The Anatomy of Successful Cyber Attacks

By Joseph Raczynski

Preparation for cyberattacks on your network requires a fundamental understanding of the complete picture of who has launched the assault.  Steve Surdu of Surdu Consulting, LLP gave the keynote address at ILTA LegalSEC Summit 2015 in Baltimore, MD describing “The Anatomy of Successful Cyber Attacks.”

Steve outlined four attacker or threat profile group types: Hacktivists, Criminals, Terrorists, and Nation States.  In the matrix below I break out each section he reviewed into a column view to better understand the who, why, where, motivations, advantages, limitations, and impacts for each group.  I removed the Terrorist group as they tend not to pose a threat to law firms.

In summary the table offers an insight into the full anatomy of the threat for law firms.  To mitigate the aforementioned threats, he outlined five key strategies:

  • Awareness: An absolute must is providing education of all parties surrounding the law firm. This includes teaching employees, management, suppliers, and even your clients on the threats that exist, the tactics of the hackers, and the various outcomes from unsafe computing.
  • Visibility: Never assume that you will know everything that is happening on your network. Keep an inventory of assets, logs and all alerts which, when gathered together, create actionable intelligence.
  • Focus: Law firms must think about how the hackers attack, and avoid misplaced faith in compliance alone.
  • Operational Expediency: Firms should make reasonable operational and security trade-offs. That is, do not spend all of your time on areas with little benefit, like patches for little used systems.  Prioritize on the biggest impact items first.
  • Priorities: The most valuable time spent on cybersecurity is spent on people and process over technology.

Wrapping up his discussion, he touched on cybersecurity in three areas pertinent to law firms: mobile, Cloud, and eDiscovery.

Mobile Technology:

At this juncture, mobile devices do not pose a significant attack vector for large law firms.  The real risk is one-offs, including physical loss of the device or exposure of data stored on the unit.  Firms should remain vigilant by using encryption and password protection, and by providing remote wiping on demand.  Lastly he mentioned that Android remains a target.

The Cloud:

The Cloud is intriguing from a security perspective.  It presents the issues familiar from on-premises systems, but outsourced.  What that means is that the same predicaments arise, but since a different operator is in the equation, it can be more complex.  Surdu recommends countering this threat by vetting your Cloud vendor carefully to manage your risk.

eDiscovery:

Similar to the Cloud, eDiscovery raises the same issues externally as it does internally.  When you use hosted services, those services have to be vetted for controlled access, general integrity, encryption where necessary, and to assure that privacy laws are being followed.  He recommends that firms use familiar and consistent platforms when possible.

In his parting thoughts, he focused on several salient points.  While difficult, attempt to retain key players for your firm security; a revolving door in the Information Security department is ripe for attacks.  Create a process to track key information and assets.  By having these procedures in place the firm will know the who, what, where and when of deflecting cyber-attacks.  Work to cultivate and maintain senior management to establish a sense of normalcy; hackers often go after newer management because they are less likely to know the systems and processes.  He also stressed that your best adversaries understand that details matter.  “You should focus on the little things, because if you cannot get that right you will not get the bigger things.”  Lastly, he ended with a push for firms to concentrate on finishing security projects, because that is much more important than simply starting them.

Law Firm Security Architecture 101

By Joseph Raczynski

In a granular overview of the appropriate security procedures a law firm should have in place, Douglas Brush, Director ISG, Kraft Kennedy; Brad Bragg, CIO, Womble Carlyle; Scott Rolf, CIO, Tucker Ellis, LLP; and Tim Golden, Manager, Enterprise Architecture & IT Governance, McGuireWoods, discussed “Security Architecture 101” at the ILTA LegalSEC Summit 2015 in Baltimore, MD.

Looking at the foundation level of security, the panel used a security benchmarking technical guide to offer an overview of the top 20 critical security controls.  The SANS Top 20, since renamed the CIS Top 20, establishes specifics that companies should follow to maintain the highest level of security around their systems.

The emphasis surrounding these controls focuses on the classic trifecta in a firm: people, process and technology.  The details of the twenty security controls are very specific, so I have bulleted the primary points for each below.

CIS Top 20: Critical Security Controls and Firm Preparation:

#1 Inventory of Authorized and Unauthorized Devices

  • Know where all of your hardware is located
  • Assign responsibility to each group: Servers, computers, mobile devices
  • Control your release management: If you have a new piece of hardware inventory it and place controls on it when it is brought into service

#2 Inventory of Authorized and Unauthorized Software

  • This is much more difficult to control than #1
  • Each group within the firm is unique and creates challenges – think expectations of the partner vs. admin assistant
  • Forbid users from loading their own software
  • Use the technology Microsoft has in place to prevent unauthorized installations – think of those annoying but helpful popup warnings
  • Develop a life-cycle for your software up front and retire older software

#3 Secure Configurations for Hardware and Software on Laptops, Workstations, & Servers

  • Test your “gold images” to make sure that all flaws are identified and the image is stable and secure
  • Use virtualization now!
  • Implement auto patching
  • Keep all logs for each image you have created

#4 Continuous Vulnerability Assessment & Remediation

  • Not every patch update is critical – stack rank which actually needs to be implemented
  • Sometimes outside organizations need to patch their third party software
  • Track time on what is being done for the firm management updates

#5 Malware Defense

  • Utilize common industry standard tools like FireEye
  • Web Sensors: break-the-link services are an excellent way to keep users from hitting corrupt sites, because these services visit the site before the page loads

#6 Application Software Security

  • Train your coders to use secure code
  • If you use outside developers vet them with background checks
  • Use common requirements
  • Mobile apps need to be encrypted – each piece can touch several parts of the mobile device, be mindful of that impact

#7 Wireless Device Control

  • Firms still do not lock down the WiFi (Major doors are open when access is available from the parking lot across the street.)

#8 Data Recovery Capability

  • Backup, backup, backup – include logs
  • If you are still using tapes – use encryption

#9 Security Skills Assessment & Appropriate Training to Fill Gaps

  • Make sure you have the right trainers – look inside your organization at firm training.  They know how to teach best.
  • Goal is to improve performance
  • Look at getting CLEs to incentivize the user base
  • Use metrics – where are they now versus before

#10 Secure Configuration for Network Devices such as Firewalls, Routers, and Switches

  • Document so that you can see what has been opened (a port) and then go back and close it when a task or client use is complete
  • Use Outlook calendar as a reminder for what was opened for a client
  • Look into two factor authentication
  • Use password vaults

#11 Limitation and Control of Network Ports, Protocols, & Services

  • Keep logs on who is doing what over which port and services

#12 Controlled Use of Administrative Privileges

  • Get people out of the pattern of logging in as an Admin all the time
  • Users should only be an Admin when doing a specific task needed with those privileges

#13 Boundary Defense

  • Identity is the new perimeter – create access via user access rights
  • Be mindful of the cloud in the space. The more you rely on the cloud, the more access users can gain

#14 Maintenance, Monitoring & Analysis of Audit Logs

  • Take snapshots of normal traffic
  • Look for the anomalies
  • Keep vigilant

#15 Controlled Access Based on Need to Know

  • Try to “close” access to the DMS – versus an open DMS – this creates more security on that platform
  • Suggestion: Move email into the DMS – this is controversial at law firms
  • Delete stuff that does not need to be there
  • Two factor authentication – should be used where possible
  • Ethical walls – need to be established
  • Activity trackers – help admins to see who is doing what and why

#16 Account Monitoring and Control

  • Create documentation, auditing and a ticketing process
  • Create good password policies
  • Look not only at unsuccessful logins but also at successful ones: someone from China could be logging in successfully every time, while you do not have anyone working from there
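As an added illustration of controls #14 and #16 (snapshot normal activity, then review successful as well as failed logins), here is a small detector in Python; it is not code from the panel or any product, and the log format, the office-country list and every log line are constructed for the example.

```python
"""Flag successful logins from places where no one at the firm works.

Added illustration of CIS controls #14 (baseline normal activity, then look
for anomalies) and #16 (watch successful logins, not only failures). The log
format, the office-country list and all log lines below are constructed for
this example and are not from any real firm or product.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line format: "<ISO timestamp> <user> <SUCCESS|FAILURE> <src_ip> <country>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<status>SUCCESS|FAILURE) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<country>[A-Z]{2})$"
)

# Assumption: the firm only has staff in these countries.
OFFICE_COUNTRIES = {"US", "GB"}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2015-06-01T08:02:11 alice SUCCESS 203.0.113.10 US
2015-06-01T08:05:40 bob SUCCESS 198.51.100.7 GB
2015-06-02T09:10:03 alice SUCCESS 203.0.113.11 US
2015-06-03T22:15:30 bob FAILURE 192.0.2.44 CN
2015-06-03T22:16:02 bob SUCCESS 192.0.2.44 CN
2015-06-04T03:12:59 carol SUCCESS 192.0.2.80 RU
2015-06-04T07:30:00 alice SUCCESS 198.51.100.9 GB
"""


def parse_log(text):
    """Parse log lines into event dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Snapshot of 'normal': user -> office countries seen in successful
    logins before the cutoff. Non-office countries are never admitted, so an
    intruder already active during the training window cannot baseline itself."""
    baseline = defaultdict(set)
    for e in events:
        if (e["status"] == "SUCCESS" and e["ts"] < cutoff
                and e["country"] in OFFICE_COUNTRIES):
            baseline[e["user"]].add(e["country"])
    return baseline


def find_anomalies(events, baseline, cutoff):
    """Successful logins at or after the cutoff that deviate from the baseline.

    high:   success from a country where the firm has no staff at all
    medium: success from an office country this user has never used before
    Each alert also records how many failures preceded it from the same IP,
    which helps tell a guessed password from a stolen one."""
    failures = defaultdict(int)
    alerts = []
    for e in events:  # events are time-ordered, so failures count as "prior"
        if e["status"] == "FAILURE":
            failures[(e["user"], e["ip"])] += 1
            continue
        if e["ts"] < cutoff:
            continue
        if e["country"] not in OFFICE_COUNTRIES:
            severity = "high"
        elif e["country"] not in baseline.get(e["user"], set()):
            severity = "medium"
        else:
            continue
        alerts.append({
            "user": e["user"], "country": e["country"], "ip": e["ip"],
            "when": e["ts"].isoformat(), "severity": severity,
            "prior_failures": failures[(e["user"], e["ip"])],
        })
    return alerts


def report(text, cutoff_iso):
    """Train on everything before cutoff_iso, then alert on what follows."""
    events = parse_log(text)
    cutoff = datetime.fromisoformat(cutoff_iso)
    return find_anomalies(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for a in report(SAMPLE_LOG, "2015-06-03T00:00:00"):
        print(f"[{a['severity']:6}] {a['when']} {a['user']} from {a['country']} "
              f"({a['ip']}), {a['prior_failures']} prior failure(s)")
```

In the sample, bob's successful login from CN right after a failure and carol's from RU are high-severity, while alice's first login from the GB office is only medium; a production version would source the country from a GeoIP lookup and the office list from HR.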

#17 Data Protection

  • Use complex passwords – but teach users how to, and use the new tools available
  • Help your firm use encryption – many options such as WinZip, BitLocker, etc.
  • Push for secure Cloud drives; if they are done correctly they are better than a thumb drive

#18 Incident Response and Management

  • This is a living document that walks people through what needs to be done and when
  • Define what an incident is at the firm
  • Classify an event as an incident and determine what level of threat it poses

#19 Secure Network Engineering

  • Isolate user locations so that you can separate people, hardware and software. If you have everything in one bucket, when one goes awry the whole thing goes awry
  • Create a firewall rule that is ready so critical services can stay up if everything else goes down
  • In your server room, color code your network cables for ease of fixing

#20 Penetration Testing and Red Team Exercises

  • You should have firm technology people that can do penetration testing
  • Make sure they test using Social Engineering
  • Have rotating outside vendors perform this testing so that you always have different looks at your systems


Keeping It Secure – Internet in a Bubble

By Joseph Raczynski

Absolutely! Feel free to use YouTube, Twitter, Facebook and Gmail for business purposes at Kelley Drye.  As many firms struggle with internal access to these services for their employees, Kelley Drye has figured out how to satisfy employees and firm management by establishing a secure secondary path to the Internet in a bubble which they call Wild West Internet.

This inventive access was discussed at the “Keeping It Secure – Internet in a Bubble” session at the ILTA LegalSEC Summit 2015.  Judi Flournoy, CIO at Kelley Drye, described the evolution of how they reached the Wild West Internet.   In part, the genesis was an outgrowth of a 300-part questionnaire request from a financial institution client.  With the significant restrictions the financial institutions placed on access, they were forced to change their Web access policy.  The first iterations proved extremely draconian: no access to personal email or social media was permitted. This met with incredible backlash from the staff.  In fact, there were attorneys in tears of frustration and anger, expressing feelings of disconnect from the outside world.  The revised policy peeled this back, granting individual access to those cleared by Human Resources on a one-off approval basis.  Soon thereafter, throngs were making this request, which became problematic.

Ultimately the solution and final policy decision involved creating a separate browser experience for users when they accessed YouTube, Twitter, Facebook and Gmail for business purposes.  With the assistance of Lisa Stone and Thomas Moreo from Cornerstone Information Technologies, they built a perimeter network which sat within their larger network but behind an additional firewall.  Thus they were able to safeguard all of their primary systems and establish a walled garden where people could access those services.  There were multiple safeguards put into place, including the fact that users could not print, download, or cut and paste back into the primary network.  Users agree to these in principle and understand the limitations, but both those users and the firm found this to be a perfect halfway point.

For more granularity on instituting this please see the following:

  • They used an ASA Next Gen internal firewall creating an outer perimeter – DMZ
  • Citrix XenApp
  • Read only domain controller with shares for profiles
  • McAfee with all of the blocks associated for pornography and gaming sites
  • Blocked: printing, downloads and the ability to cut and paste back to the firm environment
  • Loaded MS Office in the environment so people could still read Word/Excel

The World of Advanced Endpoint Security

By Joseph Raczynski

Surprisingly, the vendors in cybersecurity differ on their approaches to protecting your law firm. At the ILTA LegalSEC Summit 2015 in Baltimore, MD there was a panel discussion on how each vendor tackles the ever-growing threats.  For background, when this post refers to endpoint security I am describing securing the user at the device level, i.e. the mobile phone or individual’s computer.

Gal Badishi of Palo Alto Networks started off his analysis with ominous statistics.  On average a firm does not recognize that they have been breached for 225 days after the initial strike.  In addition, of those attacks, 84% are found by third parties.  His primary theme throughout the conversation to counter these attacks was the proper implementation of a “Next Generation Firewall.”  This is defined on Wikipedia as “an integrated network platform that combines a traditional firewall with other network device filtering functionalities such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and/or other techniques such as SSL and SSH interception, website filtering, QoS/bandwidth management, antivirus inspection and third-party integration (i.e. Active Directory).” (Wiki, 6/14/2015)

Keith Palumbo of Cylance fascinated the audience with a unique and futuristic tack on cybersecurity for law firms.  They use a form of Artificial Intelligence to uncover and deflect penetration from malicious intruders.  In fact, Keith described the use of mathematical endpoint solutions including algorithms to help predict what types of “ones and zeros” will be malicious based on like or similar files.  Their equations employ processes similar to those financial institutions have devised for rapid electronic trading.  Cutting-edge autonomous driving cars also operate under similar algorithms.  What fosters this is the utilization of extremely efficient computers and their prowess in mathematical processing.  In essence, Cylance collects samples of viruses, extracts common features in the code, then transforms that code into feasible branch code.  At this stage the software vectorizes the viruses to then train the system on what might arrive at the firm’s door.  Finally it classifies the virus and clusters it into a defined grouping for future learning.

The third speaker, Harry Sverdlove of Bit9, began his discussion with the statement that “antivirus protection is almost pointless.”  He noted that what firms have been employing for the last 20 years, virus detection through signature updates, is dead.  With the number of viruses on the Internet, there is no feasible way to scan, collect, submit and maintain a log of the rapidly changing viruses.

Harry suggested that each firm start from the assumption they are or will be breached.  He painted an example of a house that a thief gains access to daily.  If you think about it in this sense, prevention of that thief from entering is no longer enough.  Firms must invest in detection and response.  Most firms do not have systems that seek out real-time detection mechanisms.  This lends itself to much longer periods of time that the thief remains inside the firm’s firewall.  If the initial firewall breach was not detected by the firm, that intruder could remain inside for significant periods of time.

Ultimately the three panelists concluded that a three-pronged approach to endpoint security was necessary: prevention techniques, detection once the breach has occurred, and lastly a documented response using various tools and processes.  Whatever the solution, they all suggested turning your firm data (logs, user profiles, patterns of access) into intelligence.  If you establish a baseline for how people access your network, you can identify the variance and seize the thief.


Wikipedia, Next-Generation Firewall, 6/14/2015.


Form a Phalanx: Law Firm Lessons on Managing Cyber Security through Talent and Culture

By Joseph Raczynski

The 5th Annual Law Firm CFO/CIO/COO Forum

As law firms continue to appreciate the significance of creating an understanding surrounding security and risks, this starts with a sharp focus on talent and culture.  The first component that the panel discussed during the Data Privacy, Security & the Globalized Law Firm CFO/CIO/COO Forum, surrounded protection and prevention methods.

Protection and Prevention

Barry Strauss, COO, Elegrity; Curt Cunningham, CIO, Fragomen; Michael Lewis, CIO, Hogan Lovells; and Ramound Umerley, CDPO, Pitney Bowes had a very engaging discussion about how firms can best protect their data.  In the beginning stages firms should prioritize their assets.  What documents, emails, IP, databases, software, and services are most important?  As new data arrives, the firm should examine the process.  How is data stored, transmitted and deleted?  The process for each aspect needs to be examined carefully.  The firm has to be mindful of both structured and unstructured data and, in addition, understand and follow the rules for national and international compliance of this information.

Several of the panelists suggested that every firm should conduct its own network penetration tests.   Michael Lewis of Hogan Lovells recommended that firms design phishing emails to see which employees are actually clicking on those links.  Another aspect he mentioned was to review data retention policies.  Are these policies industry standard?  Michael Lewis also advocated that firms take baseline network traffic reports from all offices.  Once established, the baseline can be compared against current traffic on your network, setting off alerts on anomalies and a possible compromise.

Some other protection and prevention methods:

  • Use encryption everywhere that you can; email, documents, databases, SAN
  • Web Application Vulnerability Testing
  • Mobile Device Management – separate firm data on their BYOD devices
  • ISO certification and accreditations

Incident Response

Another critical aspect of firm culture is incident response.  The panel discussed the need to have a cross-functional team in place for when the cyber-attack occurs.  This group should include many of the following: Communications, HR, BD, Managing Partner, IT, Audit, and Info Security.  A suggestion that struck a chord with the audience was accessibility to your vendors, that is, the ability to contact a vendor no matter what time of day or night.  Get the phone number of a real person who is accountable.  They emphasized that this should be negotiated and arranged in the contract.  Lastly, once an incident is resolved, conduct a retrospective of the attack and define lessons for the next event.

In an age where law firms are clearly in the sights of cyber criminals there is a need to act. Law firms are aligning their understanding of security and risks directly with the need for a sharp focus on internal talent and culture.  Protection, prevention, and incident response methods are a major component of safeguarding the firm’s assets.  The panel closed with their three most important take-aways: prepare technologically, educate your staff, and create clear processes.

From Russia (and Asia) with Love: Cyber Warfare and the growth of State-Sponsored Hacking

By Joseph Raczynski

The 5th Annual Law Firm CFO/CIO/COO Forum

The scope of the threats to law firm data is global.  In this panel discussion at the Data Privacy, Security & the Globalized Law Firm CFO/CIO/COO Forum, a country-by-country breakdown of dangers was discussed while the audience absorbed the magnitude of the panel’s concern.

Eben Kaplan, Senior Consultant, Control Risks; Josh Goldfarb, CTO, FireEye; Jay Healey, Senior Research Scholar Columbia University; Robert Knake, Senior Fellow for Cyber Privacy, Council on Foreign Relations; Daniel Sutherland, Associate General Counsel, Homeland Security demonstrated that each entity had various motives and techniques for cyber-attacks.

Who, Why, and How?

Who: China – They have a defined plan with tactics and procedures.

  • Why: They are primarily seeking intellectual property with a new focus on firms that retain such information, especially those with newer IP clients (Target: Silicon Valley – DC based firms)
  • How: They focus on social engineering
    • Text messages, spear phishing
    • Looking for the weakest link at the firm – someone who will click a link
    • Watering hole attack – In this tactic, China compromises a trusted third party site so the primary target would not suspect it and then in turn it becomes infected. Example: A famous Think Tank’s website is compromised – Big Law firm goes to the site and gets infected… the target was the Big Law firm and they got infected indirectly.

Who: Russia – They are one of the most experienced countries at hacking.

  • Why: Money, but increasingly they are focused on IP, so law firms should be aware of this.
    • They are quieter and more careful than China
  • How: They are using more BotNets, worms and malware than China

One interesting concern expressed on the panel is that Russia is very worrisome for the United States at the moment.  The rule of thumb was that countries which could hurt the US years ago did not because they did not have a desire to do so.  On the other side, those who wished to do harm did not have the bandwidth.  This has changed.  Putin is leading Russia down the road of an attack on the US, and they have the skills and bandwidth to do significant harm.

Who: North Korea – They are still new in this arena but improving quickly.

  • Why: Political
  • How: Uniquely North Korea is buying its capability to attack from the Dark Web, or hackers for hire. They used black hat hackers to launch the Sony attack and it was very successful.
    • They are brazen in their approach but until recently have not been as interested in law firms.

Who: Iran – They too are improving quickly

  • Why: Political
  • How: They have started leveraging worms that were used on them by other countries like Israel.

The Saudi Aramco Wiper Worm was a virus/worm supposedly created by Israel and launched on the Saudi company’s network.  It reportedly wiped clean 75% of the world’s most profitable company’s computers and left only an image of a burning American Flag.  Iran may have adapted the worm from something that had been launched on them years before by Israel.

The thrust of the panel discussion was that the threats to law firms are far and wide.  While some nation states have not traditionally sought out law firms, there is keen interest in IP and M&A information.  In closing, Josh Goldfarb, CTO, FireEye mentioned some startling statistics.  While they were installing hardware on their customer networks, many of which were law firms, they found that of 1,216 customers tested, 97% were compromised.  Even more fascinating was that 25% of those compromised networks had been compromised by other nation states.  This underscored the importance of understanding who is knocking at your firewall and what they are seeking.



Enemies at the Gate: Responses to Data Security Threats at Law Firms

By Joseph Raczynski

The 5th Annual Law Firm CFO/CIO/COO Forum

In eerie silence, law firms could be easily breached like JPMorgan Chase, Home Depot and Sony by cyber criminals.  The difference with law firms is that few would know the sensitive data had been taken.  While law firms do not have to report such penetrations, we learned at the Data Privacy, Security & the Globalized Law Firm CFO/CIO/COO Forum that they must increasingly stay vigilant to avoid such a plight.

In the first panel discussion of the day, Mike Marsilio, Director of Security and Compliance, DTI; Mark Connelly, CISO, Thomson Reuters; Steve Katz, Board member, Glasswall Solutions; John Masserini, CSO, The MIAX Exchange; and Mark Olson, VP and CISO, Iron Mountain focused on a few key data security topics.

What keeps them up at night?

John Masserini expressed several concerns which were mutually shared by the panel.  Simply put, employees create significant anxiety.  What are they downloading?  What links are they clicking?  Are they using dirty, unencrypted jump drives on their computers?  All were in agreement that internal employees’ actions can cause the most harm to a network.

Other concerns expressed:

  • Regulatory requirements
  • Not having enough skilled people
  • Complexity of vendors’ systems, and vendors who are not mindful of the security concerns

Answering some of these issues, Mark Olson of Iron Mountain offered a few suggestions.  There have to be processes in place.  Enact physical requirements on your data rooms, e.g. isolating buildings and spaces.  In addition, have vendors escorted into your buildings.  Knowing that you have to trust some vendors, log absolutely everything.  Do not allow jump drives unless cleansed by your security professionals.  Ultimately the mantra of the day was: educate, test, create and follow process and procedure, and retrain constantly to guard against breaches.

How do you speak with the partnership about security?

The panel discussion also touched on how best to convey the magnitude of security and risk to the firm partnership.  One distinction they made was that the Chief Information Security Officer (CISO) must show that the investment in IT is directly related to retention and new business.  If there were a breach, the harm to the brand could be irreparable.  When explaining security they suggested staying away from tech talk and painting a picture that non-technical people could understand.  The partnership tends to lean in to financial discussions from the CISO.  When they do, IT should state it in a fashion that “they know you know” the business is about making money.  The concept driven home was that security and risk is not a cost center but rather a retention and new business play.

As the panel closed the session they emphasized that law firms are in a precarious position.  They are brokers of sensitive and important information (think IP and merger information), and to that end they are a massive target.  It is the responsibility of the Chief Information Security Officer (CISO) to put in place process, procedure and pound the drum for employee education and awareness.  The unseen enemy is really those employees that are uneducated, unaware, and unwilling to properly care for the firm’s tools and technology; thus exposing the firm to the outside attacks.

Stanford, Sights Set on Legal: Part 3 – School Projects Create Significant Companies

By Joseph Raczynski

The Legal Lessons Learned from Stanford Series

Stanford University is fully embracing the legal industry, a historically cautious mover, as a focal point of its innovative solutions.  The industry is primed to evolve through more transformative processes by pairing inventive thought and applied technological advancement to solve niche legal process issues.  Recently at the Emerging Legal Technology Forum, hosted by Thomson Reuters and Stanford University, we learned how and what the school has developed to further advance the legal space.

Lex Machina Blazes a path:

As I mentioned in the previous post, not too long ago Stanford decided to coalesce departments across its graduate campuses.  This meant combining groups that had always been housed in separate buildings.  Once they started this project, the nascent ideas emerged.

Lex Machina – one of the first and most successful of the emerging projects, started with a mashup of the university’s law school and computer science departments collaborating.  It is an IP litigation research company which creates legal analytics data and software.  It began as a project on campus under the broad and supportive limbs of Stanford’s incubator environment before being spun off into what it is today, a full-fledged company based in Menlo Park, CA.  This exemplifies the university’s core: to intertwine siloed departments, leverage strengths, and thus seek out whitespace.  In this instance they were able to leverage computer algorithms from the CS department with publicly available legal data to produce visualizations of IP litigation data and predictive outcomes.  Never before had these two disparate groups collaborated.

Securities Litigation Analytics is a similar type of project still sitting inside of Stanford.  In a similar way, SLA is an analytics-based legal platform focused on federal shareholder lawsuits.  It allows a user to query a database of over 2,000 federal shareholder lawsuits across hundreds of variables and see the statistics for outcome, settlement size and resolution.  Like Lex Machina, there is an ability to display the results of your search through interactive graphics.

What is remarkable about these projects is that it took commingling of two different cultures and philosophies into one venture to produce them.  One surprise during their discussions was the realization that both Michael Klausner, CEO of SLA, and Josh Becker, CEO of Lex Machina, did not know the other existed, and yet they were a few floors apart working on their respective projects in a similar field.  Given the advanced and innovative approach that Stanford is taking, I was rather surprised to hear them say they did not know about each other.

Ultimately Stanford is pushing into the legal space with the hopes of engaging the industry, its respected schools and technology.  They are actively establishing an ecosystem of innovation by driving experimentation and promoting new ways of working within the legal space.  Based on the projects evolving into established companies, we know their imaginative processes are creating fertile ground for pushing legal forward.


Stanford, Sights Set on Legal: Part 2 – “Designing” a Legal Industry

By Joseph Raczynski

The Legal Lessons Learned from Stanford Series

Stanford University is fully embracing the legal industry, a historically cautious mover, as a focal point of its innovative solutions.  The industry is primed to evolve through more transformative processes by pairing inventive thought and applied technological advancement to solve niche legal process issues.  Recently at the Emerging Legal Technology Forum, hosted by Thomson Reuters and Stanford University, we learned how and what the school has developed to initiate increased efficiencies in this arena.

In my last post I wrote about how Stanford’s Design School created a better process for Fidelity Investments when it came to driving more customers to create estate plans.  What was most fascinating about the talk was the perspective and approach of Margaret Hagan from the Stanford Institute of Design.

In her opinion, in any one of these scenarios it is all about collaboration and rapid prototyping.  She set the stage by recommending the legal industry create more “Popups” i.e. brief rapid-fire meetings that have the following:

  • Different backgrounds – people from various perspectives and specialties
  • Innovative spaces – bright, colorful, open rooms
  • Music, force people to stand, uncomfortable chairs, intimate space, white boards, pens in hands
  • Keep the conversation going by saying “Yes and…” don’t worry if this will work or not
  • Concept of “flaring” which is putting all ideas up on the board

Margaret started a Legal Design Initiative to explore new areas and draw out ideas.  Over an eight-week period she set up popups with partners like Orrick.  They worked in collaboration, targeting teams of JD/MBAs and the d.School to come up with fresh concepts.  The goal was to be exploratory.  The benefit of this was that Stanford came away with a host of clever ideas and new projects that could eventually be elevated to the realm of a Lex Machina or SLA, which I will delve into more in the next post.

Stanford, Sights Set on Legal: Part 1 – Fidelity Investments Estate Planning

By Joseph Raczynski

The Legal Lessons Learned from Stanford Series

Stanford University is fully embracing the legal industry, a historically cautious mover, as a focal point of its innovative solutions.  The industry is primed to evolve through more transformative processes by pairing inventive thought and applied technological advancement to solve niche legal process issues.  Recently at the Emerging Legal Technology Forum, hosted by Thomson Reuters and Stanford University, we learned how and what the school has developed to initiate increased efficiencies in this arena.

Designing a Better Legal Process:

Fidelity Investments had a problem.  They have 20 million customers and 70% of them did not have an estate plan.  Being a customer-centric organization, they wanted to significantly lower that gap.  Fidelity reached out to Stanford and the school brought the Design School (d.School) and Law School together to collaborate.  Margaret Hagan of the Stanford Institute of Design and Philippe Mauldin of Fidelity used some of the basics of the design program to figure out how to help find a solution.  Interestingly enough, core to this process was determining what the problem was, and not focusing on the solution.  They began by visiting people’s homes to see firsthand what their customers chatted about when it came to finances.  Fidelity had a focus on how they could help people protect their assets.  What they uncovered is that the problem was education, which bled into a lack of execution for their customers.  Simply stated, people did not know what they did not know and so they did nothing.

Fidelity went back to Stanford and they all collaborated on what this process of establishing an estate plan would look like on  Their focus was on how to help the customer prepare.  Thus they created a wizard interface with step-by-step templates from Stanford Law School and links out for complex legal terms.  In addition, the wizard helped guide users through a list of pertinent information, assisting them in preparing for decisions that they would have to make.  Once that piece was completed, the next step was to assist people in partnering with trusted attorneys.  Stanford ultimately recommended a vetted attorney for each state to keep in compliance with local jurisdictions and to review finalized documents.


In an effort to create a simple legal process, driving understanding and efficiency, Stanford combined their Design School with the Law School through a real-world problem to create a better customer experience.  In the next post I will delve into how the d.School tactically innovates through process, from which I believe all industries could benefit.