Articles

Excerpt: We always look forward to the ABA Legal Technology Resource Center’s Annual Legal Technology Survey Report on the use of technology in the legal profession. The summary of the “Marketing and Communication” portion of the 2019 survey was recently published. It was written by our good friend Allison Shields and contains some fascinating (and worrisome) statistics.

Respondents to the 2019 Survey segment covering websites and law firm marketing were mostly solos or from smaller firms, consisting of 27% solos, 29% lawyers in firms of 2-9 lawyers, 18% from firms of 10-49 lawyers, 11% from firms of between 100-499 lawyers, 10% from firms with 500+ lawyers, and 5% from firms with 50-99 lawyers. The average age of respondents was 58 years old, with 55% of respondents identifying as 60+ years old, and another 24% between 50-59 years old. Wow, the graying of the profession is noteworthy – or do younger lawyers not participate in surveys?

Read the entire article here.

Excerpt:

WHY DO ONLY 25% OF LAW FIRMS HAVE INCIDENT RESPONSE PLANS?

One of the most striking findings of the ABA’s 2018 Legal Technology Survey Report was that only 25% of law firms had an Incident Response Plan (IRP). In a world struggling daily against cyber incidents and data breaches, that is a piteous statistic. We don’t know why so many law firm fail to create incident response plans, but it is time to come to grips with the necessity of having an Incident Response Plan. The last time we focused on this subject in an article was in 2015. It is definitely time to revisit the topic and issue a rallying cry for the adoption of IRPs.

Read the entire article here. Incident Response Plans Come of Age

Excerpt: In our line of work, we see a lot of law firms who have been breached. “Headless Chicken Mode” is our name for the reaction of those who have not prepared for a breach – they have no incident response plan. They run in circles, hysterical, with no idea what to do. Sadly, there are a lot of law firms without an incident response plan –a 2018 study by IBM Resilient and the Ponemon Institute revealed that half of all organizations described their incident response plans as informal, ad hoc, or completely non-existent.

Today, for law firms, not having a formal incident response plan is inexcusable – and unethical under these new opinions. With respect to cyberattacks, our own experience has shown:

• The faster you catch a cyberattack, the less it will cost you and the faster you can recover.
• You are no stronger than your weakest link (usually your employees).
• With a good incident response plan, preparation is 2/3 of the effort, and the remaining 1/3 is solving the problems when an attack occurs.

Read the entire article here.

We understand why lawyers have cybersecurity paralysis. They don’t understand cybersecurity, experts disagree on the best steps to take, the majority of cybersecurity measures involve spending time and money – and to top it off, the threats and defenses against those threats change daily. Here’s a brief roadmap to where you should be going.

By the Numbers: Where We Stand Today
Thanks to the ABA’s 2018 Legal Technology Survey Report, we have some solid numbers to ponder as we construct our roadmap. Looking strictly at the big picture statistics, these were the ones we found most significant.

• 23% of respondents reported that their firm had been breached at some point.
• Of those reporting that they had been breached, the percentage breached generally increased with firm size until you got to large firms – 14% were solos, 24% for firms with 2-9 and 20-49 attorneys, 42% with 50-99 attorneys, and 31% with 100+ attorneys.
• 60% reported that their firms had not experienced a data breach. It is important to note that it is extremely possible that many firms experienced a breach and never detected it.
• 9% of those breached notified clients and 14% notified law enforcement.
• Of those breached, 41% reported downtime/loss of billable hours, 40% reported consulting fees for remediation of the problems, 11% reported loss or destruction of files, and 27% reported replacement of hardware/software.
• 40% reported experiencing an infection with viruses/malware/spyware, with the greater number occurring in firms with 2-49 attorneys and the lowest in firms with 500+ attorneys.
• 34% reported having cyberinsurance coverage (the percentage is growing, but slowly).
• 24% reported using full-drive encryption, a low number in these days.
• 29% reported using encryption of email for confidential/privileged data sent to clients.

Without bombarding you with numbers, the smaller the firm, the less likely it was to have a policy covering document retention, acceptable computer use, remote access, social media, personal technology use and employee privacy.

Read the entire article here.

Excerpt: The Electronic Frontier Foundation (EFF) announced on May 20th that it had launched TOSsed Out, a new iteration of EFF’s continuing work in tracking and documenting the ways that Terms of Service (TOS) and other speech moderating rules are unevenly applied to people by online services. Sometimes, posts are deleted. Sometimes accounts are banned. For many people, the internet represents an irreplaceable forum to express their ideas, communicate with others, etc.

We have long been fans of the EFF and were delighted to hear that cybersecurity guru Bruce Schneier is leaving IBM, in part to focus on teaching cybersecurity to the next generation but in part to focus on his role as a public interest cybersecurity specialist. Since he is already on the board of the EFF, he is in a great position to be of help.

But back to TOSsed Out, which follows in the path of Onlinecensorship.org, which EFF launched in 2014 to collect reports from users in an effort to encourage social media companies to operate with greater transparency and accountability as they regulate speech. TOSsed Out will focus on the ways that people are negatively affected by these rules and their erratic enforcement.

Commercial content moderation practices negatively affects lots of folks, especially people who are marginalized. This includes black women who share their experiences of racism to sex educators whose content is deemed too explicit. TOSsed Out’s mission is to show that trying to censor social media ends up removing legal, protected speech.

