This was a ton of fun! I had the chance to record this “holding Joe’s feet to the fire” 😉 conversation about the future of legal industry and where we all may be going with dynamic duo of Marlene Gebauer and Greg Lambert. Thanks to both of them for the opportunity to go down the rabbit hole of technology and the legal industry!
Interview with Joseph Raczynski, written by Michelle Worrall Tilton
Attorneys look to precedent to solve today’s legal problems. “Steeped in tradition” is how we often describe the legal profession. As result, it’s no surprise that there is inherent tension between emerging technology and the legal profession. The American Bar Association’s 2020 TechReport, which surveys firms and tracks attorney use of technology in their practices, reported that only 7% of attorneys are using tech tools, such as Artificial Intelligence (AI), for document review and research. Firms with more than 100 attorneys are more likely to use AI, as well as firms that engage in mass tort litigation. Despite promises of increased efficiency, productivity, and profitability, a significant number of attorneys cite distrust of the technology and underlying algorithms.
Even though the legal services market is estimated to be a $1T industry globally, Forbes reports that it is also one of the least digitized:
That is, until the COVID-19 pandemic forced the legal community to remote hearings, yoga pants, and dining room tables seemingly overnight. Prior to the pandemic, the ABA’s 2019 TechReport estimated that the vast majority of law firms of all sizes – other than solos – worked in traditional law firm environments. Now, many managing partners are rethinking their office space needs because technology allows attorneys and staff to work from home. Cloud-based document storage doesn’t demand the physical space once required for the paper detritus of the legal practice.
According to commercial real estate brokers with expertise in law firm office space, firms have been downsizing for some time – and the trend is expected to intensify post-pandemic. It’s anticipated that firms will increasingly implement a hybrid model where employees schedule the use of a community workspace or a conference room, but otherwise work remotely. This provides the opportunity for collaboration and meetings with clients in a professional and inviting setting – think chic hotel lobby – while reducing the real estate footprint and attendant expense.
Despite the occasional mishap of appearing in virtual court as a cute kitten, the legal profession has progressed in dog years with respect to the use of technology during the pandemic. Remote hearings provide greater access for certain types of cases and hearings. Litigants and their attorneys are saving time and money by not having the hassle of travelling back and forth to court. It’s easier for litigants to attend hearings remotely without having to take off as much time from work or to arrange for child care. Corporate clients are now accustomed to remote environments and online meetings. Many companies, such as Salesforce, American Express, and Microsoft, have reverted to permanent work-from-home arrangements for some employees. A silver lining of the pandemic is that the legal industry has had no choice but to embrace technology. So, what will the practice of law be like in the next twenty years?
Fortunately, we don’t have to guess how technology will transform the legal profession in the years to come nor do we need to rely on a DeLorean time machine with a mad scientist sidekick. Thomson Reuters Corporation has a forward-thinking technology specialist on the payroll with the title of “Futurist.” Joseph Raczynski is a Technologist & Futurist, Manager of Technical Client Management for the cutting-edge legal products and services company. Raczynski, who is based in Washington, DC and focuses globally specializes in the future of technology and its impact on the legal profession. He has expertise in cybersecurity, blockchain, artificial intelligence, cryptocurrency, and drone technology. Raczynski also hosts a popular podcast, The Hearing, which focuses on legal innovation.
After talking with this fascinating tech expert via halo-conferencing (not really, but made you wonder), it’s clear that technology will play a significant role in the future of the practice of law. While firms were pushed to adapt and use new technology during the pandemic, some firms that have operated for decades with little change, may revert back to that mindset. Firms, however, that buck the system and invest in technology will thrive in the long term. According to Raczynski:
Firms that are willing to embrace technology will provide better services for their clients. They will be better able to quickly sift through and digest immense sums of information. “In the decades ahead, data and services to understand that data will reign supreme,” Raczynski predicts. Facing pressure from corporate clients to cap rates and reduce billings, some firms are incubating legal tech companies to speed development of software and other products to facilitate the efficient delivery of client services. Those that are successful will license their internally developed tech services to other firms or sell the technology to companies. Either way, these entrepreneurial firms are generating new revenue streams while developing tools to better serve their clients. For example, national plaintiff personal injury firm, Parker Waichman, developed case management software, which it licenses to other firms to help them manage mass tort litigation. Not to be left out, smaller firms are banding together in collaborative settings to invest in technologies together that they wouldn’t be able to manage financially on their own.
