A Troubling Observation from the American Association of Justice Annual Convention, Part 1

Last Updated on January 18, 2024

Pivot Point Security had the privilege of sponsoring and participating in the American Association of Justice Conference in San Diego a few short weeks ago.  Kudos to the AAJ team who put on the event—it was a great conference in a wonderful city. I spent a lot of time talking to “both sides of the aisle” at the convention, both the trial attorneys who litigate and the vendors that provide products and services to support their efforts.  Interestingly, they both shared the same concern, but with a 180-degree twist:

• Vendors are very concerned that the legal firms/trial attorneys they do business with are sending them a wealth of highly sensitive personal information (e.g., medical reports, financial data, SSNs, etc.) in very insecure ways (e.g., email, Dropbox).

• Trial attorneys are very concerned that key vendors are sending them a wealth of highly sensitive personal information (e.g., medical reports, financial data, SSNs, etc.) in very insecure ways (e.g., email, Dropbox).

Houston, we have a problem…
In this blog post, I am going to attack this issue from the vendor side of the equation. I’ll cover it from the trial attorney/law firm perspective in Part 2.
This is probably a good time to point out that out of the thousands of attendees, I was likely the only pure information security person at the convention. I was there to learn a bit more about litigation as one of the law firms for which I am the Virtual Chief Information Security Officer (vCISO) does a significant amount of personal injury work.

Trial attorneys are committed to ensuring that all people—individuals, families, patients, workers and consumers—can seek justice in our nation’s courtrooms. In order to do so, a very significant ecosystem of complimentary vendors has evolved to provide a diverse array of expertise on demand (e.g., structured settlements, life care planning, accident reconstruction, case management software, expert witness, jury selection, medical illustrations, etc.).
Because the expertise required to litigate different types of cases (e.g., marine, trucking, brain injury, nursing home, etc.) can be so specific, both the firms that litigate and the vendors that provides services are often smaller organizations (many are 50 people or less). That’s important because smaller companies often struggle with implementing robust information security practices because of the cost and challenge of hiring/retaining the necessary personnel and expertise to do so.
So what can/should a vendor to the Trial Attorney industry do?
1. Acknowledge the issue. You are processing a ton of sensitive information and you have a responsibility to your organization, your clients, and the plaintiffs to adequately protect it. With near daily breaches, regulatory agencies are increasingly mandating that responsibility. CCPA is the first of what will be a wave of new privacy regulations in the US. If you’re providing structured settlements or other insurance related services, you may already be encumbered by several state laws mandating your security controls (e.g., NYS DFS Part 500). The American Bar Association (ABA) is increasingly extending ethical guidance to include cybersecurity requirements (e.g., ABA 483). Law firms are also subject to client contractual obligations around information security. Embracing the “information security” challenge is a key step.
2. Understand its potential impact. Crap rolls downhill. Several of the vendors I spoke to have noticed an uptick in information security requirements in contracts and security questionnaires that need to be answered before work can be performed. As law firms implement privacy programs, vendors will be seeing Data Privacy Addendums (DPA) to contracts that will require you to meet their privacy requirements.
Apologies in advance, as that questionnaire and DPA request might have my name on the bottom or one of my colleagues at PPS as we work in 60+ law firms.
One last thing to consider is the impact of a data breach at your organization. At around $200 per name, a breach that impacts the records of 1,000 individuals adds up to a cost of $200,000.
3. Develop a plan. The plan is going to be notably different for a 3-person medical illustration firm than for a 100-person Case Management SaaS provider or a 500-person provider of annuities.
If you are strapped for budget, you have options and it starts with the basics. In rough order of priority, these are:

1. Exchange all data in an encrypted (Word/Excel/Adobe Password protection is strong encryption) format using a complex password.  Share that password with your client using another communication channel (e.g., text or phone).
2. Ensure your computers are patched regularly.
3. Ensure you are running anti-virus/anti-malware on your computers.
4. Use 2-factor authentication on every account possible (e.g., Office 365, G Suite, banking, file transfer sites, etc.)
5. Educate yourself on social engineering (e.g., phishing, vishing) and be exceptionally wary about opening emails without testing (download our 10 Tips for Detecting Phishing Emails infographic)
6. Use a good online password manager and make all of your online passwords different for each site, and also long (10+ characters)
7. As your posture and/or budget advance beyond the above basic steps, take a look at our blog post on applying the 80/20 rule to information security. I’m a huge fan of the Pareto Principle and eliminating 80% of the risk with 20% of the effort.
8. If you have requirements that go beyond our 80/20 recommendations, it’s often because of a client requirement, or a breach. In either case, you need a comprehensive approach to security. You have some good options:
   • ISO-27001 which is the “gold standard for proving you are secure.” It’s especially relevant in the legal vertical; SOC2 is a viable option as well, especially if you only have clients in the US.
   • OWASP ASVS is the gold standard if you are a Software-as-a-Service (SaaS) provider and you need to prove your application is secure. This option might be considered instead of or in addition to ISO-27001.
   • Other less comprehensive options include the CIS Top 20, the Shared Assessment SCA, and the NCSF, although these are less frequently seen in the legal industry.

As you might imagine, the above plans are not meant to be “definitive,” as information security is a lot like medicine: “prescription without diagnosis is malpractice.” (And as this article is intended for folks who know a lot of trial attorneys, I can’t be too careful!!!)
To the numerous vendors I spoke with at the AAJ convention—thank you! I am smarter for the time you all gave “the information security guy.” Please feel free to reach out if you need some thoughts on an appropriate plan.
P.S. Next time you are in San Diego, be sure to swing by the Belching Beaver Brewery and have a Peanut Butter Milk Stout… So good…