By Jennifer K. Mailander, Associate General Counsel and Director, Compliance and Privacy, Corporation Service Company; Scott Plichta, Chief Information Security Officer, Corporation Service Company
Data breaches and cyberattacks aren’t just happening to other companies. They are real, constant threats to every company, brand, and bottom line. It’s no longer “if,” but “when” you’ll get breached. With this heightened focus on security, one of the biggest challenges faced by many in-house counsel is understanding what all the technology means and how to make sure the company is taking the proper actions to protect itself.
Why should corporate lawyers care about technology?
According to the FBI, law firms and law departments are among the most vulnerable targets for cyberattacks because of the types of information lawyers manage and access—like information about mergers and acquisitions, new product launches, trademarks, patents, and domain names to be filed. According to the comprehensive ACC Foundation: The State of Cybersecurity Report published by the Association of Corporate Counsel (ACC) Foundation, more than half of the in-house counsel surveyed reported that their companies were increasing spending on cybersecurity, while one-third stated that their companies had experienced a data breach. The American Bar Association (ABA) Cybersecurity Handbook reports that lawyers are targeted because they have limited resources to dedicate to computer security, lack a sophisticated appreciation of technology risks, and lack an instinct for cybersecurity.
Protecting against cyber threats is worth the effort, and the good news is that a few simple measures have a large impact on your cybersecurity. There may also be an ethical obligation for lawyers to know and care about technology. Most lawyers are familiar with the ABA’s Model Rules of Professional Conduct. Model Rule 1.1 defines competent representation, in part, as requiring the legal knowledge and skill reasonably necessary for representation. In 2012, the ABA added comment 8 to this Model Rule, requiring lawyers to keep abreast of changes, “including the benefits and risks associated with relevant technology.”
We identified the following top 10 technology tips for corporate lawyers. These tips can help you become familiar with technology and cybersecurity so you can provide the guidance needed to help protect your company’s business. We’ve provided general definitions to assist your understanding. The italicized terms throughout the article lead to definitions in the Technology Terms Desk Reference at the end.
1. Understand your company’s business and the technology your company uses
First, you need to understand your company’s business and the services or products it provides. Closely related to this is an understanding of the technology behind your business and what is done with the data that’s collected, stored, and shared. For example, does your company have a policy for data classification and storage? What does your policy say about storing data in the cloud? Learn and know the policies for implementing new technology and disposing of old technology. You may even want to become part of the process for buying and maintaining technology, so you can keep tabs on when shadow IT is being bought or used.
2. Know your vendors, and your vendor’s vendors
Know the vendors your company is using and what services they provide, including who they in turn contract with, to avoid potential liability. If a vendor stores your data, that vendor needs to be at least as secure as your company. Determine what type of data they have from your company, how they manage it, and how secure their data management processes and systems are. Depending on the sensitivity of the data, you may want to require your vendor to agree to compliance training, and require that they provide proof of security testing on a regular basis. Connect with your Security Team to put a process in place for vetting new vendors, and consider adopting standardized questionnaires like the Shared Assessments Standardized Information Gathering (SIG) questionnaire or its shorter SIG Lite version.
3. Know your law firm’s security practices
Many corporate attorneys forget that law firms are vendors as well. You should know and vet your law firms’ security practices just as you do any other vendor’s to make sure your information is secure. The Association of Corporate Counsel (ACC) has created a Cybersecurity Work Group in conjunction with the ACC Litigation Committee to help companies identify what questions to ask, and what information to request from firms. In addition, ensure you have a secure mechanism for exchanging files with the firm rather than sending sensitive documents as plain email attachments. Increasingly, many large law firms either have, or are in the process of attaining, a security certification such as ISO/IEC 27001 from the International Organization for Standardization.
4. Be a partner to the business
Learning about technology and how your company uses it, including who it contracts with to provide services, will make you a valuable partner to the business. This knowledge gives you the ability to help the business identify potential risk, mitigate it, and achieve success. Hold regular “lunch and learns” with Technology, Marketing, Operations, and Sales counterparts to learn how your company works and stay abreast of potential projects on the horizon. Share information with this cross-functional team about how Contracts and Licensing, Technology, Sales, and Operations intertwine. Technologists often don’t appreciate the legal and privacy implications of sharing sensitive data with third-party vendors. Educating technology partners about how to mitigate vendor risk through contracts can go a long way. Having a reciprocal meeting to learn what technology the company is implementing can help you be a better partner to the business—those connections can be key to an ongoing partnership with technology.
5. Conduct a data audit
Again with your cross-functional team, identify your data practices. Generally speaking, who has control of your company’s data, what is the nature of the data, where is it stored, who has access to the data, how long is it stored, and where does it go when you are done with it? Depending on the size of your company or the resources at your disposal, you may want to start with reviewing the data practices of one department at a time. For your initial audit, it’s okay to keep your analysis at a high level to help you begin to understand the processes you use and determine whether or not you need policies to help ensure better data management. With the decreasing cost of storage, there is little financial incentive to delete or remove data from systems. Explaining the legal, compliance, and breach risk to business counterparts can help the business understand the need for retention policies and aid your compliance efforts.
6. Assess your own data protection practices
Assessing your own individual data practices should be an ongoing security measure that you personally undertake. Where do you store your personal and professional data? Is your home computer secure? Are your desktops, laptops, and mobile devices encrypted, so that if a device is ever lost or stolen you can be sure no confidential data can be extracted from it? Do you use complex, unique passwords and two-factor authentication? Two-factor authentication blunts credential phishing, but a code sent by SMS or generated by an app can still be relayed by a real-time phishing page; a hardware security key or other phishing-resistant factor cannot, because it is bound to the genuine site. Do you keep paper copies of your bills and dispose of them in a secure manner? Do you access your personal bank account from your cell phone, and is that access secure? How do you manage all of your passwords?
For any data that you truly want to keep secure, you should implement two-factor authentication and not rely on a username and password alone. Complex and unique passwords are one of the most important things you can do to protect your data, and unique matters more than complex: a password that is never reused cannot be replayed from one site’s breach against your other accounts. Consider a reputable password management system protected by two-factor authentication to store your passwords. While you should not re-use passwords between any systems, your email password should be unique and the most secure of all your passwords, because email is the gateway for the password reset mechanisms on most other accounts.
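The reuse and email-uniqueness checks described above can be run mechanically over a password-manager export. The following is an added example written for this page, not code from the authors or from any password manager; it operates on a constructed sample vault (no real credentials), assumes the auditor identifies which entries are email accounts, and only ever reports site names, never the secrets themselves. It also shows how the Have I Been Pwned “Pwned Passwords” range lookup is prepared locally: only a five-character SHA-1 prefix would leave the machine, and the network call itself is deliberately omitted.

```python
"""Audit a password-manager export for the hygiene points in the text:
reuse across sites, short passwords, and an email password shared with
any other account (email is the reset gateway for everything else)."""
import hashlib
from collections import defaultdict

# Constructed sample vault (not real credentials): site, username, password.
SAMPLE_VAULT = [
    {"site": "mail.example.com",  "username": "jane@example.com", "password": "Tr0ub4dor&3"},
    {"site": "bank.example.com",  "username": "jane",             "password": "Tr0ub4dor&3"},
    {"site": "shop.example.com",  "username": "jane@example.com", "password": "correct horse battery staple"},
    {"site": "forum.example.net", "username": "jane",             "password": "summer2019"},
]

# Assumption: the auditor tells us which vault entries are email accounts.
EMAIL_SITES = {"mail.example.com"}


def group_by_password(vault):
    """Map each distinct password to the sites that use it.
    The password is used only as a grouping key; findings report sites,
    never the secret itself, so the audit output is safe to share."""
    groups = defaultdict(list)
    for entry in vault:
        groups[entry["password"]].append(entry["site"])
    return groups


def reused_passwords(vault):
    """Return lists of sites that share one password (any group with more than one site)."""
    return [sites for sites in group_by_password(vault).values() if len(sites) > 1]


def short_passwords(vault, min_length=12):
    """Return sites whose password is shorter than min_length characters.
    Length is the cheapest useful proxy for strength; a passphrase of several
    random words beats a short string of mixed symbols."""
    return [e["site"] for e in vault if len(e["password"]) < min_length]


def email_password_shared(vault, email_sites):
    """Return (email_site, other_site) pairs where an email account's password
    is also used elsewhere. This is the finding that matters most: whoever
    holds the email password can reset every other account."""
    findings = []
    for sites in group_by_password(vault).values():
        for mail_site in [s for s in sites if s in email_sites]:
            findings.extend((mail_site, s) for s in sites if s != mail_site)
    return findings


def pwned_range_query(password):
    """Split the uppercase SHA-1 hex of a password into the 5-character prefix
    the Pwned Passwords range API accepts and the 35-character suffix that is
    compared locally against the returned list. Only the prefix would leave
    the machine (k-anonymity); no network request is made here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def audit(vault, email_sites, min_length=12):
    """Run all checks and return a findings dict keyed by check name."""
    return {
        "reused": reused_passwords(vault),
        "short": short_passwords(vault, min_length),
        "email_shared": email_password_shared(vault, email_sites),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_VAULT, EMAIL_SITES).items():
        print(f"{check}: {hits}")
```

On the sample vault the audit flags the email and bank accounts for sharing one password, marks three entries as shorter than twelve characters, and reports the email account as the one whose password is reused; a real export would be loaded from the manager’s CSV in place of the constructed list.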
7. Conduct employee training on technology, security and privacy
Do it. The Ponemon Institute, a leading cybersecurity research firm, has reported that a significant number of data breaches are due to corporate employees or contractors—whether intentional, or through careless actions. It’s paramount that employees are trained routinely on how to recognize cyberattacks like phishing or spear phishing, and are tested by IT through simulated phishing exercises that mimic real attacks. Phishing attacks work by exploiting a lack of awareness. With the amount of data available on social media, it is possible for cybercriminals to craft an authentic-sounding email addressed to a specific person. We have seen a rise in well-crafted spear phishing attempts. Without appropriate controls, a single click on a malicious link can compromise an entire organization. Responding to this risk goes hand-in-hand with making sure employees know the privacy practices of your company, and regularly educating the workforce on any changes to those policies.
8. Know your company’s breach and incident response plan and practice it
Change your corporate mindset around breaches: it’s not “if” but “when.” Know your company’s breach/incident response plan. If there is none, consult the cross-functional team to determine whether you need one, and create one together. Having the perspective of Legal, Compliance, IT, Marketing, Human Resources, Operations, and Sales will ensure you cover all the bases. Then practice, practice, and practice that plan, assigning roles and responsibilities to everyone on the team. Conduct incident response drills that draw on real-life examples of how your company’s data could be breached. Practice at least annually so that you can tweak areas as technology and your business change, allowing you to respond quickly and efficiently to a real crisis. It will never go just as you planned it, but practice helps you prepare for the real event.
9. Get comfortable with technology
Getting comfortable with technology is essential, because technology is everywhere and it continues to evolve. Invest in continued education. Meet regularly with your IT department to share knowledge and ask questions. Get involved in professional associations focused on cybersecurity, get clarification on things you don’t understand, and read up on the latest technologies—through blogs or otherwise—to be aware of how new technology works, and where the potential risks and benefits lie.
10. Network inside and outside your organization
Network inside and outside your company to stay current on best practices regarding technology. Develop a core team of company contacts to assist you when it comes to technology issues. Join your local bar association and talk about technology with your peers outside of your company. Technology, and the laws and regulations governing it change very quickly, and you need to stay current on this ever-evolving area of the law. With cyberattacks on the rise, understanding technology and how to protect your company is an essential part of your job.
For further reading on the data security and privacy practices of six companies with operations spanning the globe, download the ACC primer "Leading Practices in Privacy and Data Security: Compliance Programs Across the Globe". The organizations featured in this profile describe practices and approaches for working through the matrix of varying and changing requirements across multiple jurisdictions, as well as for integrating policies and practices with systems and security features.