With insight from Raczynski, let’s zoom ahead for a glimpse into the future.
Raczynski predicts that current roles undertaken by attorneys will change significantly over the next twenty years. “Much of the rote work being performed now, will be gone,” he says. “That said, many new facets which we haven’t even conceived will likely supplant some of those activities.” Certainly, AI imbued eDiscovery tools will be the norm for document review. This technology eliminates the “amounts of eyes on pages,” he says.
AI and machine-learning will continue to facilitate and expedite research and trial practice. Raczynski describes how attorneys will have computer applications at their . Research platforms will have semantic and nuanced understanding of the actual meaning of legal opinions and will go well beyond key-word matching. The applications will quickly access every case and ruling on point and “spit out decisions,” which will likely be “the final decision,” or at the very least be “augmented intelligence” to assist the judge or jury, he predicts. Litigation will become less burdensome and more efficient for the majority of cases. Perhaps, too, this will result in significant financial savings to clients. Interestingly, Raczynski anticipates that technology will reduce courtroom drama as finders of fact will make decisions based on data – and be less influenced by attorney performance. Courts will be virtualized with mixed reality 3D glasses for the judge and jury that will bring crime scenes, accident reconstruction, and other cases to life.
Outside of the courtroom, Raczynski anticipates that technology will automate transactional work. While contract negotiations will still exist, “everything will be interactive, voice automated, templated, intuitive, and securely stored on a blockchain,” he says. Blockchain creates an immutable, digital record of transactions. It eliminates human error, which is commonplace in contract drafting. Retinal scans will be used to confirm the validity of executed documents.
Blockchain technology, according to Raczynski, will be run so that triggering language on this platform will automatically negotiate deals or execute contractual obligations. “What we are talking about is fully codified contracts,” he predicts, “with the ability to interact with factual data and either negotiate on its own, based on Party A’s and B’s preferences, or even self-litigate when something in the code goes awry.” While blockchain is still somewhat nascent and the stuff of computer scientists, it will transform global commerce and the practice of law.
Technology will also transform law practice management and allow attorneys to spend more time serving clients instead of handling administrative issues. Thomson Reuters conducted a study on time management and reported that with smaller firms, approximately 61% of their time was spent practicing law. The balance of their time was spent on the business of running the firm, which is crucial, but not a billable activity. The larger the firm, the less time spent on administrative work. In the future, law practice management will be facilitated through the use of a decentralized autonomous organization or DAO. This is a business model structured on self-executing smart contracts that function without the need for in-person decision-making. Smart contract governance doesn’t require boards of directors or firm management committees to meet, analyze data, and make decisions. Rather, a DAO outsources the analysis through smart contracts allowing for token-holder network consensus. Voting attorneys would hold tokens based upon their seniority, billings or pecking order status.
Admittedly, much of this technology is difficult to explain let alone visualize in practice. However, there are steps that law firms should be taking now to better position themselves to be able to leverage emerging technology. “Opportunity abounds in the legal market right now,” Raczynski says. He portends a golden age for the practice of law: the intersection of where the legal industry marries technology. While firms of all sizes were once reluctant to spend disposable income on technology – even on network security – large firms, in particular, are starting to increase their IT spend and budget for the future. Planning and budgeting for the proactive use of technology are key first steps.
There has been a significant shift in law firm operational budgets allowing for an increase in technology spending. As attorneys have become more technologically advanced, there has been less need for clerical staff to draft pleadings and correspondence, perform filings, mail letters, and other tasks. Younger lawyers, who have never used a Dictaphone or fax machine, have long been drafting their own briefs. Since the recession in 2008, firms have been increasing attorney-to-clerical ratios and spending less on clerical support staff. A legal secretary, who once supported one or two attorneys, is now working with eight or more. As described earlier, firms are spending less on their office leases by reducing square footage. Technology has filled the void left by these drastic operational changes, while freeing up cash for reinvestment in IT products and infrastructure.
Importantly, technology also levels the playing field. Solo and small firms are poised to benefit as the cost of technology decreases. “If they decide to embrace technology, Raczynski says, “it enables them to automate, find answers quickly, and respond to their clients with aplomb.” He recommends that solo and small firms connect with the growing LegalTech community to see how they can learn, interact, and leverage new ideas to benefit their practices. Additionally, law schools are excellent sources for technology training and incubating new ideas.
