Published in the New Hampshire Bar News (3/22/2019)
Part 2 of a special three-part series on cybersecurity
Information security needs to become an operational function of every law firm, just like accounting, human resources, and firm management. Large firms commonly employ non-attorneys with specialized training to handle certain business functions, while other firms rely on a mixture of general business managers, attorneys, and outside service providers. Though a firm's attorneys and business leaders are critical constituents in this process, almost all firms lack the expertise in-house to develop a meaningful information security program for themselves, particularly those just starting the process. Firms should assemble a qualified information security team, consisting of (1) firm leadership, (2) legal counsel with information security expertise, and (3) an outside information security consultant.
Commitment by firm leadership is vital to the success of this process. Developing a meaningful information security program requires both capital investment and cultural change. Firm leaders should be tightly integrated in the project to understand why specific investments in technology and modifications to business practices are necessary to avoid or mitigate certain cyber security risks. Committed firm leaders are also critical for ensuring that all attorneys and staff adhere to security procedures and accept the cultural changes inherent in this process.
An experienced information security attorney provides the necessary subject matter expertise and project leadership. Just like a company would hire an M&A attorney and valuation expert for a corporate transaction, or a couple would hire a T&E attorney and financial advisor to structure their estate plan, firms need an attorney with information security expertise and an information security consultant to develop a meaningful information security program.
Seasoned counsel will help a firm decide which of the myriad cyber security laws it must or should address. For example, firms often fall under federal regulations like HIPAA, Gramm-Leach-Bliley, IRS Publication 4557, and SEC Regulation S-P. Similarly, an ever-expanding body of laws from other states and countries apply extra-territorially to firms that obtain personal information about residents of those jurisdictions — like the Massachusetts data privacy law, New York financial cyber-security regulation, California Consumer Privacy Act, European General Data Privacy Regulation, and Canadian Personal Information Protection Act. Once the scope of the firm's legal compliance is decided, experienced counsel helps the firm choose whether to use a recognized industry standard to achieve compliance and, if so, implements that standard such as the NIST Cybersecurity Framework or ISO 27001.
Practical experience is necessary to shepherd a firm through information security compliance. This process is not like anything most firms have ever done before. For example, conducting a risk assessment requires in depth knowledge of applicable law, industry regulations, technology infrastructures, business operations, and information security best practices. Similarly, creating a report that is useful for the firm to remediate its vulnerabilities requires counsel with the subject matter expertise to weigh and categorize the risks and recommend discretionary actions in light of budgetary constraints, legal practice considerations, and workplace challenges.
Just as important as providing subject matter expertise and project leadership, legal counsel ensures that certain records created in the information security process remain privileged. That is vital, since the work product and the report generated during and after the risk assessment enumerates all of the firm's cyber security gaps and weaknesses. In the event of a breach or an audit, unless privileged those records are a roadmap for adverse claimants and regulatory fines. An experienced information security attorney also can render a legal compliance opinion, which can be used as a defense in such legal and administrative actions.
The third team member is an information security consultant. Information security differs from information technology. In-house IT departments and outside managed IT providers serve the user base, and therefore necessarily focus on ensuring that technology systems are operating and accessible. By contrast, information security professionals focus on identifying cyber risks and implementing systems to eliminate or mitigate those risks. While most IT personnel have some knowledge of security measures, the expertise and skill set of an information security professional differ significantly from most IT personnel.
Qualified information security consultants also have technology tools that in-house IT departments and most managed IT providers do not. For example, specialized software should be used to scan the law firm's internal network and computers to identify vulnerabilities and insecure personal information, crack weak employee passwords, penetration-test the firm's external defenses, and scan the dark web for employee credentials and firm IP addresses. The diagnostics produced by such technology are valuable both during the risk assessment as well as for the firm to remediate the vulnerabilities identified by the tools.
While some IT departments and managed IT providers resist another technology professional scrutinizing their systems, most welcome the expertise and independence an outside information security consultant adds to the process. Moreover, after the risk assessment has highlighted the firm's vulnerabilities, IT personnel frequently need help from an information security provider to identify and implement measures necessary to remediate those risks.
Building a qualified team is the first step to begin developing information security as a business function. Once firm leadership commits to the process, the firm should retain an experienced information security attorney to outline the details and costs of the project and identify a suitable information security consultant.
The last article in this three-part series will address the details of the process for a law firm to develop a meaningful information security program.
Cameron G. Shilling is a Director at McLane Middleton, where he founded and chairs the firm's Information Privacy and Security Group. His full biography and a summary of the services performed by the Group are available on the firm's website at www.mclane.com. Cam can be reached directly by phone at 603-628-1351, cell at 603-289-6806, or email at [email protected].