Tuesday, 25 April 2017 10:25

For Law Firms, Where Is the Digital-Age Sweet Spot Between Business Growth and Data Security?


"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." -- Eric Schmidt

Eric Schmidt is trying to upset us. And his thought here warrants close attention because as a software engineer and the CEO of Alphabet (Google), he arguably understands the Internet about as well as anyone on planet Earth. It’s a probe that does for the Internet what Marshall McLuhan’s famous probes did for television in the 1960s: it shakes us up.

McLuhan used his probes to remove the blinders from our narrow, naïve thinking about electronic media so we could see where they were actually taking us: towards the electronically connected global village that we inhabit today.

Schmidt’s probe does likewise for the Internet with the difference that his vision is markedly darker than McLuhan’s. It dispels once and for all the puffed-up and endlessly marketed notion of the Internet as an unmitigated blessing for humanity. It nudges us to look past all this hype so we can see the Internet for what it is: a mixed blessing at best, replete with promise and fraught with peril for humanity.

That’s not an easy task. Most people feel uncomfortable being nudged in this way. Perhaps law firms especially. It’s not hard to imagine a group of complacent, white-wigged English barristers hearing Schmidt’s musings about Internet anarchy and then chiming in with mocking shouts of “Hear, hear!”

At the same time, such white-wigged sarcasm surely warrants respect, for its roots lie in the lawyerly aversion to anarchy and the disposition to order that marks the practice of law on both sides of the pond.

But there’s a second and more pressing reason why law firms might be prone to neglecting the Internet’s downside. This has to do with the hyper-competitiveness of all business today—the relentless drive for business growth that’s being fueled (of all things) by the Internet. In this heady atmosphere, law firms risk succumbing to the temptation—indeed, the seeming necessity—to exploit to the hilt the Internet’s huge upside—its massive growth and profit potential—while neglecting its huge downside: its immense threats to data security.

For law firms such neglect is exceedingly consequential, for it puts at risk core principles and capabilities that make possible the very practice of law. These include the fundamental tenet of attorney/client privilege and the indispensable ability to conduct sensitive M&A negotiations in absolute confidence. On the need to protect the former, E-Discovery expert Ralph Losey makes the essential point:

Cybersecurity should be job number one for all attorneys. Why? Because we handle confidential computer data, usually secret information that belongs to our clients, not us. We have an ethical duty to protect this information under Rule 1.6 of the ABA Model Rules of Professional Conduct.

To put it mildly, a dilemma arises here. And there arises also a challenge that may be put this way: in a digital age, does there exist a sweet spot between business growth and cybersecurity? A valid answer to this question requires, first, an awareness of the actual consequences of lax cybersecurity.

On this score we need look no farther than the 2016 hacking of partner emails—specifically, a number of spear-phishing attacks—that led to the enormous data breaches of the elite New York firms of Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP. The stakes could hardly have been higher, for these firms, as the Wall Street Journal said, represent “Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations.”

7 gigabytes of data were stolen. That’s enough for tens or even hundreds of thousands of emails.

The three Chinese hackers recently charged with the hacks were smart. As targets they chose partners whose practice areas included mergers and acquisitions and intellectual property.

The Chinese hackers are charged with using hacked data to make $4 million in profits from insider trading. That’s bad. Worse yet is the possibility of hackers kidnapping M&A and intellectual property data and holding it hostage for huge ransoms. The worst-case possibility, as Fortune magazine reports, is that “the breach [of Cravath and Weil, Gotshal] took place as part of a larger initiative by the Chinese government”.

So then: what’s to stop breaches like these from occurring in 2017? Not nearly enough. In today’s digital world there exist dozens of groups of expert hackers, be they Chinese or Russian, state agents, trained professionals or self-educated teens, that are entirely capable of doing to other firms what the Chinese hackers did to Cravath and Weil Gotshal.

And there exist dozens of law firms—including BigLaw firms—that aren’t taking these hacker groups seriously enough.

