Enemies at the Gate: Responses to Data Security Threats at Law Firms

By Joseph Raczynski

The 5th Annual Law Firm CFO/CIO/COO Forum

In eerie silence, law firms could be breached as easily as JPMorgan Chase, Home Depot and Sony were by cyber criminals.  The difference with law firms is that few would ever know the sensitive data had been taken.  While law firms do not have to report such penetrations, we learned at the Data Privacy, Security & the Globalized Law Firm CFO/CIO/COO Forum that they must increasingly stay vigilant to avoid such a plight.

In the first panel discussion of the day, Mike Marsilio, Director of Security and Compliance, DTI; Mark Connelly, CISO, Thomson Reuters; Steve Katz, Board member, Glasswall Solutions; John Masserini, CSO, The MIAX Exchange; and Mark Olson, VP and CISO, Iron Mountain, focused on a few key data security topics.

What keeps them up at night?

John Masserini expressed several concerns which were shared by the rest of the panel.  Simply put, employees create significant anxiety.  What are they downloading?  What links are they clicking?  Are they plugging dirty, unencrypted jump drives into their computers?  All were in agreement that internal employees’ actions can cause the most harm to a network.

Other concerns expressed:

  • Regulatory requirements
  • Not having enough skilled people
  • Complexity of vendors’ systems, and vendors who are not mindful of security concerns

Answering some of these issues, Mark Olson of Iron Mountain offered a few suggestions.  There have to be processes in place.  Enact physical requirements on your data rooms, e.g. isolating buildings and spaces.  In addition, have vendors escorted into your buildings.  Knowing that you have to trust some vendors, log absolutely everything.  Do not allow jump drives unless they have been cleansed by your security professionals.  Ultimately, the mantra of the day was: educate, test, create and follow process and procedure, and retrain constantly to guard against breaches.

How do you speak with the partnership about security?

The panel discussion also touched on how best to convey the magnitude of security and risk to the firm partnership.  One distinction they made was that the Chief Information Security Officer (CISO) must show that the investment in IT is directly related to client retention and new business.  If there were a breach, the harm to the brand could be irreparable.  When explaining security, they suggested staying away from tech talk and painting a picture that non-technical people could understand.  The partnership tends to lean in when the CISO talks in financial terms.  When they do, IT should frame it in a fashion that shows “they know you know” the business is about making money.  The concept driven home was that security and risk are not a cost center but rather a retention and new business play.

As the panel closed the session, they emphasized that law firms are in a precarious position.  They are brokers of sensitive and important information (think IP and merger information), and to that end they are a massive target.  It is the responsibility of the CISO to put process and procedure in place and to pound the drum for employee education and awareness.  The unseen enemy is really those employees who are uneducated, unaware, and unwilling to properly care for the firm’s tools and technology, thus exposing the firm to outside attacks.

Law Departments and Cyber Security: Addressing the Scary Stuff

By Joseph Raczynski

Law firm security bears one of the softest underbellies within the world of professional services.  This alarm was sounded during an ILTA panel discussion on security with Michael Russell of Liberty Mutual, Brian Donato of Vorys Sater, and Natalie Fedyuk of KPMG.  The consensus from the group was that law firms have more potential exposure to threats because of their complicated handling of highly sensitive data that spans the full spectrum of Personally Identifiable Information (PII).

According to the panel, a recent investigation known as the Mandiant Report identified China as one of the largest threats to law firms from outside of the United States.  The evidence supports that the Chinese Army is attacking law firms because of their traditionally low levels of security and their highly sensitive information.  In one example, a law firm was attacked and the email addresses of military officers who were being investigated for atrocities in Afghanistan were released.

With countless successful breaches occurring, the panel focused on how to create better safeguards.

  • Manage Vendors: Do a risk assessment of your vendors. Make security part of the RFP process so that there are tactical steps to support a management strategy.
  • Governance: While security software is important, it is a small part of the whole. Make sure a process is in place to govern all aspects of data flow, access, audits, and compliance.

Establish information audits for internal personnel and vendors which include the following steps:

  • Input/Intake
  • Issue Questionnaire
  • Conduct Review
  • Complete Questionnaire and Report
  • QA Review
  • Issue Questionnaire and Report
  • Closing meeting with Vendor

Ultimately all firms should seek out best practices to protect themselves.  They recommended beginning this process by adopting and enforcing a security controls framework.  The LegalSEC “Top Ten” was considered the place to start for implementing proper controls as well as audits.

To counter the mounting threat of cyber assault on law firms, the panel stressed several salient points.  They stated that creating a very thorough risk assessment for all parties and establishing a governance process were most important.  They also highlighted the value of diligently seeking out best practices for data destruction and incident response, and of considering a cyber-insurance policy in case everything else fails.