In Tomorrowland, there will be significant opportunities for tech forward iGeneration attorneys. Law school graduates, who grew up with mobile devices in their strollers, will have key leadership roles. Attorneys with degrees in engineering, network security, computer science and coding will be valuable hires. As technology is second nature for them, they can undertake important IT operations and reverse-mentor firm members who aren’t as tech savvy.
Finally, corporate clients aren’t going to wait for their hometown attorneys to become comfortable with emerging technology – especially when some firms are deploying high tech tools in their practices. Corporations are investing in their own technology infrastructures and expect the same commitment from their professional service providers. They also expect law firms to engage in vigorous network security to protect sensitive client data from malicious actors, which is a real threat. Ideally, law firms will automate routine research, drafting, and discovery review, so that attorneys can focus on customer service, including responsive and timely communications, learning about their clients’ unique business needs so they can be proactive instead of reactive, and cultivating new client relationships.
There is no time like the present to prepare for the future. Attorneys should attend technology conferences, network with legal service vendors, join cyber law committees, and connect with futurists like Raczynski to gain a better understanding of the technology that is already transforming the practice of law. Learning something new will feel uncomfortable at first, but it will get easier. The DeLorean is idling out front and ready when you are.
Originally published on Thomson Reuters, Legal Institute.
By Joseph Raczynski
The pandemic was “the great equalizer” for the legal industry, combining the good from before with the great from the now.
A recent half-day virtual event, Legal Geek Presents Thomson Reuters Takeover, underscored this idea and offered a glimpse into the latest legal insights on the future of the legal profession and the impact of the opportunities arising in legal technology.
Lizzy Duffy, Senior Director of Global Client Services at Thomson Reuters Acritas, gave a sharp keynote that cut to the heart of the changes we all experienced during the pandemic over the last year. She shared the vision we lived, a sense of humanity, where we peered into each other’s homes, met pets, and universally heard one of our colleagues quip, “You’re on mute!” Raising important lessons from this time, Duffy focused on the positive, examining what we can learn from the last year and how we can push away the unhealthy habits we once had.
Turning toward numbers — since Duffy specializes in data around current legal trends — she said one major lesson of the pandemic (and potential benefit) is the renewed focus on doing more with less. Over the last year, the pandemic created a surge in work for law firms and corporations, specifically around contracts and financing. Alas, legal budgets did not grow in tandem, she said. While corporate general counsel experienced an uptick in disputes, for example, the spending did not follow, Duffy said, identifying an imbalance in legal organizations desire to provide more to clients and customers, but doing without any increase in resources. The pinch of the increased need for services coupled with less resources became real in lockdown.
Law firms also have refined their drivers as a result of the pandemic, according to Duffy. The parameters now include, what is delivered, how it is delivered, and who is delivering it. First, law firms have to distinguish themselves with what is delivered, by offering highly specialized, experienced talent, while also increasing their range of services provided. Second, technology and thinking innovatively greatly influenced how it is delivered, and leveraging alternative resources were accelerated. Third, diversity, equity & inclusion (DEI) became an important standard for all parties as to who is delivering it, while trust and personal relationships — seemingly omnipresent, were even more important in a virtualized environment for clients and law firms.
The struggles highlighted during the keynote demonstrated a divide between virtual and in-person experiences. Acritas found that 15% of practitioners experienced an overall deterioration in their perspectives by being less efficient and productive, missing collaboration with colleagues and learning opportunities. Conversely, 34% said they felt they were more efficient, enjoyed leveraging technology, and felt more productive.
Duffy noted our human existence of commonalties, yet juxtaposed our differences. In the end, the path forward is a hybrid approach, where law firms and corporations acknowledge these different experiences and adapt to allow individuals the latitude of picking their own Tao-ish professional path towards balance, flexibility, and order.
In the session Now What’s Trending?, Rawia Ashraf, Senior Director of Legal Practice and Productivity, and Jim Leason, Vice President of Customer Proposition, both at Thomson Reuters, led a discussion making sense of the latest trends in legal technology. They dove into a panoply of topics including, working from home, alternative legal service providers, the Cloud, and transaction management.
Ashraf recalled a conversation she had in 2018 about Cloud adoption, where a leader in the industry mentioned that it was going to take a pivotal event to push the legal industry fully into the Cloud, thinking it was going to be a major security breech. It ended up, of course, being COVID-19.
