From start to finish, a key theme on the first day of Legaltech 2018 centered on the issue of cybersecurity. From the opening keynote with former Secretary of Homeland Security Jeh Johnson, to the final speech by reporter and security expert Brian Krebs, the message was clear: data security is something that must be inherent throughout the very fabric of a legal organization.
Different Perspectives, but the Same Overall Message
Johnson noted every company has a responsibility to share information about threats. He applauded the formation of the Legal Services Information Sharing and Analysis Organization (LS-ISAO), which he called a model for other industries on how to share timely, relevant cyber and physical security threat information and analysis.
While he did not make connections to specific threats facing the legal industry, Krebs repeatedly cautioned that every company must plan for the inevitable attack. He particularly emphasized the threat that distributed denial-of-service (DDoS) attacks, which directly target websites, pose to corporations and their brands. Krebs knows what he’s talking about, too: his industry blog was hit with the largest DDoS attack in history in 2016.
Encryption and Protection Are Two Different Things, but Both Are Important
Throughout the day, most Legaltech attendees appeared to be looking at security primarily as it relates to the sharing of information between corporate legal departments (CLDs) and outside firms. Encrypting data both in transit and at rest is just as essential to data protection as is securing the data when it is shared. This is an important distinction that should not be overlooked.
A very basic level of enforced encryption goes a long way toward protecting data, and panelists in the cybersecurity session I moderated agreed both sides should see this as table stakes. As resources are allotted and expectations made clearer for CLDs, best practices will likely emerge, eventually resulting in two-way assessments of data security, both initial and ongoing. These assessments will take place throughout the relationship with outside counsel.
Cybersecurity Is Everyone’s Responsibility, but Roles Remain Undefined
Our session was about the need to focus on cybersecurity responsibilities throughout the organization, not just in IT. Studies have identified that law firms and their corporate legal counterparts are simply not spending enough time planning for security threats. That’s worrisome, especially considering cybersecurity threats rank as the greatest level of concern among GCs in the area of privacy and data security, according to the General Counsel Up-at-Night Report.
Part of the problem is that both in-house and outside counsel are not given clear direction on how their roles impact their organizations’ security initiatives. It is often vague as to where data security falls in their realm of responsibilities, or what resources are at their disposal to address privacy and data security. There is also confusion as to where cybersecurity responsibilities start, stop, or overlap with other departments – IT in particular.
This indicates a need for C-level leadership that gives all relevant parties a seat at the security table. Leadership must establish clear roles and direction for all parties involved so they can effectively support their organizations’ cybersecurity approach.
The very least corporate legal teams alongside their legal partners should do is address data security in their mutual relationships. At a minimum, firms and CLDs should embrace the insertion of security-specific expectations in their engagement letters. Beyond that, it does not take significant effort to outline the levels of sensitive data each matter may contain. Organizations can easily set guidelines detailing who can access that information.
Early Stages, but Certain Progress
While each of ELM Solutions’ cybersecurity panelists had different approaches to assessing and certifying their legal partners, all agreed that data security practices are still in very early stages. Policies on data need to be set and should address not only what needs to be done, but by whom and how often. It should be noted that technologies that give maximum mobility to legal teams cannot do so at the expense of data security.
Thank you to our panelists -- Zach Schroeder, Assistant VP, Legal Third Party Manager at PNC Bank and David White, Director of Law Firm Management for Accenture -- for sharing their respective journeys with Legalweek18 attendees. Their perspectives show how everyone in the legal organization must embrace data security, while also emphasizing a sense of shared responsibility for cybersecurity policies across the organization.
Given how much attention was paid to this issue, you can expect to see much progress by the time we gather again at Legalweek 2019. To get started on your cybersecurity initiatives, take a look at this Whitepaper: Managing Third-Party IT Exposure.