Read the entire article here.

Excerpt: “We don’t believe in digital marketing. We believe in marketing in a digital world.” – Clive Sirkin, CMO of Kimberly Clark

And a digital world it is. We live in a world where three year olds have their own tablets (and operate them quite expertly, thank you very much) and people can work on a project across the globe from their kitchen table in their pajamas. While it is an exciting time, it is also a very challenging time to reach people and to stand out effectively in the crowd. Understanding Mr. Sirkin’s quote is a great first step. The basics of marketing have not changed (networking, creating/maintaining client relationships, word of mouth, etc), but the world in which we market has. It’s a fast-paced, ever-evolving digital world and lawyers must stay vigilant, educated, creative, and honest to stay in the game.

Read the entire article here.

Excerpt: There are thousands of stories of lawyers who ill-advisedly purchased technology or technology services. Let’s start with one such story – starring a very successful and highly respected lawyer who we will dub “Joe.”

Joe noted correctly that his website traffic was falling off a bit and determined that he would find a new website designer who could redo his site and take care of his search engine optimization (SEO). Off he went to a legal conference in Florida where he ran into a very personable salesman who worked for a website design/SEO company.

The salesman promised him the sun, the moon and the stars. Joe knew nothing about website design or SEO, but he really liked this fellow and he believed his promises. He signed an expensive contract and waited. It wasn’t long before his website, which had declined in Google searches under the previous vendor, absolutely hit rock bottom. Joe was losing the steady stream of clients previously provided by his website. Though we never investigated the reason, we suspect that “black hat” SEO may have been used – and that Google (which scans for prohibited SEO tactics) therefore punished Joe’s firm by dropping him in its rankings.

That’s when we got a call. Joe knew we didn’t do website design/SEO, but he knew we had a lot of knowledge about it. And by this time, his law firm was really suffering. So he contracted for a few hours of consulting work to locate a local firm (outsourcing to India for these services is usually a really bad idea).

We knew of a good local web design firm known for high quality SEO which had previously done such work for a number of law firms. We set a meeting with Joe and the web design company and attended the meeting as well. Why? We were there to ask the hard questions, to understand the technology being employed, to nail down the pricing and services offered and (always important) to act as a bulls*** filter.

The meeting went well. The firm made good on its promises and Joe’s website began soaring in the Google rankings. His stream of clients from the website increased steadily – and Joe was soon looking for new lawyers.

Read the entire article here.

Excerpt: As many readers know, we lecture a lot. A whole lot. So we thought it might be interesting to relate the questions we have been asked most often in the past several months. Always fascinating to see what is “top of mind” at conferences and CLEs.

“I’ve been thinking about cybersecurity – what’s most important? A security assessment, penetration testing or employee training?”

Well . . . let’s start with penetration testing. For most solo/small law firms, this is probably overkill unless you have major league clients or extremely high value data. In pen testing, you are asking a company to pretend they are the “bad guys” and attack you – it is scary stuff, and tends to be expensive. The company will generally require a “get out of jail” free agreement, saying that they are not liable for any damages resulting from a successful compromises of your network.

A security assessment (sometimes also called an audit) is far less expensive. The assessment is usually done using software tools and involves a thorough review of your network. The result is generally a report identifying your critical vulnerabilities, medium-level vulnerabilities and low-level vulnerabilities. As a rule, it tends to come with a proposal for (at least) remediating the critical vulnerabilities along with the estimated cost. We believe it is wise to do these assessments, using a certified third party cybersecurity company, annually. Many clients and cyberinsurance companies are beginning to require these assessments as well.

There is no getting around the absolute need for annual employee cybersecurity training. It is generally fairly inexpensive and covers the basics of current threats and how to avoid such things as clicking on suspicious links/attachments, going to sketchy websites, giving information over the phone (duped by social engineering), and many other easy-to-make mistakes. A solid hour of good training each year is a small price to pay for educating your employees and creating a culture of cybersecurity.

Read the entire article here.

Excerpt:
Background
Every year the American Bar Association sends out a survey to tens of thousands of attorneys requesting information about several area. The 2018 survey contained six questionnaires covering the following:

1. Technology Basics & Security
2. Law Office Technology
3. Online Research
4. Marketing & Communication Technology
5. Litigation Technology & E-Discovery
6. Mobile Lawyers

The complete survey is available for purchase from the ABA at https://www.americanbar.org/products/inv/book/353335439/. It’s not cheap, but packed with useful information. We’ll cover a few of the highlights here. Each volume is available separately, but you’ll need the complete publication to appreciate all the technology that lawyers use and the trends for the legal profession.

Read the entire article here.

Excerpt: Hacking can indeed be a passion, proving that you can outfox governments and big league corporations. The thrill of the chase can be addictive – and the addiction is fueled by the monies to be made.

Breaches come in many variants, far too many to cover in a single article. But there is a general flow to a breach. Since we make a living investigating breaches and remediating the vulnerabilities that caused them, let us take you on an anatomical tour of a typical breach, highlighting some of the common elements.

To make the reading more fun, we have offered up “quotes” from the players typically involved in a breach. Many are taken from real-life incidents.

Read the entire article here.