Law firms can learn from other industries' missteps on cybersecurity awareness and prevention
Equifax. Yahoo. Anthem. Sony.
In the past few years, these companies experienced some of the most significant data breaches to date. And all of these companies found themselves subject to intense worldwide media coverage over their failure to secure their information.
The industries affected—from health care to entertainment—know all too well that the struggle to secure data in the digital age never ends. While individual businesses within these industries will continue to find themselves vulnerable to breaches, they have an advantage over law firms. They have been fighting this battle for a long time.
The legal industry is lagging well behind when it comes to data security, says Rich Santalesa, a member of the boutique cybersecurity firm SmartEdgeLaw Group and of counsel to the New York City-based Bortstein Legal Group.
“Law firms as a whole can learn a lot about cybersecurity by looking at other industries,” says Santalesa. “Unfortunately, other industries have had to learn their lessons the hard way—by having breaches that have received media attention.”
Santalesa says data security involves three different, simultaneous focuses: “the technology, the people you have, and needs of the industry in which you work.”
In addition, data security can’t be a one-size-fits-all situation. The cybersecurity needs of a small law firm will be different than the needs of an international firm, just like the needs of Target are different from the needs of a small retail website. However, all law firms, just like all businesses, must pay close attention to the applicable privacy laws, Santalesa says.
The legal industry needs to pay special attention to the changes in privacy law coming from the European Union. Companies worldwide are responding to the General Data Protection Regulation, which sets guidelines for the collection and processing of personal information of individuals within the European Union.
The GDPR is “scaring everyone because the penalties for failing to protect personal data are high,” says Charles Gold, chief marketing officer for Virtru, an encryption and data protection company.
“If you are doing business with Europeans, you need to be very conscious about GDPR and the requirements for protecting personal data,” he says.
Gold points out that Europe tends to blaze the trail when it comes to privacy laws, so “even if you aren’t doing business in Europe, you need to know that the same kind of regulation as GDPR is coming soon to a country near you.
“Giddyup and get ready,” Gold says.
Encryption is Key
Law firms of all sizes have failed to properly invest in the technology needed for data security, according to cybersecurity experts.
“Your law firm’s data, just like other organizations’ information, is no longer sitting in one place,” Gold notes. “It’s moved to the cloud. It’s on multiple servers, client devices, third-party devices. It’s out there in the world, so how do you protect it?”
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Law firms can look to financial institutions, which have long struggled with protecting data as required under the Gramm-Leach-Bliley Act, says cybersecurity expert Yong-Gon Chon.
Both Chon and Gold say the lesson learned from other industries is that encryption is a good investment to help secure end-to-end protection. Chon says industries such as financial services and casino gaming have long used encryption to protect data.
While encryption can’t prevent all cyberattacks, it makes stealing information a lot harder, says Chon, who’s a board adviser for RiskRecon.
“When you have pervasive use of encryption, even if someone does get access to a server or a cloud archive, they then have to break the encryption,” says Chon.
Gold emphasizes that encryption helps protect not only consumer information but also other precious data that law firms don’t want leaked, such as intellectual property. Media companies like Home Box Office use the encryption software available from Virtru, he says.
“HBO encrypts scripts that are sent via email,” says Gold. “If you think about it, if a script was leaked, that would be a big deal for any media company.”
This article was published in the September 2018 ABA Journal magazine with the title "Outside Help: Other industries are well ahead when it comes to cybersecurity awareness and prevention. What can the legal industry learn from them?"