
Where Is the Digital-Age Sweet Spot Between Business Growth and Data Security?

By Sanjiv Bawa
May 02, 2017

“The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had.” — Eric Schmidt

Eric Schmidt is trying to upset us. And his thought here warrants close attention because as a software engineer and the CEO of Alphabet (Google), he arguably understands the Internet about as well as anyone on planet Earth. It's a probe that does for the Internet what Marshall McLuhan's famous probes did for television in the 1960s: it shakes us up.

McLuhan used his probes to remove the blinders from our narrow, naïve thinking about electronic media so we could see where they were actually taking us: toward the electronically connected global village that we inhabit today.

Schmidt's probe does likewise for the Internet, with the difference that his vision is markedly darker than McLuhan's. It dispels once and for all the puffed-up and endlessly marketed notion of the Internet as an unmitigated blessing for humanity. It nudges us to look past all this hype so we can see the Internet for what it is: a mixed blessing at best, replete with promise and fraught with peril for humanity.

That's not an easy task. Most people feel uncomfortable being nudged in this way. Perhaps law firms especially.

But there's a reason why law firms might be prone to neglecting the Internet's downside. This has to do with the hyper-competitiveness of all business today — the relentless drive for business growth that's being fueled (of all things) by the Internet. In this heady atmosphere, law firms risk succumbing to the temptation — indeed, the seeming necessity — to exploit to the hilt the Internet's huge upside — its massive growth and profit potential — while neglecting its huge downside: its immense threats to data security.

For law firms, such neglect is exceedingly consequential, for it puts at risk core principles and capabilities that make possible the very practice of law. These include the fundamental tenet of attorney/client privilege and the indispensable ability to conduct sensitive M&A negotiations in absolute confidence.

Dilemma: Growth or Security?

To put it mildly, a dilemma arises here. And there arises also a challenge that may be put this way: In a digital age, does there exist a sweet spot between business growth and cybersecurity? A valid answer to this question requires, first, an awareness of the actual consequences of lax cybersecurity.

On this score we need look no farther than to the 2016 hacking of partner emails — specifically, a number of spear-phishing attacks — that led to the enormous data breaches of the elite New York firms of Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP. The stakes could hardly have been higher, for these firms, as the Wall Street Journal said, represent “Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations.”

Seven gigabytes of data were stolen. That's enough for tens or even hundreds of thousands of emails.

The three Chinese hackers recently charged with the hacks were smart. As targets, they chose partners whose practice areas included mergers and acquisitions and intellectual property.

The Chinese hackers are charged with using hacked data to make $4 million in profits from insider trading. That's bad. Worse yet is the possibility of hackers kidnapping M&A and intellectual property data and holding it hostage for huge ransoms. The worst-case possibility, as Fortune magazine reports, is that “the breach [of Cravath and Weil, Gotshal] took place as part of a larger initiative by the Chinese government.” See, http://for.tn/2pMY2W0.

Are Law Firms Taking Threats Seriously Enough?

So then, what's to stop breaches like these from occurring in 2017? Not nearly enough. In today's digital world there exist dozens of groups of expert hackers, be they Chinese or Russian, state agents, trained professionals or self-educated teens, that are entirely capable of doing to other firms what the Chinese hackers did to Cravath and Weil Gotshal.

And there exist dozens of law firms — including BigLaw firms — that aren't taking these hacker groups seriously enough.

At times, the legal profession's disregard of cybersecurity can be stunning. To take just one instance: the American Bar Association's 2015 Legal Technology Survey Report finds that nearly 40% of lawyers in the U.S. are using public Wi-Fi to access client data, but only 22% are using an encrypted connection.

All this raises the question of the actual state of law firm cybersecurity today. Several years ago, Jody R. Westby of the American Bar Association observed that “law firms have never been very good with technology, and now they are struggling, as breaches in firms have made headlines and clients increasingly are asking questions about their security programs.” “Cybersecurity and Law Firms: A Business Risk,” Law Practice Magazine, Vol. 39, No. 4. Demand for data protection came, notably, from clients, not attorneys.

Recently, the 2016 Novitex and Association of Legal Administrators' (ALA) Report documented the extent of this neglect today. Based on a survey of hundreds of firms worldwide, the report found that “… law firms across the globe [are] primarily concerned with bolstering their business operations and financial viability above all else.”

The Report went on to say that “Only 8.4[%] of [800] firms [surveyed] were most concerned with reducing cybersecurity risk, compared to 7.8[%] of firms concerned with improving workflows. Around half of those (4.1[%]) were also primarily focused on upgrading their technologies.”

These findings are alarming. In the long run, priorities like these are invitations to trouble. There's a mantra going around these days that cybersecurity in a digital world isn't an IT problem, but a business problem. It's the right mindset, and it points the way to the sweet spot of data security as an actual driver of business growth.

Law Firm Response

Now let's see how law firms can strengthen their cybersecurity practices.

Belatedly, the legal profession is responding to market demand for data safety. Belatedly. Consider the ILTA Technology Review graphic of 2012:

[Graphic: ILTA Technology Review, 2012]

As abysmal as these numbers are, what matters for our purposes here is the eight activities they measure. As an IT professional whose job it is to protect Chi Networks' customers from the downside of Internet anarchy, I see the need for these eight activities, in more comprehensive versions of them, to be as familiar to all members of a business as the rules of the road are to drivers. That's saying a lot. But in the digital world, computer security should be second nature.

My own updated and more comprehensive list of eight focal points for business protection looks like this:

  1. Emails. For emails, end-to-end encryption is the gold standard. But it requires both ends — your end and, say, your client's end — to be encrypted. In any event, use a provider that supports strong encryption. If you host your own emails, use encryption software.
  2. For passwords, use two-factor authentication. Require employees to use a modern password manager that can create complex passwords, change passwords automatically and show you how to improve password security.
  3. Require employees to use only firm-approved mobile (BYOD) phones. Have your IT staff partition BYOD phones into separate encrypted compartments that securely wall off company from personal data. At my company, Chi Networks, we call this the Work Wall.
  4. Secure computers with firewalls and virus protection. Keep operating systems and software up to date.
  5. Ensure employee mastery of company cybersecurity policies. Update them based on the findings of periodic risk assessments.
  6. Implement ongoing, firm-wide employee education on the latest cyber threats. By trial and error, create learning environments — group sessions, fun contests with prizes, self-paced individual tests, one-on-one interactions with IT staff — that work best for your employees.
  7. Have penetration tests on your IT system conducted by outside firms or your own security team. Hack yourself before someone else does, then fix the hacks.
  8. Conduct regular practice drills testing everyone's ability to respond correctly in the event of an actual data breach.

So, will these eight steps, effectively implemented, make cybersecurity second nature for your colleagues? They won't. But they are solid steps in the right direction.

Conclusion

Eric Schmidt has it right. The Internet is an experiment in anarchy. It's taking humanity deeply and inexorably into a brave (and dangerous) new world of creative disruption on a global scale. That much we know for certain.

This awareness gives the legal profession in particular, as a primary guarantor of societal order, the responsibility of ensuring that data security becomes an actual driver of business growth. There's your sweet spot. If these words don't strike a chord, maybe six others will: Cravath Swaine & Moore, Weil Gotshal & Manges.

*****
Sanjiv Bawa is the CEO & founder of Chi Networks in Chicago. This article originally appeared in Corporate Counsel, an ALM sibling of Internet Law & Strategy.