During a participant poll in this panel, Ashraf asking attendees what percentage of law firms were not comfortable with the Cloud, based on the 2020 ILTA Technology Survey. While most respondents thought it was 28%, Ashraf informed the audience that it was only 11%. Clearly Cloud technology has grown in importance over the last handful of years, and this was greatly accelerated over 2020.
Another issue that Leason and Ashraf tackled surrounded cost. With projected real estate footprints falling, where do the unallocated savings go? Leason believes a good percentage will be invested in technology; and with a multitude of newer applications and services coming into play, it is a natural progression for efficiency and productivity in the marketplace.
Lastly, Legal Geek brought us breakout sessions around artificial intelligence, discussing ethics and contract review, which are strong themes in machine learning. The session highlighted Thomson Reuters’ recently launched AI Principles, a set of guidelines designed to ensure the organization is promoting the ethical research, development, and adoption of AI. Given the bias that can be found in various algorithms which can be greatly exacerbated by AI, it was comforting to learn the industry is conscious and actively doing something.
The Legal Geek event really brought home that 2020 has been a time to reflect, learn, adapt, and adopt. While we all have commonalities in our goal of serving a client, we may do it differently. Leveraging technology, what we have learned about ourselves, and tapping into our own basic nature will make the path forward easier and better for everyone. That will be especially true if we can embrace the flexibility we have recently enjoyed and combine it with the good of the old, thereby creating a healthier ecosystem that’s well enabled by technology.
I had the privilege of being selected to report on how ILTA (International Legal Technology Association) did on their predictions from 2013 up to today, during their 2020 ILTA-ON Conference. Even more fun, predicting what technology and LegalTech will look like from 2020-2025, and then going out to 2060.
Remember back when we had ‘Law Firm 2020 predictions’? In the first part of my ILTA-ON presentation, we will go ‘Back to the Future’ reviewing past predictions to see what came true and what we got wrong. Then, we will blast into a journey of what LegalTech looks like in the next five years. Lastly, for those who get motion sickness, grab your Dramamine, because we will take a 1.21 gigawatts ride, shooting into the future. We will predict what the technological and legal landscape will look like in 2030, 2040, and into the Singularity! Great Scott!
Part 1 – Jump Ahead (9:17): Grading the Law Firm 2020 report from 2013: https://youtu.be/UgyDyBSJ3AA?t=558
Part 2 – Jump Ahead (22:55) Predictions for 2020-2025: https://youtu.be/UgyDyBSJ3AA?t=1377
Part 3 – Jump Ahead (40:17) Technology Predictions 2030, 2040, 2050, and 2060: https://youtu.be/UgyDyBSJ3AA?t=2419
I spoke with Gail Gove, General Counsel at Reuters who takes us behind the scenes of the case that grabbed the world’s attention in 2018: the incredible story of Reuters journalists, Wa Lone and Kyaw Soe Oo, who were imprisoned in Myanmar while investigating reports of mass murder. Gail and I talk about the all-encompassing nature of the work and what it’s like to work with one of the most famous lawyers in the world, Amal Clooney.
Starting out as a civil rights lawyer, Gail speaks of the importance of looking at legal issues through a wide-angled, global lens, the minefield of media laws around the world and the importance of having robust journalism.
Listen on Google: https://podcasts.google.com/feed/aHR0cHM6Ly9wb3J0YWwtYXBpLnRoaXNpc2Rpc3RvcnRlZC5jb20veG1sL3RoZS1oZWFyaW5n/episode/aHR0cDovL2F1ZGlvLnRoaXNpc2Rpc3RvcnRlZC5jb20vcmVwb3NpdG9yeS9hdWRpby9lcGlzb2Rlcy9FcDUzX0dhaWxfR292ZV9taXhkb3duLTE1OTA3NDkwMzM5ODcyOTc3MTAtTXpBME9EQXRNemMwTXpVNE1qaz0ubXAz?ved=0CAcQ38oDahcKEwj41-eKoObpAhUAAAAAHQAAAAAQAQ
This was originally posted in The Legal Executive Institute.
By Joseph Raczynski
Major credit for these events goes to the respective Field teams in Boston, New York, and Hartford as well as home office – Marketing – on pulling these off with aplomb! A special thanks to the Thomson Reuters Labs for their deep knowledge and expertise. Hopefully, all contributors are listed below. Many thanks!
