It’s no secret that law firms are on the front lines of cyber attacks as they can hold clients’ most sensitive and confidential information.

For a law firm, the idea of designating a law partner formally as Chief Privacy Officer (CPO) is novel. It is also no secret that lawyers are typically slow to adopt new ideas and practice methodologies.

The idea of concentrating the firm’s privacy policies, procedures and employee training with a centralized person or group may be an idea whose time has come for the legal profession.

Soon enough, this more focused approach to privacy in law firms, adopted in companies of all sizes, may be widespread. (Remember when lawyers didn’t even use computers?)

While companies of all sizes have hired designated, experienced privacy officers, the first law firm to formally emulate its corporate clients and take this plunge is the national firm Fox, Rothschild LLP.

Fox, Rothschild selected Philadelphia-based partner Mark McCreary as its official CPO in September.

McCreary is charged with safeguarding the firm’s confidential information and that of its clients.

Clients of Fox, Rothschild — some with trade secrets and many in highly regulated industries — sleep a bit easier at night knowing that an attorney practiced in technology and privacy law knows what the right and left data-privacy hands are doing.

Two months into his new role as CPO, McCreary serves as the go-to attorney for the firm’s internal data-privacy matters while also servicing the firm’s busy privacy practice. Here’s McCreary’s job description:

  • Reviews existing policies and formulates new policies regarding the collection, handling, storage and use of confidential and personal information in the possession of the firm.
  • Reviews existing practices and implements new practices and standards concerning the collection, handling, storage and use of confidential and personal information on all firm devices as well as physical documents and records.
  • Responds to client requests and inquiries regarding the firm’s confidentiality, privacy and security policies and practices.
  • Develops educational programs for the firm on confidentiality, privacy and security policies and best practices.

McCreary admonishes that privacy issues cannot effectively be “practiced on the side” given the wide range of domestic and international laws and regulations, differing state laws applicable to data breaches and the many privacy laws spanning different industries.

So what’s different about this role to McCreary?

“Well, for one, I’ve had a lot of inquiries from total strangers about how the role works in a law firm,” he said. “But truly, it’s no different from what we did before this. Now, people are just thinking about privacy issues more. We’re simply more focused about protecting our firm’s and our clients’ confidential information.”

The impetus for the new CPO role stems from the firm’s renewal of its business and cybersecurity coverages.

“To comply with all aspects of the policies we considered, it just made sense to have an attorney committed to full compliance,” McCreary said. “With more than 650 attorneys, the cost didn’t really change us; we already had a robust IT department, and our hardware and software were always actively monitored.”

McCreary added, “It’s hard to foresee the ‘what ifs’ like an employee leaving unexpectedly with sensitive client data or a firm device being lost. A law firm can’t risk harm to clients and client relationships. A firm needs to know how to shut down that information before damage ensues.”

Will hiring a CPO work in your firm?

When analyzing the costs and benefits of hiring a chief privacy officer for your law firm, you should first assess your firm’s needs.

Factors such as firm size and the number of offices you have are key. Do you have offices in more than one state or country? Keeping up with ongoing changes in privacy legislation across multiple jurisdictions can be daunting for one person to manage. You may want to consider whether dividing the role across locations would be more effective.

The next question you may ask is whether to hire from within or from the outside. Hiring from within ensures that your privacy officer will understand your firm’s culture, priorities and inner workings. Hiring externally will be more time-consuming and probably more costly.

The benefit to bringing in an outsider is that you may find someone with more experience and training in data-privacy protection.

In addition to experience, it is critical that a lawyer serving as your firm’s privacy officer has good judgment when making decisions about privacy. Your privacy officer must be able to make business decisions that balance all of your firm’s other interests. He or she must also be able to work with your clients, employees and managing partners.

Above all, your privacy designee must have outstanding communication skills. This person must be able to create policies and procedures, train and educate employees from the top down and consult with key stakeholders.

Is a firm CPO the new cost of doing business in 2015, or a marketing benefit? Donna B. More, Fox, Rothschild’s managing partner in its Chicago office, said it best: “Spending on the front end and taking an offensive position to protect employees’ and clients’ sensitive information, we feel, prioritizes what’s important to our clients and elicits trust. Many of our clients need to know that we value their privacy just as much as they do.”