My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.
Law firms across the country rely on information systems for everything from research to case filing. How many law firms have removed physical books in exchange for online research resources? How well are those information systems protected?
The Presidential Commission on Enhancing National Cybersecurity published its “Report on Securing and Growing the Digital Economy” on December 1, 2016. One of the key challenges identified by the Commission is the lack of focus on cybersecurity by many organizations. As the report says:
These failures to mitigate risk can and do allow malicious actors of any skill level to exploit some systems at will.
As I testified to the Commission on July 14, 2016, there are several impediments to sharing risk mitigation strategies, including:
- The perceived risk of sensitive information becoming available under a Freedom of Information Act (FOIA) or state-level “sunshine law”;
- The fear of sensitive information being used in regulatory enforcement; or
- Waiver of attorney-client privilege.
The Commission responded to these concerns by recommending that they be addressed under the Protected Critical Infrastructure Information (PCII) protections administered by the Department of Homeland Security (DHS).
It is unclear whether this recommendation will be implemented by the current or future administration, but we should all watch what happens.