Recently I had the good fortune of moderating three different Thomson Reuters-sponsored panel discussions on emerging technology in Boston, Long Island, N.Y., and Hartford, Conn. The events filled rooms to capacity and focus of the discussion was around how emerging technology is transforming the legal industry.
At each event, the panelists and attendees engaged around the impact of Artificial Intelligence, Blockchain, data analytics, Virtual Reality, and ‘bots on the practice of law. Before diving into each topic, I set the stage for this conversation by teeing up the sweeping technological changes mankind is grappling with and attempting to balance today.
Boston: Using VR in Court
Among all of the hot topics discussed at the Strega Waterfront location, Virtual Reality was an area of specific interest to the audience. One attendee discussed how one law firm is using VR to help at trials. He described a jury donning their headsets and then being fully immersed in a crime scene. With each head turn they could see a hypothetical victim on the ground and discarded weapon nearby.
The panelists for this event — Marc Lauritsen, Legal Knowledge Systems Architect at Capstone Systems; Oliver Silva, CEDS and Litigation Support Manager at Nutter McClennen & Fish; and Brian Ulicny, Senior Director of Thomson Reuters Labs — also dug into the growing importance of data analytics in the legal industry. A consensus by both the panel and Managing Partners and COOs in attendance: Analytics is becoming vastly more important to law firms. One panelist remarked that while the longing for these tools is real, the reality is that there is currently a dearth of robust options available.
Long Island, NY: the Growing Impact of Blockchain
This event brought together a wide cross-section of industries and included corporate, government and law firm professionals. Held at Seasons 52 in Garden City, one area of particular interest to this group was the legal impact of Blockchain. The panelists here — Carol Challed, Vice President of Business Operations at Henry Schein; Dr. Theodoros Zanos, Professor and Lab Head for the Neural Decoding and Data Analytics Laboratory at the Feinstein Institute; Valerie M. Cartright, a Long Island Councilwoman; A. Jonathan Trafimow, Partner at Moritt Hock & Hamroff; and Nick Jarema, Head of Strategy at Thomson Reuters Labs — dove into how this technology will impact their respective industries.
Challad stated that from the corporate world, there is no question Blockchain will create efficiencies in supply chain management and order fulfillment. Councilwoman Cartright warned that her constituents and town government are holding off on this technology for now. She surmised that blockchain is in its early days and they do not have a bent on being early adopters. Trafimow spoke about how this technology could make things more secure with respect to cybersecurity down the road, which could help law firms. Lastly, Jarema mentioned that at the heart of Blockchain is security and transparency, which could serve all industries as it evolves.
Hartford, Conn: How Fast will AI Come?
Held at Max Downtown, this discussion centered on Artificial Intelligence (AI) as well as Blockchain. After level-setting on the definition around AI, panelists Zac Kriegman, Senior Data Scientist at Thomson Reuters Labs; Gail Gottehrer, Partner at Akerman; Edward Chang, 2VP for Cyber Risk Management at Travelers; and Judge Ron Hedges, Senior Counsel at Dentons, bantered about their perspectives on the topic.
Judge Hedges was skeptical. He likened AI to the early days of TAR (Technology Assisted Review, for eDiscovery) and said we have to keep an eye on how the courts will view it. Gottehrer was equally as skeptical about the immediate timeline of AI, but prudent in her assessment that this will be impactful to the legal industry, but probably further out than we expect.
Kriegman, talking about how TR Labs said they are testing many Proof of Concepts in this space to better understand how algorithms can be leveraged in many facets of legal and beyond. Chang touched on how AI will hopefully better secure our data within a law firm or corporation. Lastly, with respect to Blockchain, we delved into the ICO (Initial Coin Offerings) — think IPO, which have been making a major splash during the last year. It is the new way for companies to raise money leveraging the Blockchain, without the cost of investment bankers.
Moderating these three panel discussions on emerging technology in the legal industry with so many experts from distinguished backgrounds was an incredible honor and experience in each city. Certainly, these topics are front of mind for many within the legal industry.
My personal take-aways from these discussions were that the antennae are up for everyone on AI. There is fear, skepticism and then the questions of how, when, and what can we do to leverage it? On the Blockchain front, mouths tend to be agape. Many more industry players are aware of this technology now compared to when I spoke about it 12 months ago, but people are still coming to grips with how it can be used. When it comes to data analytics, clearly the technology is there, it just has not been especially well built out in legal… yet.
