Just about every week, there’s a reminder that cybersecurity remains important. But that doesn’t mean that many are taking it as seriously as they should. In the past month alone, Legaltech News has reported surveys that note how law firms are not adopting proper cyber protocols, companies haven’t mitigated third party risks, and attorneys are vulnerable to biometric, cloud and phishing attacks. This isn’t just a U.S. problem either.
Meanwhile, the focus on privacy seems to be ever increasing. Sometimes, it’s a renewed focus on privacy regulations following the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act of 2018. Other times, it’s a matter of court cases, like the U.S. Supreme Court’s Carpenter v. U.S. ruling. But in general, maybe it’s just public awareness, as consumers in both the U.S. and abroad become increasingly aware of how their personal data is used.
That’s why it’s important to be on the forefront of cybersecurity shifts and privacy changes. To get you ready for what 2019 has to offer, LTN has solicited predictions from top attorneys and experts in the field, gaining insight into what they’re looking out for in the new year. The quotes given here are in alphabetical order by last name.
LTN has also published predictions for 2019 in e-discovery, with more on new and innovative technologies coming on Thursday.
Cybersecurity and Privacy Predictions
Paige Boshell, Privacy Counsel: “Privacy may eclipse cybersecurity in risk management efforts in 2019. Consumers, regulators and courts are all aware that data breaches are commonplace. Unless the business has been deficient in its cybersecurity efforts, it is usually seen as a victim. Privacy scandals, however, are generally viewed as self-inflicted. So-called ‘data leaks’ or ‘data exposures’ are typically caused by lapses in management or the devaluation of consumer privacy. Losses caused by such events are not usually covered by cybersecurity insurance policies. Increasing liability and regulatory risk will highlight the need for a separate, executive privacy function.”
Nina Bryant, FTI Technology: “Data protection authorities now have much more power and oversight to investigate and correct issues relating to data privacy than ever before. We’re likely to see an increase in whistleblowing activity that is aimed at using GDPR violations to influence other legal matters, such as employment litigation, union negotiations, etc.”
Jared Coseglia, TRU Staffing Partners: “Ushered in by The Cambridge Analytica/Facebook scandal in America and cemented by the May 25th, 2018 GDPR deadline in Europe, privacy has instantly gone from a niche discipline to a socially understood and valued commodity that is creating jobs, if not careers, for thousands of legal and legal technology professionals. In 2018, there was an explosion of CPO and partner-level placements throughout the Fortune 1000 and Am Law200. In 2019, there will be an abundance of jobs a tier below these executives as corporate legal departments and law firm practice groups, big and boutique, aim to bolster the middle ranks with privacy associates and privacy program developers/executors.”
Adam Doblo, Adaptive Solutions: “In 2019, the frequency and intensity of law firm security audits by clients will increase, and will include greater emphasis on encryption at rest. Encryption of data at rest is a means of securing volumes of stored files and documents that may not have been recently accessed. In the event that a device is lost or stolen, or data on a network is breached, resting encrypted data will not be accessible without a decryption key.”
Stephen Ehrlich, The MCS Group: “The rest of the nation will follow California with privacy legislation like GDPR to further subject U.S. companies to protect their client’s data. Companies such as Microsoft and Amazon Web Services will enhance their tools to make it easier for companies to be audited and prove compliance.”
Simon Elven, Tikit: “Law firms are increasingly expected to be able to demonstrate ‘corporate-level’ security for their clients’ data as part of any bid process. Combined with the regulatory requirements around data privacy, and the catastrophic reputational consequences if these are breached, the law firm mind is firmly focused on data security. The key, though, will be to weave these elements into the fabric of the firm so that security and data privacy are just by-products of normal, everyday work without conscious thought or effort on the part of the users. Technologies that facilitate this approach will be the ones to look out for.”
Amanda Fennell, Relativity: “Phishing has long been the most effective entry point into any industry and it’s evolving with the use of social media. Dubbed Rose Phishing, phishers will create fake profiles on platforms like LinkedIn and Facebook to disseminate false information, ruin credibility, attack other high-value targets, perpetrate financial fraud, etc. These attacks are highly complex socially but simple to enact and will be plentiful in 2019. Mitigation relies on a change in behavior of social media users, which is often difficult.”
Lisa Hawke, Everlaw: “The EU’s General Data Protection Regulation coming into effect on May 25, along with several high profile data breaches that occurred in 2018, has paved the way for greater scrutiny on data security and privacy at the state and federal level. California, Ohio, and Colorado have passed data protection and security laws. GDPR helped make data protection a mainstream issue in 2018, and we will continue to see this heightened scrutiny and awareness grow in 2019.”
