Law firm security breaches are grabbing headlines, and the Wall Street Journal reports “there is no such thing as a non-security IT staffer.” Staying current about rapidly-emerging threats and best practices can be overwhelming for IT staff, let alone law firm partners. Gartner recently estimated over $81.6 billion is being spent on cybersecurity, an indication that organizations are in search of a fix.
ILTA Radio recently hosted a discussion with cybersecurity experts knowledgeable about the specific threats faced by law firms. We connected with Mark Olvey and Phil Miller of Taft Stettinius & Hollister LLP for their recommendations and insights on working with lawyers, from named partners to newly-minted associates. Olvey trains the firm on best practices for document and technical security, while Miller oversees the security program for the national firm.
Lesson 1: Identify Trusted Experts
Taft Stettinius & Hollister (Taft) belongs to the Financial Services Information Sharing and Analysis Center (FS-ISAC) and their Legal Services Information Sharing and Analysis Organization (LS-ISAO). The duo use resources from these organizations as their frame of reference for screening security threats, as their lists reference the FBI key list of threats.
Olvey and Miller find this a useful starting point to design their security program. Using a trusted resource allows them to filter only the most critical threats in their response and communication within the firm. Lawyers are people first, and it’s essential to communicate the security program in a way that makes sense to associates and partners alike. Attorneys are focused on client work, and may find technical or infosec priorities to be an unwelcome distraction from daily tasks and responsibilities.
Lesson 2: Connect Cybersecurity to Key Practice Priorities
Document security is an essential part of daily operations at any firm. The expectation of confidentiality in the legal practice is much older than any modern security program, and creates a starting point for lawyers to buy into common-sense security protocols. Savvy firm partners understand and support cybersecurity programs as a natural extension of attorney responsibility for confidentiality. Examples of best practices to preserve confidentiality include avoiding leaving sensitive client data on an unencrypted mobile device like a laptop, or transmitting client documents outside the firm in a format without encryption.
Lesson 3: Build Your Program on Trust
The security team at Taft has found that ISO 27001 certification (certified since 2015) creates a basis of trust with clients and partners. It also provides a foundation for a healthy security program. Most outside counsel guidelines (OCGs) include common requirements to protect client and partner data. This allows them to respond to security and encryption audit requests more efficiently.
Taft sees audits vary in their requirements, depending on the client and its sector of business. They have seen a trend toward client audits having more stringent requirements in the last twelve months, particularly financial clients, whose audits were already demanding. In addition to tightening requirements, the Taft team has seen a greater volume of requests (more than double) for clients to audit their security program in the last year. They attribute this to publicized attacks and more frequent reporting, which has exposed legal operations as a vulnerable point for data breaches.
Lesson 4: Get Buy-In from Attorneys
Olvey leads the firm’s efforts to both educate the team about the security program, as well as train team members about security protocols. He recommends trainers and security managers start with the “Why” for the program and emphasize the serious need for a strong security protocol. When partners and associates take the security program seriously, as a separate kind of training (distinct from HR, operational priorities, etc), this can lead to a greater sense of personal investment and a higher value placed on team protection.
Olvey emphasized that the few tech-savvy, eager team members within most firms don’t represent the weak link within a security program. Therefore, he recommends that trainers and security managers design their programs so that non-techies can access and value the information presented.
CLEs are another way to ensure that attorneys take their security program seriously. Many states now offer CLE credit in legal security (distinct from securities law). By creating a sense of buy-in and personal benefit before introducing the specifics of the program, Olvey finds attorneys are more likely to take an interest and be serious about enforcing security protocols.
Data loss can have enormous consequences. However, with careful planning, research, and attention to attorney motivations, trainers and security managers can build a robust program that protects the firm and client data.