September 10, 2019

Last Updated on January 18, 2024

As I mentioned in Part 1 of this post, Pivot Point Security had the privilege of sponsoring and participating in the American Association of Justice Conference in San Diego a few weeks ago. Kudos to the AAJ team who put on the event—it was a great conference in a wonderful city. I spent a lot of time talking to “both sides of the aisle” at the convention, both the trial attorneys who litigate and the vendors that provide products and services to support their efforts. Interestingly, they both shared the same concern, but with a 180-degree twist:

  • Vendors are very concerned legal firms/trial attorneys they do business with are sending them a wealth of highly sensitive personal information (e.g., medical reports, financial data, SSNs, etc.) in very insecure ways (e.g., email, Dropbox).
  • Trial attorneys are very concerned that key vendors are sending them a wealth of highly sensitive personal information (e.g., medical reports, financial data, SSNs, etc.) in very insecure ways (e.g., email, Dropbox).

Houston, we have a problem…

In Part 1, I looked at this from the vendor side of the equation. I’ll cover it from the trial attorney/law firm perspective in this post.
This is probably a good time to point out that out of the thousands of attendees, I was likely the only pure information security person at the convention. I was there to learn a bit more about litigation as one of the law firms for which I am the Virtual Chief Information Security Officer (vCISO) does a significant amount of personal injury work.
Trial attorneys are committed to ensuring that all people—individuals, families, patients, workers and consumers—can seek justice in our nation’s courtrooms. In order to do so, they need to work with a very significant ecosystem of complimentary vendors to garner the diverse array of expertise they require (e.g., structured settlements, life care planning, accident reconstruction, case management software, expert witness, jury selection, medical illustrations, etc.). Because the expertise required to litigate different types of cases (e.g., marine, trucking, brain injury, nursing home, etc.) can be so specific, both the firms that litigate and the vendors that provides services are often smaller organizations (many are 50 people or less). That’s important because smaller companies often struggle with implementing robust information security practices, including managing the risk associated with vendors processing sensitive data (i.e., Vendor Risk Management).

View our free cybersecurity resources »

What can/should a small law firm do?

1. Acknowledge the issue. You are processing a ton of sensitive information and you have a responsibility to your firm and your clients to adequately protect it. With near daily breaches, regulatory agencies are increasingly mandating that responsibility. CCPA is the first of what will be a wave of new privacy regulations in the US. If you’re working closely with insurance firms, they may already be mandating certain security practices. The American Bar Association (ABA) is increasingly extending ethical guidance to include cybersecurity requirements (e.g., ABA Opinion 483). Embracing the “information security challenge” is a key step.
2. Understand its potential impact. Crap rolls uphill (contrary to popular belief). A security breach at a vendor that discloses a client’s data may impact a case and/or trigger notification laws. At around $200 per name, a breach that impacts the records of 500 individuals adds up to a cost of $100,000.
3. Develop a plan. The plan is going to be notably different for a 3-partner firm than for a 150-partner firm with other non Personal Injury Practices. If you are strapped for budget, you have options and should start with the basics. In rough order of priority, these are:

  1. Exchange all data in an encrypted format using a complex password (Word/Excel/Adobe Password protection is strong encryption). Share that password with your vendors using another communication channel (e.g., text or phone).
  2. Ensure your computers are patched regularly.
  3. Ensure you are running anti-virus/anti-malware on your computers.
  4. Use 2-factor authentication on every account possible (e.g., Office 365, Google Suite, banking, file transfer sites, etc.).
  5. Educate yourself on social engineering (e.g., phishing, vishing) and be exceptionally wary about opening emails without testing (download our 10 Tips for Detecting Phishing Emails infographic).
  6. Use a good online password manager and make all your online passwords different for each site, and also long (10+ characters).
  7. As your posture and/or budget advance beyond the above basic steps, take a look at our blog post on applying the 80/20 rule to information security. I’m a huge fan of the Pareto Principle and eliminating 80% of the risk with 20% of the effort.
  8. Implement a basic Vendor Risk Management program which ensures that key vendors handling sensitive litigation materials are following good fundamental security practices.

If you have requirements that go beyond our 80/20 recommendations, it’s often because of a client requirement, or a breach. In either case, you need a comprehensive approach to security. You have some good options:

  1. ISO-27001, which is the “gold standard for proving you are secure.” It’s especially relevant in the legal vertical. SOC 2 is a viable option as well, especially if you only have clients in the US.
  2. Less comprehensive options include the CIS Top 20, the Shared Assessment SCA, and the NCSF, although these are less frequently seen in the legal industry.

As you might imagine, the above plans are not meant to be “definitive,” as information security is a lot like medicine: “prescription without diagnosis is malpractice.” (And as this article is intended for firms that employ trial attorneys, I can’t be too careful!!!)
To the numerous trial attorneys I spoke with at the AAJ convention—thank you! I am smarter for the time you all gave “the information security guy.” Please feel free to reach out if you need some thoughts on an appropriate plan.
P.S. Next time you are in San Diego, be sure to swing by the Fall Brewing Company and have a Jinx Remover… an unusual and enjoyable combination, a dark lager aged in a bourbon barrel. I’ll be returning for another round.

CCPA Compliance Roadmap PDF

CCPA Compliance is achievable for anyone! It’s a process made up of things you things you may already be doing. Discover your path to CCPA compliance!