By Joseph Raczynski
An article of mine on blockchain published on the Wall Street Lawyer:
By Joseph Raczynski
Surprisingly the vendors in cybersecurity differ on their approaches to protecting your law firm. At the ILTA LegalSEC Summit 2015 in Baltimore, MD they had a panel discussion on how each vendor tackles the ever bounding threats. For background when this post refers to endpoint security I am describing securing the user at the device level; i.e. the mobile phone or individual’s computer.
Gal Badishi of Palo Alto Networks started off his analysis with ominous statistics. On average a firm does not recognize that they have been breached for 225 days after the initial strike. In addition, of those attacks, 84% are found by third parties. His primary theme throughout the conversation to counter these attacks was the proper implementation of a “Next Generation Firewall.” This is defined on Wikipedia as “an integrated network platform that combines a traditional firewall with other network device filtering functionalities such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and/or other techniques such as SSL and SSH interception, website filtering, QoS/bandwidth management, antivirus inspection and third-party integration (i.e. Active Directory).” (Wiki, 6/14/2015)
Keith Palumbo of Cylance fascinated the audience with a unique and futuristic tact to cybersecurity for law firms. They use a form of Artificial Intelligence to uncover and deflect penetration from malicious intruders. In fact Keith described the use of mathematical endpoint solutions including algorithms to help predict what types of “ones and zeros” will be malicious based on like or similar files. Their equations employ similar processes financial institutions have devised for rapid electronic trading. The cutting edge autonomous driving cars also operate under similar algorithms. What fosters this is the utilization of extremely efficient computers and their prowess in mathematical processing. In essence, Cylance collects samples of viruses, extracts common features in the code then transforms that code into feasible branch code. At this stage the software vectorizes the viruses to then train the system on what might arrive at the firm’s door. Finally it classifies the virus and clusters it into a defined grouping for future learning.
The third speaker, Harry Sverdlove of Bit9 begin his discussion with the statement that, “antivirus protection is almost pointless.” He noted that what firms have been employing for the last 20 years with virus detection through updates is dead. With the number of virus on the Internet, there is no feasible way to scan, collect, submit and maintain a log of the rapidly changing viruses.
Harry suggested that each firm start from the assumption they are or will be breached. He painted an example of a house that a thief gains access to daily. If you think about it in this sense, prevention of that thief from entering is no longer enough. Firms must invest in detection and response. Most firms do not have systems that seek out real-time detection mechanisms. This lends itself to much longer periods of time that the thief remains inside the firm’s firewall. If the initial firewall breach was not detected by the firm, that intruder could remain inside for significant periods of time.
Ultimately the three panelist concluded that a three pronged approach to endpoint security was necessary; prevention techniques, detection once the breech has occurred, and lastly creating a documented response using various tools and processes. Whatever solution, they all suggested turning your firm data (logs, user profiles, patterns of access) into intelligence. If you set precedents for how people access your network, you can identify the variance and seize the thief.
Wikipedia, Next-Generation Firewall, 6/14/2015, https://en.wikipedia.org/wiki/Next-Generation_Firewall
By Joseph Raczynski
The 5th Annual Law Firm CFO/CIO/COO Forum
As law firms continue to appreciate the significance of creating an understanding surrounding security and risks, this starts with a sharp focus on talent and culture. The first component that the panel discussed during the Data Privacy, Security & the Globalized Law Firm CFO/CIO/COO Forum, surrounded protection and prevention methods.
Protection and Prevention
Barry Strauss, COO, Elegrity; Curt Cunningham, CIO, Fragomen; Michael Lewis, CIO, Hogan Lovells; Ramound Umerley, CDPO, Pitney Bowes had a very engaging discussion about how firms can best protect their data. In the beginning stages firms should prioritize their assets. What documents, emails, IP, databases, software, and services are most important? As new data arrives, the firm should exam the process. How is data stored, transmitted and deleted? The process for each aspect needs to be examined carefully. The firm has to be mindful of both structured and unstructured data and in addition, understand and follow the rules for national and international compliance of this information.
Several of the panelist suggested that every firm should conduct its own network penetration tests. Michael Lewis, of Hogan Lovells recommended firm’s design phishing emails to see which employees are actually clicking on those links. Another aspect he mentioned was to review data retention policies. Are these policies industry standard? Michael Lewis also advocated that firms take a baseline network traffic reports from all offices. Once established, that can be compared to any unusual traffic on your network setting off alerts to anomalies and a possible compromise.
