We recently posted a legal Q&A after two New York Times articles sparked an interesting discussion about data security measures at law firms. Zix General Counsel Jim Brashear often contributes and speaks on the significant need for data protection in the legal community, and he served as our Q&A expert.
During the discussion, Jim provided responses regarding the hurdles law firms face in implementing additional data security measures, how those hurdles could be avoided and who determines when a law firm’s data security measures are adequate. After the post, he received some interesting follow-up questions. Here are his responses:
What types of law practices are likely to implement additional data protection?
Law practices that serve clients who have heightened sensitivity and demand additional data security are most likely to take additional measures. Those clients include:
• Companies working in industries that are targets of commercial espionage, such as energy and technology
• Businesses with commercial trade secrets
• Companies that have already been victimized by hackers who gained entry through an outside vendor’s or consultant’s systems
• Organizations subject to privacy regulations, such as HIPAA for healthcare clients and GLBA for financial services clients
For legal professionals just getting into data security solutions, where should they start?
The ABA’s Legal Technology Resource Center has some good information. The ABA Cybersecurity Task Force has published the ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals. There are also some good data security consulting firms who have practices that focus on the special needs of law firms.
What other industries are next in facing similar data security pressures?
Any third-party service providers that have access to their clients’ confidential information may face similar pressures. Examples include accountants, auditors, investment bankers, consultants and outside directors. These providers may become targets because data thieves have learned to use a weaker point of access to acquire sensitive data.
For example, recent large data breaches resulted from lateral entry through a vendor that had access to a client’s network. Other breaches resulted from malware in spear-phishing email that appeared to come from a trusted vendor. But the thieves may not need to penetrate the client’s network if the data they seek is stored within a service vendor’s servers or if it can be intercepted in transmission between the client and their outside service providers. That can occur when a man-in-the-middle attack spoofs a vendor’s DNS server.
Have an additional question for Jim? Comment on our post or contact him through Twitter at @jfbrashear.