Jim Brashear of Zix Corporation addresses cybersecurity issues in this guest post:
At the ABA’s 2014 annual meeting earlier this month, delegates approved a resolution that “encourages all private and public sector organizations to develop, implement and maintain an appropriate cybersecurity program.” When you consider that some pundits characterize lawyers as technology Luddites and law firms as “the soft underbelly” of data security in corporate America, it may seem odd for the legal industry to be lecturing other organizations about getting their cyber houses in order.
Law Firms Are Targets of Cyber Attacks
The ABA Cybersecurity Legal Task Force report accompanying the draft resolution warns that “the threat of cyber attacks against law firms is growing.” It notes that law firms collect and store large amounts of critical, highly valuable corporate records. The report points out that “lawyers and law offices have a responsibility to protect confidential records from unauthorized access and disclosure, whether malicious or unintentional, by both insiders and hackers.” Unfortunately, many lawyers don’t fully appreciate the scope of that responsibility, particularly as it applies to data transmitted via the internet or stored in the Cloud.
Data in Transmission is At Risk
A survey conducted in March 2014 by LexisNexis found that 89% of law firms use email daily for business purposes, but only 22% of law firms are encrypting email. A recent post in Law Technology News urges that “It’s Time to Secure Privileged Communications.” The post notes that “attorneys should be concerned about the general uncertainty of privacy expectations for email.” Those risks to email confidentiality are not merely a theoretical concern.
For example, in February the New York Times reported that a foreign spy agency intercepted email messages between a large U.S. law firm and its foreign government client and then shared the information with the U.S. National Security Agency. In a carefully worded statement, the law firm said: “There is no indication, either in the media reports or from our internal systems and controls, that the alleged surveillance occurred at the firm.” The statement misses the point, because unencrypted email is intercepted, undetectably, while it is being transmitted or stored outside the firm’s internal network.
That news report prompted the ABA to ask the NSA to explain how the agency deals with attorney-client privileged communications. As discussed in the post “Law Firm Email Security Questions The ABA Should Be Asking,” the ABA was conflating legal privilege with client confidentiality and asking the wrong questions of the wrong organization.
Standards of Care
The fundamental question is whether the firm’s lawyers were taking reasonable steps in the circumstances in order to secure sensitive email communications. The ABA report acknowledges that “law firms are businesses and should take special care to ensure that they have a strong security posture and a well-implemented security program.” Many lawyers say the NIST Cybersecurity Framework can serve as a general guide for information security oversight and risk assessments, in order to establish that reasonable care was taken. The NIST Cybersecurity Framework includes an assessment of whether “data-in-transit is protected.”
Email is fundamentally a convenient but insecure method of transmitting and storing data in the Cloud. There are many simple steps that lawyers can take to protect sensitive data that they exchange with clients and third parties, including email encryption. State bar associations, however, continue to draw an unfounded distinction between the data security measures required when transmitting and storing data “in the Cloud” versus those required for email.
GC’s Skill Set Should Include Understanding of Technology
This article argues that, as processes in every function of the business are increasingly automated, the list of the GC’s key competencies needs to include an understanding of the automation side of the business. Here is the author’s suggested list of technology tools and concepts that every GC should be familiar with:
LAW DEPARTMENT PRODUCTIVITY AND ADMINISTRATION
- Cloud resources vs. local servers and storage.
- Work flow systems to control legal review processes.
- Document assembly and contract management programs.
- Document management systems.
- Secure remote access systems.
- Audio and video meeting apps and services.
- Matter and budget management systems.
- Secure mobile device management.
- Legal hold management system.
SUBSTANTIVE LAW GOVERNING E-BUSINESS
Are you familiar with the laws governing e-business in each of the areas where the company operates?
- Securities laws
- Tax laws
- Identity theft
- Children’s online access
- Trademark and copyright
- What is the corporate records management system?
- How are compliance inquiries (e.g., hotline) managed?
- How is risk assessment conducted? Updated?
- How are reports generated on issues for board or audit committee?
- Are policies available to all employees?
- Is there an automated procedure in place to ensure that policies are current?
- Is there a system to demonstrate compliance with each requirement of the Federal Sentencing Guidelines?
- Are there rules regarding employee use of social networks?
- Are there internal social networks and how are they managed?
- Are there corporate rules for management of personal devices?
- Are there rules of personal use of company email?
- Are there retention rules for company email?
- Are corporate automated marketing and sales tools reviewed for compliance with laws and regulations (e.g., the Federal Trade Commission and the Food and Drug Administration)?
- Are the computers in the company (particularly in the law department) compliant with ISO security procedures?
- What procedures are in place to prevent company systems from being penetrated by viruses or spyware?
- Does the company have a robust computer security policy for its data, including the data of customers, consumers?
- Do third parties (such as dealers or franchisees) have access to company computer systems that could give rise to security breaches?
- Does the company follow privacy rules of the US and other countries?
- Is business done electronically (e.g., ordering, payment)? Are safeguards in place?
– by Randi Val Morrison