provide clarity on the following:

  • The external law firms used,
  • What type of work outside counsel are undertaking, and
  • Who at the law firms has worked on the matter and therefore had access to your data.

Knowing the data shared with your law firm is vital for an immediate investigation. Access to the matter details in your legal spend management system will provide you with a good starting point to gather information. Basic information will include the law firm’s name and the person(s) in your firm who may be working on the matter(s). It will also provide a contact point at the law firm. Finally, based on the work, you will have a rough idea of the documents shared with the firm.

If you are looking to assess the risks of sharing your data both now and in the future, legal spend management software will provide details of the number of times your company has used the firm. With this, you can assess the risks and controls in place with all your outside counsel and carry out appropriate system security assessments. You can also more easily check that the law firms have implemented and are complying with your records management and retention policies.

The amount and sensitivity of the data sent to your law firms comes from the type of work undertaken. Most companies will generally share similar types of data for specific categories of work with their external partners. As an example, for an employment issue, details about the employee and the grievance will be shared with the external counsel. Using the information in a legal spend management system about the types of work done by the law firms will help you assess the risks and controls each law firm has in place to protect your data and consider the best and most appropriate ways to transfer your data. Furthermore, it can help you build your records inventories.

Finally, as law firms record the time that a timekeeper spends working on a matter, invoice data captured by e-billing software will allow you to see who has access to your information at the firm.

Knowing and understanding the type and volume of data that your company has shared with your law firms will help you a) respond to and manage any data breach or data loss and b) understand the potential risks to your data. This knowledge will help you assess whether you are using the best legal technology for sharing your data and whether the processes you have in place to transfer your data are appropriate.
