Driver looking under the car hoodI had a nagging worry that something was wrong with my car, so I finally decided to take it to the dealer.  I couldn’t exactly describe my concern, except there was an intermittent, “funny noise” coming from somewhere in the front end.  An unscrupulous dealer would have taken me down a long path of parts replacement, beginning with tires, then wheels, then tie rods, and on and on, perhaps never fixing the real problem.  Fortunately, my dealer was honest and performed diagnostics, ultimately discovering that the rack and pinion was failing.  The part was under warranty, so the repair cost me nothing and my funny noise is gone.

Was my worry constructive?  Yes.  It also went hand-in-hand with my own risk assessment.  What were the chances that the noise foretold a failure that would cause an accident?   Would I or others be hurt in the accident?  As it turned out, a failure could have been catastrophic.   In this scenario, I could prudently act on my worry because I had a basic understanding and control of the situation.  But it’s not always easy to act on worries—particularly if you don’t understand the issues or potential risks.

It’s reasonable these days for everyone, particularly lawyers, to have a nagging worry about information security.  That’s where independent risk assessment comes in.  Most lawyers know just enough about accounting and finance to help them profitably manage their firms, calling in experts when needed.  The same should be true for information security.  An independent security risk assessment not only identifies risk, it also helps to educate regarding likely threats and vulnerabilities. Continue Reading Security Risk Assessment: You can’t fix what you can’t see.

Bear Chasing MenAs explored in last week’s posts, the bad news for law firms is their challenging data security threat environment.   On the other hand, law firms that meaningfully elevate their security posture, thereby outrunning less-secure firms, can enjoy good news, including increased revenue, better-controlled expenses, and stronger client relationships.

Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable.  Understanding and countering these vulnerabilities is the key to transforming data security bad news into good news.

Why are law firms so vulnerable?

Law firms have highly valuable information.

Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners.  Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on.  In addition, law firms have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.

Many firms are behind the curve on data security safeguards. 

Despite their valuable information, many law firms are demonstrably lax in their data security posture.  Consider results of the 2017 ABA Legal Technology Survey regarding law firm data security controls:

  • Less than half of the responding firms have the following policies or plans that are important facets of the firm’s security posture:  computer acceptable use policy (48%); remote access policy (45%); personal technology use/BYOD policy (24%); incident response plan (26%); disaster recovery / business continuity plan (42%).
  • Only 60% of the firms have a formal policy or process to manage retention of data held by the firm, and only 40% have an official records retention schedule.
  • 28% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
  • Only 45% of the firms have file encryption tools, only 36% have email encryption capabilities, and only 21% have full disk encryption.
  • Among the responding firms that utilize cloud IT services, fewer than than half report using basic security precautions such as evaluating the provider company’s history (27%); reviewing the provider’s privacy policy (38%) or terms of use (34%); using only web-based software with encryption features (36%); or making regular local data backups (41%).

Why are so many firms behind the curve in their data security safeguards?  Here are ten factors to consider (warning – some of the below is not sugar-coated): Continue Reading Understanding law firms’ unique security vulnerabilities – the key to turning bad news into good news

Sunshine Breaking Through the CloudsLaw firms face significant data security threats.  But there’s good news for law firms on data security.  When firms are serious about their data safeguards and take concrete steps to strengthen their security profile, they better position themselves for higher revenue, lower and better-controlled expenses, and stronger client relationships.

As always, context matters.  The legal services industry has changed dramatically in the last decade, with private practice law firms facing (a) increased competition from nontraditional providers and technology-driven service models; (b) the Internet-driven dissolving of historic barriers to remote service delivery; (c) the post-recession tightening in companies’ outside legal spend; (d) the shift of work to in-house legal staff; (e) the ongoing consolidation of client work in fewer, preferred law firms with geographic bench-strength or industry/specialty focus; and (f) the resulting pressure on mid-sized firms to scale/merge up or specialize/boutique down.  There’s no viable “let’s simply wait it out” option in the face of these trends.  In short, it’s now a far more competitive world for attracting and retaining clients.  There will continue to be winners and losers, but now the margin of difference is more slim.

And this is the “there must be a pony in here somewhere” epiphany – in this highly competitive environment, strategic improvement in a law firm’s data security posture can, more than ever before, make a huge difference.

Here are three examples of how better data security is a strategic win for law firms: Continue Reading Good news on law firm data security

Threatening dark clouds covering the skyIt all seemed so routine, so straightforward.  The case was settled, with a $500,000 payment to be made to the approved settlement administrator.  The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions.  Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated.  Poof – gone in an instant.

Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions.  But how did the bad guys know precisely when and to whom to send the phony email, and exactly what to say?  Was it from publicly available information in the court file?  Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator?  Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials? Continue Reading Bad news on law firm data security

Magnifier On Computer KeyboardSometimes one needs to zoom in to understand the big picture.  This year we’ll continue to explore Information Governance, but through the lens of a particular industry segment – law firms – and a particular focus – data security.

Why law firms?  Well, for a couple reasons.  First, a weak link for many companies is applying Information Governance to their service providers, and private practice law firms are key service providers to companies across all industries.  Second, many law firms have a ways to go in fully embracing Information Governance for themselves, and on their clients’ behalf.

