Law Departments and Cyber Security: Addressing the Scary Stuff

Law firms have one of the softest security underbellies in the world of professional services. That alarm was sounded during an ILTA panel discussion on security with Michael Russell of Liberty Mutual, Brian Donato of Vorys Sater, and Natalie Fedyuk of KPMG. The group's consensus was that law firms are more exposed to threats because of their complicated handling of highly sensitive data that spans the spectrum of Personally Identifiable Information (PII).

According to the panel, a recent investigation called the Mandiant Report cited China as one of the largest threats to law firms outside of the United States. The evidence supports the view that the Chinese Army is attacking law firms because of their traditionally low levels of security and their highly sensitive information. In one example, a law firm was attacked and the email addresses of military officers who were being investigated for atrocities in Afghanistan were released.

With countless successful breaches occurring, the panel focused on how to create better safeguards.

 

  • Manage Vendors: Do a risk assessment of your vendors. Make security part of the RFP process so that there are tactical steps to support a management strategy.
  • Governance: While security software is important, it is a small part of the whole. Make sure a process is in place to govern all aspects of data flow, access, audits, and compliance.

Establish informational audits for internal personnel and vendors which include the following:

  • Input/Intake
  • Issue Questionnaire
  • Conduct Review
  • Complete Questionnaire and Report
  • QA Review
  • Issue Questionnaire and Report
  • Closing meeting with Vendor

Ultimately, all firms should seek out best practices to protect themselves. The panel recommended beginning this process by adopting and enforcing a security controls framework. The LegalSEC “Top Ten” was considered the place to start for implementing proper controls as well as audits.

To counter the mounting threat of cyber assault on law firms, the panel stressed several salient points. They stated that creating a very thorough risk assessment for all parties and establishing a governance process were most important. They also highlighted that diligently seeking out best practices for data destruction and incident response, and considering a cyber-insurance policy in case everything else fails, were invaluable.

About Joseph Raczynski (92 Articles)
Joseph Raczynski Legal Technologist/Futurist Joseph is an innovator and early adopter of all things computer related.  His primary bent is around the future of law and legal technology. He also focuses on several fields including machine learning, mobile, security, cryptocurrency, and robotics (drone technology). Joseph founded wapUcom, LLP, consulting with companies in web and wireless development.  As a side project DC WiFi was created to help create a web of open wireless WiFi access points across cities and educate people about wireless security. Currently he is with Thomson Reuters Legal managing a team of Technical Client Managers for both the Large Law and Government divisions.  Joseph serves the top law firms in the world consulting on legal trends and customizing Thomson Reuters legal technology solutions for enhanced workflows. He graduated from Providence College with a BA in Economics and Sociology and holds a Masters in eCommerce and MBA from the University of Maryland, University College. You can connect with Joseph at JoeTechnologist.com or JosephRaczynski.com or @joerazz