Rob Hanna and Elisa Arko, Tucker Ellis: “With news of cyber breaches bombarding us daily, we anticipate the continued growth and implementation of blockchain technology to address cybersecurity and privacy threats in 2019. Blockchain technology contains inherent features that make it a natural solution to mitigate these risks. Its key features include: (1) decentralized architecture (no longer able to attack a centralized database); (2) consensus validation (continued validation of the integrity of the data); and (3) encryption (sophisticated monitoring of the computers authorized to transact on the blockchain). As we continue to search for ways to combat cyber risks, and we are searching, blockchain technology is a potential solution. The cyber risks continue to evolve in complexity and intensity. So must we.”
Tim Helming, DomainTools: “A set of security standards for consumer and small business-grade IoT devices will be drafted. This proposal could include something analogous to the UL listing for electrical devices—it would state that a device with the certification meets specific minimum standards for ‘securability.’ Example criteria could include forcing strong administrative passwords, hardening of the OS, not listening on any ports except one or two that require encryption and authentication, etc.”
Erin Illman, Bradley: “Public sentiment, and impending legislation, on privacy will cause companies to reconsider how they handle data. In an effort to stand out, companies will build their brand around transparency of their data collection practices and the acknowledgment that data is valuable. Companies will start providing customers with large-scale financial incentives for data collection and use.”
Joe Kelly, Legal Workspace: “As cyberattacks increase and malicious programs proliferate, there’s no room to ignore technology updates or enable systems that compromise your firm and its clients. There’s no more set it and forget it. The evaluation of law firms’ tech in 2019 will have to be mandatory, constant, and proactive. Ensure that tech providers keep up with the latest attacks and address vulnerabilities quickly. Also, if your firm isn’t compliant with regulations like HIPAA, start that process now. Not only will you be able to market that compliance, but the additional safeguards associated with HIPAA will help protect your firm.”
Mark Mao, Troutman Sanders: “Before the end of 2019, ‘edge computing’ might force lawyers and regulators to rethink the current paradigms of data privacy law. With machine learning/artificial intelligence (AI) and advances in processing, we are ever less reliant on far away servers. As the world becomes more connected (e.g., IoT), businesses also realize that they cannot be over-reliant on the cloud. But if more data is processed locally by AI (i.e., edge computing), are users surrendering their confidential data when proprietary AI processes and uses that information, even if the information is never technically further transmitted? The answer is unclear under current paradigms.”
Darrell Mervau, FileTrail: “Information governance will continue its ascent up the priority ladder in 2019 as firms move beyond simply having a written policy to automating its execution. Clients are putting IG requirements into RFPs. This includes the ability of firms to demonstrate a commitment to data security and the enforcement of a defensible IG program that manages data through its lifecycle (but not longer.) Firms that can prove their compliance with both their own IG policies and client outside counsel guidelines will attract and retain clients at a higher rate than those that don’t.”
Eli Nussbaum, Keno Kozie Associates: “2019 is the year that it will become universally accepted that the lack of strong password policies and multifactor authentication within an organization are akin to leaving the office unlocked outside of business hours. Even the most change averse partners will come to understand that the ‘inconvenience’ and ‘added work’ of these tools are the new normal and comprise the bare minimum to protect against the ever-changing cybersecurity threat.”
Joe Raczynski, Thomson Reuters: “With an increased ownership of cryptocurrency wallets—allowing complete control of money, tokenized real estate, health records, and state issued documents for individuals—legal professionals and corporations must be prepared for the ‘kidnapped for crypto’ scenario. Criminals will target individuals/legal professionals, forcing the victim to send their currency to an address and then vanish, the funds impossible to retrieve. The distributed nature of blockchain places the onus of protection, privacy, and security on the individual, but organizations and government agencies need to prepare for this and leverage technology to serve and protect customers.”
Wayne Stacy and Cynthia Cole, Baker Botts: “Data protection continues to captivate headlines: breaches, surveillance, senate hearings, local legislation and drafts of federal policies. And Margaret Atwood, author of The Hand Maid’s Tale is headlining the 2019 IAPP Global Privacy Summit. Ultimately, we will see that innovation in data protection leads us back to old-fashioned sound human judgment. Away from the infinite application of machines and algorithms in processes and procedures. Technology is a tool that is only as good as its master. And the master of data is king.”