At times, the legal profession’s disregard of cybersecurity can be stunning. To take just one instance: the American Bar Association’s 2015 Legal Technology Survey Report finds that nearly 40 percent of lawyers in the U.S. are using public Wi-Fi to access client data, but only 22 percent are using an encrypted connection.

.  .  .  .  .  

All this raises the question of the actual state of law firm cybersecurity today. Several years ago Jody R. Westby of the American Bar Association observed that “Law firms have never been very good with technology, and now they are struggling, as breaches in firms have made headlines and clients increasingly are asking questions about their security programs.” Demand for data protection came, notably, from clients, not attorneys.

Recently the 2016 Novitex and Association of Legal Administrators' (ALA) Report documented the extent of this neglect today. Based on a survey of hundreds of firms worldwide, the report found that “… law firms across the globe [are] primarily concerned with bolstering their business operations and financial viability above all else”.

The Report went on to say that “Only 8.4 percent of [800] firms [surveyed] were most concerned with reducing cybersecurity risk, compared to 7.8 percent of firms concerned with improving workflows. Around half of those (4.1 percent) were also primarily focused on upgrading their technologies.”

These findings are alarming. In the long run, priorities like these are invitations to trouble. There’s a mantra going around these days that cybersecurity in a digital world isn’t an IT problem, but a business problem. It’s the right mindset, and it points the way to the sweet spot of data security as an actual driver of business growth.

Now let’s see how law firms can strengthen their cybersecurity practices.

.  .  .  .  .

Belatedly, the legal profession is responding to market demand for data safety. Belatedly. Consider this ILTA Technology Review graphic of 2012:

As abysmal as these numbers are, what matters for our purposes here is the eight activities they measure. As an IT professional whose job it is to protect Chi Networks’ customers from the downside of Internet anarchy, I see the need for these eight activities, in a more comprehensive version of them, to be as familiar to all members of a business as the rules of the road are to drivers. That’s saying a lot. But in a digital world, computer security should be second nature. Think of a day when your colleagues are as comfortable talking with each other while securing their computers as they are comfortable talking with passengers while driving. That’s the goal to strive for. Because when all is said and done, it’s our strongest protection from the dark side of the Internet.

My own updated and more comprehensive list of eight focal points for business protection looks like this:

1. Emails. For emails, end-to-end encryption is the gold standard. But it requires both ends—your end and, say, your client’s end—to be encrypted. In any event, use a provider that supports strong encryption. If you host your own emails, use encryption software.

2. For passwords, use two-factor authentication. Require employees to use a modern password manager that can create complex passwords, change passwords automatically and show you how to improve password security. Although password managers require time to learn and to stock with secure passwords, they are free, save time in the long run, and they really, truly make life easier and safer.

3. Require employees to use only firm-approved mobile (BYOD) phones. Have your IT staff partition BYOD phones into separate encrypted compartments that securely wall off company from personal data. At my company, Chi Networks, we call this the Work Wall.

4. Secure computers with firewalls and virus protection. Keep operating systems and software up to date.

5. Ensure employee mastery of company cybersecurity policies. Update them based on the findings of periodic risk assessments.

6. Implement ongoing, firm-wide employee education on the latest cyber threats. By trial and error, create learning environments—group sessions, fun contests with prizes, self-paced individual tests, one-on-one interactions with IT staff—that work best for your employees.

7. Have penetration tests on your IT system conducted by outside firms or your own security team. Hack yourself before someone else does, then fix the hacks.

8. Conduct regular practice drills testing everyone’s ability to respond correctly in the event of an actual data breach.

So: will these eight steps, effectively implemented, make cybersecurity second nature for your colleagues? They won’t. But they are solid steps in the right direction.

Wrapping up, Eric Schmidt has it right. The Internet is an experiment in anarchy. It’s taking humanity deeply and inexorably into a brave (and dangerous) new world of creative disruption on a global scale. That much we know for certain.

This awareness gives the legal profession in particular, as a primary guarantor of societal order, the responsibility of ensuring that data security becomes an actual driver of business growth. There’s your sweet spot. If these words don’t strike a chord, maybe six others will: Cravath Swaine & Moore, Weil Gotshal & Manges.

Source: corpcounsel.com
