At the Legal Executive Institute’s 5th Annual Law Firm CFO/CIO/COO Forum, held last week in New York, law firm leaders, corporate counsel and cybersecurity experts gathered to discuss one of the most potentially impactful—and frankly, scary—problems that law firms face: cybersecurity breaches and the loss of firm and client data. We spoke to Behrooz Shariati, General Counsel of Segway, about how to protect your company and, most importantly, how to motivate your law firms to enact similar safeguards.
LEI: Let me ask you about how Segway approaches a law firm or vendor in regards to its cybersecurity protections. How do you convey to them that you need certain standards of cybersecurity to be met?
Shariati: It’s basically in the retention process. We work with a lot of firms over and over again. Once we work with a firm, then they know our requirements. But with a new firm, in the retention process, we have to review their data storage practices and how they handle the data and their personnel that handle data.
I don’t want to generalize too much, but I think, in my experience, the younger associates tend to be more comfortable with email and I don’t think they really give the security aspect of it much thought. Obviously, they’re lawyers, so they’re very well educated and they’re very smart people, but this is a discipline like anything else. The more worrying aspect is that they think of text messages or instant messaging as the same as talking. They don’t think of it as leaving a record, which is not true. There’s a record.
LEI: In your panel, you spoke of the cybersecurity concerns of mobile devices and cloud technology. How different of a problem does that present than standard cybersecurity?
Shariati: There are fundamental differences between desktop technology that firms generally use and mobile technology. Your desktop can only show that you’re sitting in your office, but if you’re an M&A lawyer, for example, and you happen to be in the offices of Acme Inc. in Allentown, Pennsylvania, and someone can figure that out… then, they can determine that you’re in Allentown and maybe talking to a client about buying ABC Steel or whatever. That’s a fundamentally different thing.
Another thing about mobile technology is these are very, very personal devices. I use it for my personal use, communicating with my family, for looking things up—the relationship I have with this device is extremely different than the relationship I have with my desktop at the office.
LEI: How do you feel the law firm community is viewing this? Is this something they’re taking more seriously?
Shariati: I think the law firm community is concerned about what the clients are concerned about. Depending on how long they’ve been practicing, some lawyers would prefer to not have email at all—have just personal email, but not business email and things like that. But when I was in a law firm, we had to be responsive to our clients. We couldn’t be Luddites.
But the law firms—and I don’t want to speak for all of them—but the ones that I’ve had experience with… let’s just say, they’re not trail-blazers. They trail, but they’re not trail-blazers. The clients can push them, but they move very slowly and very cautiously into new technologies. The whole debate around cloud storage is one example. Cloud storage is actually far more secure than doing e-discovery with an outside vendor, but they don’t think of it that way.
So, right now, much of law firms’ commitment to cybersecurity is really being driven by the client and the kinds of matters that the firms are handling. That’s where the progress is going to come from. The law firms are not going to move on their own because generally, as far as I know, there hasn’t been any major breach of a law firm that’s become known.
LEI: Of course, as we learned at the Forum, law firms, unlike public companies or government agencies, are not required to disclose data breaches.
Shariati: Still, CTOs and CIOs talk to each other. In the years that I was practicing law in large law firms, it was not even whispered about that so-and-so was breached, so I would like to think that it’s pretty rare. Plus, if some law offices were catching fire, you’d think they’d be putting sprinklers in, but if there’s no actual perceived risk or a competitive disadvantage, they’re going to be reluctant to spend the money on doing whatever it is…
LEI: Unless a client pushes them.
Shariati: Exactly. If a client comes in and says, “I’m not going to give you this case, unless you have these cyber-protections in place.” And this has happened. We did work for various well-known Silicon Valley companies, and they basically said, “We need email encryption. We need this. We need that.”
The prospect of gaining a big case, and the revenue involved for such a case, can push firms to spend the money putting together whatever protections the client may need. Unfortunately, it has to be a compelling business reason and it has to be a client-driven process. I think the law firms on their own will not embrace the new technology.