And why law firm data security?  Law firms have highly valuable information, and they are especially vulnerable to security exploits and incidents.  Many firms are behind the curve in their security posture.  The resulting risks and exposures are significant, both to the firms themselves and to the clients they serve.  Also, law firms that take the steps needed for improved data security find themselves far down the road toward more effective Information Governance generally, which is a boon to the firms themselves and also to their clients.

So, here goes.  We’ll first look at the current realities of data security in law firms, touching upon both the bad news and the good news.  Next, we’ll focus on why security risk assessment is absolutely crucial for understanding the data security risks (threats, vulnerabilities, repercussions, and likelihoods) for law firms and their clients, and for prioritizing what must be done.  From there, we’ll take up essential components of law firm security, including security policies; data retention and disposal; technical, physical, and administrative controls; monitoring and testing; training and awareness; incident response preparedness; and cyber insurance.

Along the way we’ll explore key considerations for both on-premises IT configurations and cloud environments; the unrelenting rise in connectivity and remote work; and the explosion of new apps and tools, coupled with the increasingly consumerized expectations of law firm lawyers and staff.

Lots to cover, for the benefit of law firms themselves and also the clients they serve.  Stay tuned.

Security dial turned to highest settingHow time flies.  Seventeen years ago, I went to work for a small, visionary company based in Seattle—Computer Forensics, Inc.   Indeed, the founder was so early in the e-discovery and forensics industry that our URL was forensics.com.  Laptop drives typically had 8 GB of storage, and servers were more often than not simply a bigger box that sat in a closet.

Lots has changed since then.  New technologies, expanded data sources and media types, and more raw data have flooded consumer and business marketplaces alike.  We’ve all seen the scary statistics on increasing information volumes and the security risks that follow.  Unfortunately, our controls for the creation, management, retention, and disposition of those data have not kept pace.  Yet how we manage our data on a day-to-day basis goes also to the heart of how we protect our data and ensure that our information assets are secure from theft or compromise.

During my years at CFI and since, I’ve found myself pondering “what if?” questions.  What if we only had to protect 20% of our information?  What if clients could take dollars earmarked for e-discovery and increased storage and spend them instead on better systems and operational improvements?  What if a client faced with the reality of a data breach didn’t have to wonder how many unnecessary skeletons were now visible?  The promise of information governance is that we can answer these questions affirmatively.  This is good news, and more importantly, news you can use. Continue Reading Information governance – the foundation for information security

Fried egg on the sidewalk
“This is your information, ungoverned.”

2017 was rife with data dangers.  Nary a day passed without headlines of massive data breaches and ransomware attacks; Russian election-meddling through WikiLeaks and social media; fake news; and presidential tweet-storms.  Disruptive information-driven technologies continued to emerge, from block-chain to biometrics, IoT, AI, and robotics.  Meanwhile, the sheer volume of our personal and business data inexorably grew.

What better way to start 2018 than with a renewed commitment to Information Governance?  So, here are a dozen reasons why your organization should govern its information, in 2018 and beyond:  Continue Reading 12 reasons to govern your information in 2018

Charging ElephantOur firm’s elephant icon is a nod to The Blind Men and the Elephant, the familiar, age-old parable for how we often do not see the big picture, but instead only the parts we directly encounter. And so it goes for organizations’ data. Individual company functions and departments often have their own, limited perspectives on information, seeing only the risks and opportunities with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk.

I actually prefer a slightly different version, The Blind Elephants and the Man:

One day, six blind elephants were in a heated argument about what Man was like. To resolve their dispute, they sought out and found a man. The first elephant “felt” the man and then proclaimed “Man is flat.” Each of the other elephants, in turn, felt the man, and they all agreed.

The moral? Limited perspective not only yields limited perception – it can also lead to very bad results.

“Information Governance” has become an overused buzz-phrase, often trotted out as marketing mumbo-jumbo for selling technology tools.  In all the hype one can easily lose track of what it really means.  At its heart, Information Governance is no more – and no less – than making sure the organization sees the big picture of information compliance, cost, risk, and opportunity when making strategic decisions. Continue Reading Why govern your information? Reason #2: Your information risks and opportunities arise from a single source – your data. Your response strategies should be synchronized too.

Weird SportIt’s a common nightmare.  As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  it’s not only embarrassing – it’s downright dangerous.

This is not just a bad dream – it’s reality for companies possessing third-party data without clarity on what rules and responsibilities apply. Continue Reading Why govern your information? Reason #3: “Your” information may belong to others … and you’re responsible to take care of it.

Zuzu's PetalsFacebook this week announced its new social media application targeted at children,  Messenger Kids.  Designed to be COPPA-compliant, the text, video chat and photo-sharing app combines parental controls with all of the quirky features that tweens and younger folks will simply love, thereby ensuring Facebook will enjoy a next generation of engaged customers … and also their data.

The new app drops smack into the ongoing cultural debate over the wisdom of young children being exposed to regular internet and social media use.  Detractors of the new Facebook app note concerns about data collection and use.  The Wait until 8th campaign advocates for no smart phone use until eighth grade.  Notably, both Bill Gates and Steve Jobs limited their children’s access to technology.  And studies regularly link social media use with increased rates of depression among youth.

The notion is that young people should be protected from unfettered exposure to social media and the Internet until they are old enough to use these tools with responsibility and moderation.  Fair point, but a flawed premise: when it comes to responsible and moderate use of technology, we adults still have a lot of work to do. Continue Reading Forget petals – Zuzu wants a smartphone for Christmas