
Build a Qualified Information Security Team

Written by: Cameron G. Shilling

Published in the New Hampshire Bar News (3/22/2019)

Part 2 of a special three-part series on cybersecurity

(Part 1, Part 3)

Information security needs to become an operational function of every law firm, just like accounting, human resources, and firm management. Large firms commonly employ non-attorneys with specialized training to handle certain business functions, while other firms rely on a mixture of general business managers, attorneys, and outside service providers. Though a firm's attorneys and business leaders are critical constituents in this process, almost all firms lack the expertise in-house to develop a meaningful information security program for themselves, particularly those just starting the process. Firms should assemble a qualified information security team, consisting of (1) firm leadership, (2) legal counsel with information security expertise, and (3) an outside information security consultant.

Commitment by firm leadership is vital to the success of this process. Developing a meaningful information security program requires both capital investment and cultural change. Firm leaders should be tightly integrated in the project to understand why specific investments in technology and modifications to business practices are necessary to avoid or mitigate certain cyber security risks. Committed firm leaders are also critical for ensuring that all attorneys and staff adhere to security procedures and accept the cultural changes inherent in this process.

An experienced information security attorney provides the necessary subject matter expertise and project leadership. Just like a company would hire an M&A attorney and valuation expert for a corporate transaction, or a couple would hire a T&E attorney and financial advisor to structure their estate plan, firms need an attorney with information security expertise and an information security consultant to develop a meaningful information security program.

Seasoned counsel will help a firm decide which of the myriad cyber security laws it must or should address. For example, firms often fall under federal regulations like HIPAA, Gramm-Leach-Bliley, IRS Publication 4557, and SEC Regulation S-P. Similarly, an ever-expanding body of laws from other states and countries applies extra-territorially to firms that obtain personal information about residents of those jurisdictions — like the Massachusetts data privacy law, New York financial cyber-security regulation, California Consumer Privacy Act, European General Data Privacy Regulation, and Canadian Personal Information Protection Act. Once the scope of the firm's legal compliance is decided, experienced counsel helps the firm choose whether to use a recognized industry standard to achieve compliance and, if so, which standard to implement, such as the NIST Cybersecurity Framework or ISO 27001.

Practical experience is necessary to shepherd a firm through information security compliance. This process is not like anything most firms have ever done before. For example, conducting a risk assessment requires in-depth knowledge of applicable law, industry regulations, technology infrastructures, business operations, and information security best practices. Similarly, creating a report that is useful for the firm to remediate its vulnerabilities requires counsel with the subject matter expertise to weigh and categorize the risks and recommend discretionary actions in light of budgetary constraints, legal practice considerations, and workplace challenges.

Just as important as providing subject matter expertise and project leadership, legal counsel ensures that certain records created in the information security process remain privileged. That is vital, since the work product and the report generated during and after the risk assessment enumerate all of the firm's cyber security gaps and weaknesses. In the event of a breach or an audit, unless those records are privileged they become a roadmap for adverse claimants and for regulators seeking fines. An experienced information security attorney also can render a legal compliance opinion, which can be used as a defense in such legal and administrative actions.

The third team member is an information security consultant. Information security differs from information technology. In-house IT departments and outside managed IT providers serve the user base, and therefore necessarily focus on ensuring that technology systems are operating and accessible. By contrast, information security professionals focus on identifying cyber risks and implementing systems to eliminate or mitigate those risks. While most IT personnel have some knowledge of security measures, the expertise and skill set of an information security professional differ significantly from most IT personnel.

Qualified information security consultants also have technology tools that in-house IT departments and most managed IT providers do not. For example, specialized software should be used to scan the law firm's internal network and computers to identify vulnerabilities and insecure personal information, crack weak employee passwords, penetration-test the firm's external defenses, and scan the dark web for employee credentials and firm IP addresses. The diagnostics produced by such technology are valuable both during the risk assessment and afterward, when the firm remediates the vulnerabilities the tools identified.

While some IT departments and managed IT providers resist another technology professional scrutinizing their systems, most welcome the expertise and independence an outside information security consultant adds to the process. Moreover, after the risk assessment has highlighted the firm's vulnerabilities, IT personnel frequently need help from an information security provider to identify and implement measures necessary to remediate those risks.

Building a qualified team is the first step in developing information security as a business function. Once firm leadership commits to the process, the firm should retain an experienced information security attorney to outline the details and costs of the project and to identify a suitable information security consultant.

The last article in this three-part series will address the details of the process for a law firm to develop a meaningful information security program.

Cameron G. Shilling is a Director at McLane Middleton, where he founded and chairs the firm's Information Privacy and Security Group. His full biography and a summary of the services performed by the Group are available on the firm's website at www.mclane.com. Cam can be reached directly by phone at 603-628-1351, cell at 603-289-6806, or email at [email protected].