Some other protection and prevention methods:
- Use encryption everywhere that you can; email, documents, databases, SAN
- Web Application Vulnerability Testing
- Mobile Device Management – separate data on their BYOB
- ISO certification and accreditations
Another critical aspect of firm culture is incident response. The panel discussed the need to have a cross functional team in place for when the cyber-attack occurs. This group should include many of the following groups; Communications, HR, BD, HR, Managing Partner, IT, Audit, and Info Security. A suggestion that hit a cord with the audience was accessibility to your vendors. That is the ability to contact a vendor no matter what time of day or night. Get the phone number to a real person who is accountable. They emphasized that this should be negotiated and arranged in the contract. Lastly, once an issue is complete conduct a retrospective of the attack and defined learnings for the next event.
In an age where law firms are clearly in the sights of cyber criminals there is a need to act. Law firms are aligning their understanding of security and risks directly with the need for a sharp focus on internal talent and culture. Protection, prevention, and incident response methods are a major component of safeguarding the firm’s assets. The panel closed with their three most important take-aways; prepare technologically, educate your staff, and create clear processes.
By Joseph Raczynski
The 5th Annual Law Firm CFO/CIO/COO Forum
The scope of the threats to law firm data is global. In this panel discussion at the Data Privacy, Security & the Globalized Law Firm CFO/CIO/COO Forum, a country by country breakdown of dangers were discussed while the audience absorbed the magnitude of the panels concern.
Eben Kaplan, Senior Consultant, Control Risks; Josh Goldfarb, CTO, FireEye; Jay Healey, Senior Research Scholar Columbia University; Robert Knake, Senior Fellow for Cyber Privacy, Council on Foreign Relations; Daniel Sutherland, Associate General Counsel, Homeland Security demonstrated that each entity had various motives and techniques for cyber-attacks.
Who, Why, and How?
Who: China – They have a defined plan with tactics and procedures.
- Why: They are primarily seeking intellectual property with a new focus on firms that retain such information, especially those with newer IP clients (Target: Silicon Valley – DC based firms)
- How: They focus on social engineering
- Text messages, Spear fishing
- Looking for the weakest link at the firm – someone who will click a link
- Watering hole attack – In this tactic, China compromises a trusted third party site so the primary target would not suspect it and then in turn it becomes infected. Example: A famous Think Tank’s website is compromised – Big Law firm goes to the site and gets infected… the target was the Big Law firm and they got infected indirectly.
Who: Russia – They are one of the most experienced countries at hacking.
- Why: Money, but increasingly they are focused on IP, so law firms should be aware of this.
- They are quieter and more careful than China
- How: They are using more BotNets, worms and malware than China
One interesting concern expressed on the panel is that Russia is very worrisome for the United States at the moment. The rule of thumb was that countries which could hurt the US years ago did not because they did not have a desire to do so. On the other side, those who wished to do harm did not have the bandwidth. This has changed. Putin is leading Russia down the road of an attack on the US, and they have the skills and bandwidth to do significant harm.
Who: North Korea – They are still new in this arena but improving quickly.
- Why: Political
- How: Uniquely North Korea is buying its capability to attack from the Dark Web, or hackers for hire. They used black hat hackers to launch the Sony attack and it was very successful.
- They are brazen in their approach but until recently have not been as interested in law firms.
Who: Iran – They too are improving quickly
- Why: Political
- How: They have started leveraging worms that were used on them by other countries like Israel.
The Saudi Aramco Wiper Worm was a virus/worm supposedly created by Israel and launched on the Saudi company’s network. It reportedly wiped clean 75% of the world’s most profitable company’s computers and left only an image of a burning American Flag. Iran may have adapted the worm from something that had been launched on them years before by Israel.
The thrust of the panel discussion were that the threats to law firms are far and wide. While some nation states have not traditionally sought out law firms, there is keen interest in IP and M&A information. In closing Josh Goldfarb, CTO, FireEye mentioned some startling statistics. While they were installing hardware on their customer networks, many of which were law firms, they found of 1,216 customers tested that 97% of them were compromised. Even more fascinating was that 25% of those compromised networks were by other nation states. This underscored the importance of understanding who is knocking at your firewall and what they are seeking.