26 Feb 2019

I sat down with Alex Pearce of Ellis & Winters LLP, the current chair of the North Carolina Bar Association’s Privacy & Data Security Committee, to discuss the current trends he sees in security for lawyers.

PETRONELLA: What is the biggest threat to firms that already have cybersecurity systems in place?

PEARCE: One of the biggest threats is phishing. That’s because defending against that threat relies in large part on the vigilance of the employee as opposed to a firm’s investment in technological safeguards. For that reason, employee training on cybersecurity in general, and phishing, in particular, is critical. As part of that, companies are running phishing exercises on their employees. Law firms should consider that. To my mind, tricking someone into clicking on a phishing link as part of a training exercise is a great way to teach them a lesson that sticks.

PETRONELLA: Other than a failure to train employees properly, what are the two most common other vulnerabilities law firms face concerning cyber breaches other than going bare?

PEARCE: Two other common issues include not being careful with cloud storage and communications services; and failing to implement appropriate controls on the use of mobile devices. As to the first, our State Bar, and the state bars of several other states, have issued ethics opinions that outline the steps lawyers should take when using cloud services to store and transmit client information. As to the second, the rise of “BYOD” creates risks that I’m not sure all lawyers understand when it comes to the confidentiality and security of client information.

PETRONELLA: What does the landscape look like for cyber threats to law firms?

PEARCE: For some time I think law firms have been identified by cybercriminals as a “soft underbelly” of corporate America. Criminals have figured out that law firms tend to be places where sensitive, high-value information is collected in one place, and some law firms, historically, have been behind the curve in terms of cybersecurity. I think law firms are getting better about this, but the fact remains that law firms are targets, like any other business that handles valuable information.

PETRONELLA: How about firms that don’t have cybersecurity because they don’t know where to start, who to ask, or what to ask?

PEARCE: There are plenty of good resources out there that provide basic steps to shore up security. They aren’t specific to law firms, but a few that come to mind are the Center for Internet Security’s Critical Security Controls and the Federal Trade Commission publication “Start with Security: A Guide for Business.” Professional liability insurers can also be a good resource in this area. They often make information on this topic available to their insureds.

PETRONELLA: What’s your guidance for attorneys who say, “I’m not making enough to pay my electric bill, why should I spend money I don’t have on cybersecurity?”

PEARCE: There are obviously lots of reasons why attorneys need to pay attention to cybersecurity. But for folks who might be inclined to think it’s not a high priority, I’d point them to the increasing attention being paid to this issue by our state bar and other ethics authorities. The rules of professional responsibility and several recent ethics opinions make clear that the ethical duties of competence and confidentiality include an obligation to use reasonable efforts to prevent unauthorized access to client information.

PETRONELLA: A few liability insurance experts told us that some firms would rather go bare, declare bankruptcy and re-organize in the event of a major breach. Good idea? Bad idea?

PEARCE: Terrible idea. This strategy does not account for the ethical obligations that lawyers have to protect client information, nor for the consequences to a lawyer’s reputation of a breach that happens because the lawyer hasn’t done anything to protect that information.

PETRONELLA: What are some of the minimum standards set by the ABA and the state bar?

PEARCE: The ABA’s formal ethics opinion on Securing Communication of Protected Client Information provides a high-level framework for evaluating and addressing cybersecurity threats—I’d highly recommend that folks familiarize themselves with that opinion. Beyond that, the ABA and our State Bar don’t set forth specific “minimum standards” for cybersecurity per se. Rather, they require lawyers to take “reasonable” measures to protect client information. What’s reasonable can vary, depending on the circumstances, but the point is that lawyers have to think about the information they handle and the specific risks that they face, and then to tailor their security program accordingly using a risk-based analysis.

Originally on https://attorneyatlawmagazine.com/ncba-privacy-data-security-committee
