The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice – Part One

May 11, 2014

Cybersecurity should be job number one for all attorneys. Why? Because we handle confidential computer data, usually secret information that belongs to our clients, not us. We have an ethical duty to protect this information under Rule 1.6 of the ABA Model Rules of Professional Conduct. If we handle big cases, or big corporate matters, then we also handle big collections of electronically stored information (ESI). The amount of ESI involved is growing every day. That is one reason that cybersecurity is a hard job for law firms. The other is the ever increasing threat of computer hackers.

The threat is now increasing rapidly because there are now criminal gangs of hackers, including the Chinese government, that have targeted this ESI for theft. These bad hackers, known as crackers, have learned that when they cannot get at a company’s data directly, usually because it is too well defended, or too risky to attack, there is often a back door to this data by way of the company lawyers. The hackers focus their industrial espionage on the law firms that collect vast amounts of data from corporate clients as part of e-discovery and corporate due diligence. The hackers have found from successful intrusions that most firms are lax in cybersecurity, or as I have put it before: law firms are the soft underbelly of corporate cybersecurity. Best Practices in e-Discovery for Handling Unreviewed Client Data. Also see: China-Based Hackers Target Law Firms to Get Secret Deal Data (Bloomberg 2012). According to Bloomberg’s 2012 article, cybersecurity experts estimated that at least 80 major U.S. law firms were hacked in 2011. Indications suggest the attacks have intensified since 2011. See e.g. Law Firms Are Pressed on Security for Data (NYT, 2014); Big Law Firms Are Most Vulnerable To Hackers: ABA Panel (Law 360, 2013); Attacking the Weakest Link: BYOD in the Law Firm Culture (Huffington 2014).

The legal profession needs to recognize this threat and take immediate action to defend against cyber intrusions of client data. One solution is the action that I recommend: outsource e-discovery data possession and cybersecurity of large collections of client data to trusted professionals. I follow my own advice on best practices. My law firm has outsourced e-discovery data possession and cybersecurity to trusted professionals, in our case, Kroll Ontrack.

FBI Warns Law Firms To Harden Their Cybersecurity

Mary Galligan, the special agent in charge of cyber and special operations for the FBI’s New York Office, is reported by Law Technology News as saying: “We have hundreds of law firms that we see increasingly being targeted by hackers.” Confidential client ESI can also sometimes be stolen by unethical competitors willing to engage in illegal eDiscovery by hacking. They may do so to try to crush a competing business, or even just to win a law suit. We have seen this ourselves in my firm and have successfully counter-responded in court. Foreign governments may also sponsor cyber attacks on a law firm to steal their clients’ trade secrets that would help government-backed business. Bloomberg’s Business Week quoted FBI agent Galligan as saying: “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.” China-Based Hackers Target Law Firms to Get Secret Deal Data (Bloomberg 2012).

Outsourcing

Realizing the seriousness of cyber crime today, my law firm has taken extraordinary steps in the last few years to significantly strengthen its cyber systems. The focus of our efforts has been on protection of client ESI because, like every other law firm in the world, that is our high value target. That is what the crackers want to steal. That is one of the reasons we outsourced our non-legal e-discovery services to Kroll Ontrack in 2012, and recently renewed again with them this month. Losey, R., Five Reasons to Outsource Litigation Support (LTN, Nov. 2, 2012); Going “All Out” for Predictive Coding and Vendor Cost Savings. The five reasons I wrote about in 2012 for outsourcing remain the same for our renewal in 2014, except that cybersecurity is now much more important.

The five reasons I described before for any law firm, or corporate law department, to outsource their litigation support department non-legal e-discovery functions are Competency, Complexity, Cost Savings to Firm and Clients, Risk, and Ethics. Here is a summary of these five showing how cybersecurity fits into each.

1. Core Competency. You are a law firm, or law department of a corporation. You are lawyers engaged in the practice of law. That is what you are trained to do. That is what you are good at. That is your mission. Why should you own and operate a non-legal e-discovery business within your walls under the guise of a Lit-Support Department? Why own and operate a data hosting company? Why should you assume the risks involved with protecting large collections of client data?

Even in big-firm Lit-Support departments, most of the services provided are not legal review; they are non-legal services by techs. The non-legal services performed by litigation support departments include the processing of electronically stored information in various ways, ESI collections, forensic analysis, database creation, hosting, software configuration, management and non-legal expert advice of all kinds and varieties. It also includes the intake, storage and accounting of billions, if not trillions, of computer files that belong to law firm clients. It also should include, although truth be told often does not, cybersecurity infrastructure and experts to protect this information, to protect it from accidental loss and intentional theft. Is anyone in your tech-support department an expert in the five basic functions of cybersecurity? Do they have a well funded plan to implement?

These are not the practice of law under anyone’s definition. No one contends that the five billion dollar a year e-discovery vendor industry is engaged in the practice of law. These are computer related technical services. EDRM type technical services are the core competency of e-discovery vendors. It is not the core competency of any law firm or law department.

To be honest, with a few notable exceptions, most e-discovery vendors do not have cybersecurity expertise either. It is not within their wheelhouse any more than it is within a law firm’s. Most vendors can process and host all right, but can they protect? Do they even have a CISO, much less one with a PhD? What do they really know about the CIA, the holy trinity of cybersecurity? The CIA Cyber Security Triad and 9ec4c12949a4f31474f299058ce2b22a (e-Discovery team, 2014). Good e-discovery vendors know how to hash and dedupe, but do they know how to set up network segmentation, virus and intrusion monitoring, and the latest host-based intrusion detection technology? What speciality cybersecurity firms do they employ to guide their efforts? Have they had penetration tests done?
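The paragraph above takes hashing and deduplication for granted, but the same content hash that removes duplicate documents from a collection also gives the hosting party an integrity baseline: re-hash later and any altered or missing file shows up. The following is an added example written for this post, not code from the blog, from my firm, or from Kroll Ontrack; the filenames and contents are constructed sample data, not real client ESI.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample collection (filename -> content). Not real client ESI.
SAMPLE_FILES: Dict[str, bytes] = {
    "contract_v1.docx": b"Master services agreement, draft 1",
    "contract_v1_copy.docx": b"Master services agreement, draft 1",
    "contract_v2.docx": b"Master services agreement, draft 2",
    "memo.txt": b"Internal memo re: due diligence",
    "memo_backup.txt": b"Internal memo re: due diligence",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a document in the collection."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file at intake; the manifest is the integrity baseline."""
    return {name: sha256_hex(content) for name, content in files.items()}


def dedupe(files: Dict[str, bytes]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Group files by content hash.

    Returns (unique, duplicates): unique maps each distinct hash to the first
    filename (in sorted order) that carries that content; duplicates maps every
    later filename with identical content to that canonical filename.
    """
    unique: Dict[str, str] = {}
    duplicates: Dict[str, str] = {}
    for name in sorted(files):  # sorted so the canonical copy is deterministic
        digest = sha256_hex(files[name])
        if digest in unique:
            duplicates[name] = unique[digest]
        else:
            unique[digest] = name
    return unique, duplicates


def verify_manifest(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Re-hash the collection against the intake manifest.

    Returns the sorted names of files whose content no longer matches the
    recorded hash, or which are missing altogether.
    """
    problems = []
    for name, expected in manifest.items():
        if name not in files or sha256_hex(files[name]) != expected:
            problems.append(name)
    return sorted(problems)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES)
    unique, dups = dedupe(SAMPLE_FILES)
    print(f"{len(unique)} unique documents, {len(dups)} duplicates")
    for dup, canon in dups.items():
        print(f"  {dup} duplicates {canon}")

    # Constructed scenario: one hosted file is silently altered after intake.
    tampered = dict(SAMPLE_FILES)
    tampered["contract_v2.docx"] = b"Master services agreement, draft 2 (altered)"
    print("integrity problems:", verify_manifest(tampered, manifest))
```

Deduplication by hash is only as good as the hash: SHA-256 is used here rather than MD5 so that two different documents cannot be made to collide and silently drop one from the review set. Keeping the intake manifest somewhere the hosting system cannot rewrite it is what turns a dedupe table into an integrity control.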

2. Complexity. Non-legal e-discovery services are difficult and complex to perform correctly. They require a high degree of special skills and training. This is not like making copies or performing other simple technical tasks. ESI processing and forensic work is very technical, and it is easy to make mistakes if not done properly. So is management of these tasks in large projects. The complexity and difficulty of this work is increasing daily.

This is especially true when it comes to cybersecurity skills to protect against hackers. Again, is anyone in your tech-support department, or even your IT Department, an expert in the categories of the five basic functions of cybersecurity? Do they have a well funded plan to implement them? Do you even have a CISO? Have they studied the new NIST framework for cybersecurity that came out this year? National Institute of Standards and Technology Creates Cybersecurity Standards Framework. Do you have defined cybersecurity processes and an integrated risk management program? What is your Current and Target Security Profile? Do you have an action plan to address the gaps identified between the Current and Target Profile as NIST recommends? When is the last time you had penetration testing done on your systems? How did you do? Did it take more than an hour for the hacker team to take root control and own your system? Are you 100% sure there are no trap doors in your software?

We are living in an age of information explosion and rapid technology advancements. We are also living in the age of computer hackers where in 2013 there were an average of 315,000 new viruses released every day! The only norm in technology is constant change and increasing threats. For most law firms the review software they bought three years ago is now hopelessly obsolete, and so are the skills of their techs, unless they are constantly re-trained. The same applies to virus protection systems.

You do not really think that buying a piece of malware detection software is adequate, do you? That is just one step in an overall cyber risk management program, and it is a minor one at that. See e.g. the May 2014 report in the Wall Street Journal, including a statement by Brian Dye, senior VP for information security at anti-virus pioneer firm Symantec, which supplies Norton AV software, that anti-virus “is dead,” and “the era of AV-only is over.” Also see Anti-virus is dead – but ghosts get chased (SC Magazine, 2014). An overall program is needed, beginning with assessment. National Institute of Standards and Technology Creates Cybersecurity Standards Framework. You need to constantly monitor and remove malware and other artifacts of intrusions, such as back doors and software defects. The virus detection and removal process alone is complex, as the chart below indicates.

[Chart: response to a cyber attack]

An e-discovery business, especially one that includes effective cybersecurity, is simply too complex for most law firms or in-house law departments to run properly. Although I once met a lawyer who was a good businessman, most of us are not, which goes back to the core competency issue. E-discovery and cybersecurity are complex businesses, which, as lawyers, we are ill equipped to run. My advice to 98% of the lawyers and law firms in the world: stick to law and partner with the best experts in other fields that you can.

3. Cost Savings to Firm and Clients. Lit-Support departments, like any business, cost substantial sums of money to properly set up and operate. This is especially true if state of the art cybersecurity protocols and infrastructure are included. In my experience significant cybersecurity protection is almost never included in a law firm lit-support department. In fact, it is even rare in e-discovery vendors. The reason for that is simple. Cybersecurity is very difficult to do properly, and requires significant expenditures in infrastructure and experts. Before you hire an e-discovery vendor, be sure to include cybersecurity issues in your due diligence, including the vendor’s cyber-liability insurance.

Few law firms are willing to invest substantial resources in new technology for their Lit-Support Departments. Yet, unless they outsource and thereby eliminate this expense entirely, they have no choice. Outsourcing is a cost-effective solution to the dilemma of constantly changing technology and ever growing threats of data theft. If you continue to keep your e-discovery work in-house, you have no choice but to keep writing big checks for the latest technology. You cannot give your lawyers yesterday’s technology and expect them to keep up and compete in the world of e-discovery. Your lawyers, and most importantly, the clients they serve, need the cost-savings benefits of the latest technology and software, including my personal favorite, search and review software powered by predictive coding type search engines.

If you stay in-house, and hold your clients’ data, you also have no choice but to continue to pour hundreds of thousands of dollars, if not millions, into cybersecurity. Otherwise your clients’ data may be stolen by crackers. Cyber attacks are now a part of daily life – by a lone wolf, organized crime, and even governments, especially the Chinese (although some say the Russians are an even bigger threat). China Expands Cyber Spying (The Diplomat, 2014); Chinese Motivations for Corporate Espionage – A Historical Perspective (Mandiant, 2013). We live in very uncertain times. But one thing is certain: lose their data, lose the client.

Outsourcing is not the only solution to the technology change problem. You have a choice. You can get the latest tools, and keep your Lit-Support department business, if you decide to go all-in, instead of all-out like my law firm has done. You can spend more and more firm money to buy all of the latest toys for your lawyers and hire teams of cybersecurity experts. But, if you do that, you will have to pass those expenses on to the clients. Often the expenses charged by law firms to their clients for these non-legal services are far more than vendors. If you go all-out with one vendor like we did, you can leverage your mass buying power and negotiate a low rate for all of your clients who use that vendor. Outsourcing, if done right, can be win/win and result in cost savings for both law firms and their clients. It can also make your client’s data a whole lot more secure. That’s priceless.

_____________________

To be continued ….. Next week’s blog will complete this article. In the meantime, check out the many links in this blog, if you have not already. Also, please take a look at my newest website: eDiscoverySecurity.com.

Scientific Proof of Law’s Overreliance On Reason: The “Reasonable Man” is Dead, Long Live the Whole Man

January 19, 2014

The Reasonable Man on which the law is based is a fiction of our collective legal imagination. He does not exist. Never has, never will. We humans are much more complex than that. Although reasoning is important, it is only one of our many capacities, including imagination. Most of our decisions are not even based on reason. Quaint notions to the contrary from the 18th Century Age of Reason are out of touch with reality. They are contrary to what science today is telling us about how humans process information and reach decisions.

Scientific research shows that the cornerstone of the Law – Reasonability – is not solid granite as we had thought. There are no hard gears in our head, just soft, gelatinous, pinkish-beige matter. (Our brain is only soft grey matter when dead.) The ratiocination abilities of the brain are just one small part of its many incredible capacities. (For example, recent experiments at MIT have shown that we can identify images seen for as little as 13 milliseconds, 13/1,000ths of one second.) We are far more than just rational, and that is a good thing.

Going Beyond the Age of Enlightenment
Into the Modern Era of Science

This blog will offer proof that the Law’s Reasonable Man is dead. Then I will encourage the profession, starting with you dear readers, to transcend the mere rational. We all need to change our work to include more of our human capacities. This does not mean a return to the Dark Ages and the discovery of truth by torture and combat. It means following the inevitable dictates of the Age of Reason, that we be guided by the findings of science and objective, repeatable experiments, no matter how irrational these findings may at first seem. To refuse to accept the truth, no matter how different it is from your current beliefs, is itself an irrational carryover from the Dark Ages. We must boldly go where science and reason take us. The world is not flat and we are not governed by reason alone. We are far more than a thinking machine. We must open our eyes and see the truth. That is the true meaning of the Age of Enlightenment.

Science, based on reason and the experimental method, has taken Man beyond the rational, has shown the limitations of reason. Just as the evidence from physics experiments forced scientists to go beyond Newtonian Causality, and required them to embrace the seemingly irrational truth of Relativity and Quantum Mechanics, so too must the Law now evolve its thinking and procedures. As proof for this proposition in this blog I will proffer the testimony of one expert witness, a noted MIT and Duke University Psychologist and Behavioral Economist.

The Legal Profession Must Awaken from the Daydream of Rationality

My last blog, The Psychology of Law and Discovery, laid the foundation for the introduction of this evidence. I noted how law is based on the assumption that people make reasoned decisions and are capable of acting in a reasonable manner. I offered preliminary evidence that this assumption is contrary to the findings of research psychologists. I referred to a recent article by one such psychologist, Herb Roitblat, who is also an expert in legal search: The Schlemiel and the Schlimazel and the Psychology of Reasonableness (Jan. 10, 2014, LTN). I will now offer further, more detailed proof that humans do not act out of reason. I will do so by use of videotaped expert testimony of sorts. I will then argue that these findings require us to make fundamental reforms to our system of justice.

The consequences to the Law of the new experimental findings are profound. They raise many questions for which I have only a few preliminary answers. Many more questions will arise I am sure. This is much bigger than any one lawyer, or one or two blogs. The entire profession will have to awaken from the daydream of rationality. This is just the start of the discussion. We need to work together to change our system of justice to conform to the evidence of irrational behavior that science has uncovered.

This evidence is abundant. With only a little search I am sure you will find much more proof than I will now proffer. This is solid scientific evidence based on verifiable experiments. The evidence proves that our assumptions made in the law as to human reasonability, assumptions built centuries ago when the Age of Reason first began, are false assumptions. The evidence shows that the Reasonable Man is a legal fiction.

As Exhibit “A” to the assumption busting proposition I rely on the work of Dan Ariely, a Professor of Psychology and Behavioral Economics at Duke University. As an introduction to his work I offer a TED video of Professor Ariely: Are We In Control of Our Own Decisions? He refers to his many scientific experiments at MIT, then Duke, that show we are not in control of many of our own decisions, even seemingly simple ones. These experiments prove my point. Listen carefully.

Predictable Irrationality and Swearing on Bibles

Need more proof? Then please consider additional testimony from Professor Ariely on predictable irrationality. This discourse even mentions every e-discovery lawyer’s favorite company, Enron, and examines our basic moral code, our personal fudge factor. Dan has conducted many experiments on the all too human tendency to cheat and lie, if only just a little, and the moving grey line between acceptable and unacceptable behavior. This is the line that the Law is constantly asked to draw, and to evaluate. These psychological insights are important to all lawyers, especially discovery lawyers, of the “e” only type like me, or not. Again, please listen carefully and consider the implications of these findings on the Law.

One interesting finding from Professor Ariely’s scientific experiments on cheating, one that you can easily miss in the video (see around frame 8:15), even if you can see 77 frames per second, is that asking people to swear on a Bible significantly reduces cheating. This even works for atheists! I kid you not. Perhaps we should bring back the old tradition of requiring all witnesses to swear on a bible before beginning their testimony?

I have done this myself long ago when I was out taking depositions as a young lawyer. In the early eighties many court reporters in rural counties of Florida would still pull out a Bible before a deposition began (they all used to carry them around for that purpose, and yes, that was way before they started carrying around computers). The court reporter would then ask the deponent to raise their right hand and put their left hand on the Bible. All the witnesses I saw instantly complied, thinking erroneously that this was a legal requirement. They placed their hand on the Bible, some nervously, and some like they did that all the time, and then were asked to solemnly swear on the Bible that they would tell the truth, the whole truth and nothing but the truth so help me God. They did as asked by the serious court reporter, and some seemed pretty impressed by the whole ceremony. I recall that overall the testimony from these witnesses was pretty good.

Flying Spaghetti Monster

I only saw this done a few times, and, as a typical arrogant big city lawyer (yes, out in the rural areas where they were still doing this, they all thought of Orlando as a big city), I dismissed it as a quaint old custom. But now science shows that it works. Science shows that this quaint custom works, even for members of the Church of the Flying Spaghetti Monster.

What are the implications of these findings about human behavior? Maybe we should bring back Bibles into the court rooms? Or at least bring back a bunch of solemn oaths? If we do not require swearing on or to a Bible, due to Church and State, or whatever, then perhaps we should ask people giving testimony to swear on something else. Most anything seems to work, even if it does not really exist. Dan Ariely’s experiments found that it even worked to have MIT students swear on an honor code that didn’t exist. Maybe asking lawyers to swear on their ethics codes would work too? Maybe that is the reform in the procedural rules we should be pushing for, instead of Rule 37(e)? Maybe we should update Rule 603 of the Federal Rules of Evidence:

Before testifying, a witness must give an oath or affirmation to testify truthfully. It must be in a form designed to impress that duty on the witness’s conscience.

We need to work on forms designed to impress today’s savvy witnesses. Maybe bringing back Bibles will work for some, or something custom-fit to the particular witnesses. Who knows, for a chemist, it might be the periodic table. For others it might be a picture of their mother. Maybe the oath should be administered by prisoners in chains and mention the penalties of imprisonment for perjury. I think that would be pretty effective. Have you ever seen prisoners in chains up close in the court room? A few judges I know used to handcuff and shackle fathers who were delinquent in child support payments like that before their hearings. I am told it had a very sobering effect. Some experiments with this should be conducted because our current systems are not working very well. We rarely impress witnesses enough to awaken their latent conscience, much less our lawyers.

Maybe we should also amend Rule 26(g) to add swearing and a reference to ethics codes? Maybe stronger, more impressive oaths by lawyers signing 26(g) discovery requests and responses would work. Perhaps that would magically make more all too human lawyers start taking the requirements of the rules more seriously.

Maybe we should follow the British and make our judges wear fancier robes and make our lawyers and judges wear wigs? (One of Ariely’s experiments found clothing had an impact on honesty.) Let us build even more impressive court rooms while we are at it, and let’s not only say Your Honor, but how about Your Lordship too? Or Your Grace? Maybe all lawyers should start adding courtly formalities to their 26(f) conferences? I can just imagine defense attorneys beginning every one of their responsive statements with things like: “The right honorable attorney representing the plaintiffs in this proceeding has made a point with some validity, but …” Maybe that would motivate lawyer conduct that would in fact please the court?

Of course I jest, but Ariely’s work shows that irrational approaches have a better chance of success than appeals to abstract knowledge alone. Forget about using reason to appeal to lawyers to cooperate, we have all seen how far that gets us.

END OF PART ONE.
Part two will follow next Sunday. I swear.
