LAW FIRM SECURITY AWARENESS
As is becoming the new normal, an afternoon session on law firm security at the annual industry gathering drew a packed house.
Lathrop and Gage's Carlos Rodriguez and Rogers Townsend & Thomas' Mark Brophy, both of whom lead security operations at their firms, explained to their audience that risk awareness training, not technical security training itself, is the best way to get through to attorneys who handle valuable client data.
Rodriguez said he and two others run security for the 320-attorney firm. Brophy handles that task alone for his 64 attorneys. "The ultimate goal is to modify their behavior and create a culture for learning," Rodriguez said.
Both experts gave a variety of advice for security awareness training. Rodriguez's attorneys get continuing legal education credit for attending awareness training, although he tends not to call it training, for fear of scaring users away. It's important that all information technology employees at a firm deliver the same message, he added. "We're trying to move from just having a compliance checkmark into transforming our organization," he said.
Brophy noted that his firm's clients, many of whom are in the financial industry, demand security audits. "They are holding our feet to the fire. You have to have an awareness program and you have to provide materials about what you are teaching," he said. "You may have a partner who's a rainmaker and generates $1 million for the firm, but if he causes a breach, that's a $7.2 million liability."
Brophy also said it's not just a matter of protecting the firm's revenue; it's a matter of each attorney's professional responsibility. American Bar Association Model Rules 1.1 and 1.6 require attorneys to understand technology and to keep data confidential, he observed. "Golf outings and business lunches won't help when a bean counter says no" [to hiring your firm], he stated.
Complicating the matter, Brophy said, is that cybercrooks aren't even sending their best talent to break into law firms. "The law firms are the soft underbelly to our clients," he said.
Rodriguez, who is among the leaders of the International Legal Technology Association's LegalSEC committee, said the committee is having a one-day law firm security conference this summer. That's scheduled for June 13 in Chicago, he said.
Behind the scenes, law firms are learning from the financial industry's best practices, he added. Several major New York firms met with Goldman Sachs earlier this month to learn additional security techniques, he said. Such meetings will probably recur on a regular basis, he said.