The FBI has warned the nation’s top law firms about beefing up internal security practices and the threat posed by nation states looking to swipe sensitive data from their networks.
Law firms are ripe targets for hackers seeking private data to trade on or information that will give them commercial or military advantage, David Stanton, a partner at Pillsbury Winthrop Shaw Pittman LLP, told a packed room of International Legal Technology Association educational conference attendees on Monday in Nashville, Tenn. Stanton, who works in his firm’s Los Angeles office, noted that lawyers are also soft targets for hackers, and IT is charged with protecting lawyers against their own weaknesses.
But what happens when the first major hack against a law firm is discovered and made public?
“None of you, nor do I, want to be that law firm,” said Martin Metz, CIO of Nashville-based Pillsbury Winthrop Shaw Pittman, who also spoke at the ILTA session. “Can we all say that we’ve closed every door and battened down every hatch? No.”
Even firms that think they have addressed every security risk will quickly find there are other vulnerabilities they weren’t aware of. That’s why Metz says cybersecurity is a journey, not a destination.
The Rise of Information Governance
As law firms amass and retain more data, securing information becomes more difficult. The volume is greater than it has ever been, and there is pressure on firms to better understand where data are produced, whether data have been moved or accessed, and by whom, speaker Jeffrey Brandt, a principal at PinHawk LLC, told the ILTA audience. Brandt is also editor of PinHawk's Law Technology Daily Digest.
When Brandt asked how many firms have petabytes of data, only a couple of people at the session raised their hands. “This is the future,” he said. “Smaller firms, this is the future. You’re going to end up with petabytes of data. You’re going to need methodology to manage and control it, and that’s going to be information governance.”
The truth is that law firms’ IT departments helped to facilitate some of the chaos that has come from the creation of more data and more silos of information, Brandt noted. “What happened when partners wouldn’t delete emails?” he asked. “We went and got bigger servers.” Technology professionals made it easier to keep the status quo as the amount of data grew.
But that’s changing, Brandt explained. Information governance empowers IT departments to take a tougher stance against attorneys and ensure that convenience does not trump good security hygiene. Some firms have reached a tipping point and are saying no to partners, he said. At those firms, “there are no exceptions when you’re talking about security, when you’re talking about management and processes.”
Information governance is critical for legal IT departments, Metz said. “Information governance is probably the most important thing we can do. It was our past, although we lived in a world of chaos. It is here. It’s now. And believe me, what we do beyond here today, information governance is going to be central to.”
“The word governance is going to create some controversy because lawyers don’t want to be governed,” he said.
But IT departments must find a way to bridge the gap with lawyers and other staff at their firms. “Ultimately, lawyers find a way to serve their clients,” Metz told the audience. “We either make it easier to serve their client or … harder.”
Solutions can’t be created in isolation by the IT department. There must be buy-in from users, according to Stanton. At his firm, he said, specialists and technical experts worked with attorneys and staff on a steering committee to guide the adoption of a holistic document management environment.
Using Standards to Measure Security Practices
Metz recommended that firms use security standards developed by organizations such as the International Organization for Standardization or the National Institute of Standards and Technology. He encouraged law firms to have independent auditing firms measure security practices against those standards because it gives them a benchmark.
Firms should look at any exposures identified and prioritize countermeasures that will give them the biggest win, Metz said. Enforcing two-factor authentication may be one of those priorities.
“If you’re not doing encryption, if you’re not closing off USBs, if you’re not doing things to prevent data leakage, those will be high on your list,” he added.
Security audits used to be three pages long at most, Brandt recalled. Today, they are 30 to 40 pages long. There’s also more pressure from clients, such as banking institutions, to beef up law firm security and prove it.
The good news is that IT departments are starting to see a greater willingness from their firms to invest in security. The massive data breach discovered by Target last year and other major events have put the spotlight on cybersecurity.
“What was the expression that was used by [President Barack Obama's former chief of staff] Rahm Emanuel? … ‘Never let a good crisis go to waste,’” Metz told the audience. “And we have that crisis now in our industry.”
To get more news on what's happening at ILTA, follow all of BizTech's coverage from the show by visiting our ILTA 2014 content hub.