In this episode of The Geek in Review podcast, host Marlene Gebauer and co-host Greg Lambert discuss cybersecurity challenges with guests Jordan Ellington, founder of SessionGuardian, Oren Leib, Vice President of Growth and Partnership at SessionGuardian, and Trisha Sircar, partner and chief privacy officer at Katten Muchin Rosenman LLP.
Ellington explains that the impetus for creating SessionGuardian came from working with a law firm to secure their work with eDiscovery vendors and contract attorney staffing agencies. The goal was to standardize security practices across vendors. Ellington realized the technology could provide secure access to sensitive information from anywhere. SessionGuardian uses facial recognition to verify a user’s identity remotely.
Leib discusses some alarming cybersecurity statistics, including a 7% weekly increase in global cyber attacks and the fact that law firms and insurance companies face over 1,200 attacks per week on average. Leib notes SessionGuardian’s solution addresses risks beyond eDiscovery and source code review, including data breach response, M&A due diligence, and outsourced call centers. Recently, a major North American bank told Leib that 10 of their last breach incidents were caused by unauthorized photography of sensitive data.
Sircar says law firms’ top challenges are employee issues, data retention problems, physical security risks, and insider threats. Regulations address real-world issues but can be difficult for global firms to navigate. Certifications show a firm’s commitment to security but continuous monitoring and updating of practices is key. When negotiating with vendors, Sircar recommends considering cyber liability insurance, audit rights, data breach responsibility, and limitations of liability.
Looking ahead, Sircar sees employee education as an ongoing priority, along with the ethical use of AI. Ellington expects AI will be used for increasingly sophisticated phishing and impersonation attacks, requiring better verification of individuals’ identities. Leib says attorneys must take responsibility for cyber defenses, not just rely on engineers. He announces SessionGuardian will offer free CLE courses on cybersecurity awareness and compliance.
The episode highlights how employee errors and AI threats are intensifying even as remote and hybrid work become standard. Firms should look beyond check-the-box compliance to make privacy and security central in their culture. Technology like facial recognition and continuous monitoring helps address risks, but people of all roles must develop competence and vigilance. Overall, keeping client data secure requires an integrated and ever-evolving approach across departments and service providers. Strong terms in vendor agreements and verifying partners’ practices are also key.
Marlene Gebauer 0:07
Welcome to The Geek in Review. The podcast focused on innovative and creative ideas in the legal profession. I’m Marlene Gebauer,
Greg Lambert 0:14
And I’m Greg Lambert and I have been playing over the past couple of days with the new meta Twitter clone called Threads and so far it’s not too bad it’s it’s pretty simple but I think that’s probably the best way out of the box there. So Marlene, I don’t think you’ve joined in yet..
Marlene Gebauer 0:37
Not yet, but soon. Yep, yep, well do. We have an episode today that isn’t about Large Language Models and Gen AI. Believe it or not, it’s still about data. But today we’re focusing on how firms can do the best job possible to protect theirs and their clients. Law firms spend a great deal of time and money on security measures. They invest a lot of certification establishment a proper protocol and training. But as we see in the headlines, even all this may not be enough. And April both TechCrunch and Bloomberg Law reported that Proskauer Rose exposed client m&a data for six months, because a vendor they used to create an Information Portal on a third party cloud based storage platform failed to properly secure it.
Greg Lambert 1:21
Yeah, and I think there was actually another Bloomberg article that came out last night that expanded that to a to a third firm. But you know, if you think this is just a risk of doing business in our you know, this high tech world that we live in a you would be wrong. There are services and technologies that can even you know further reduce the risk by monitoring and preventing such errors. And our guests today are going to speak about it. So we would like to welcome Jordan Ellington, founder of SessionGuardian, Oren Leib, Vice President of growth and partnership there at SessionGuardian. And Trisha Sircar, partner and CO Privacy Officer at Katten. We’d like to welcome you all to the show. So Jordan, Oren, and Trisha, welcome to The Geek in Review.
Jordan Ellington 2:09
Oren Leib 2:10
Thank you. Nice to be here.
Marlene Gebauer 2:12
Jordan, can you tell our listeners a bit about yourself and how you came to develop SessionGuardian.
Jordan Ellington 2:17
So my career started in the early 90s at Weil, Gotshal in New York, and continued for the last for the next 30 years, focusing on what I call secure document collaboration systems. This basically sharing sensitive documents on extra debts with outside parties. And that resulted in me having an ongoing focus on cybersecurity and making sure that only the right parties had access to sensitive information. Many of my colleagues for awhile, landed jobs at other parties over the years, whenever they needed to build a special matter specific application, they would give me a call. Often this would result in a new client. And this is really the story that led to the creation of SessionGuardian. About five years ago, they started working with an analogue 50 firm to develop a security system that they could use with ediscovery vendors, specifically providing contract attorney staffing agencies. And they had found that there were a variety of security postures, some staffing agencies, so worked on premise, some staffing agencies had remote users, some staffing agencies rented space in a Regis center and their computers. So there was a significant cybersecurity disparity across the agencies. So the goal of SessionGuardian was simply to normalize these security posture. So regardless of the agency that the firm was working with, they would be able to have a high security standard. So we realize the technology could be leveraged to provide secure access to sensitive information anywhere. So we pursued a plan to continue that vision and marry facial authentication as a way of validating that the physical user logging in was the intended user. So ultimately, we want to create a system that will enable firms and corporations to engage staff securely remotely with an with an appropriate information security posture anywhere. To be honest, there was pushback. So when we suggest that SessionGuardian could be used on sensitive matters remotely, we were told no. sensitive matters could only be worked on premise in a supervised document review setting. And then COVID came the phone started ringing in the rest of the history. I’d like to say that COVID accelerated the future at some point we would have reached this work from anywhere environment, and SessionGuardian overnight became the only game in town with a solution specifically focused on addressing cyber threats of users working remotely on their home computers.
Marlene Gebauer 4:57
And Oren, how did you get involved?
Oren Leib 4:59
Yeah, well, first of all great to be with everyone. I would say, you know, as an attorney and legal innovation evangelist, I like to describe myself at times. What really appealed to me about SessionGuardian. Frankly, the reason I came on board is that this is truly a privacy first company. And as Jordan mentioned, we’ve created technology, I think that truly walks the walk in that regard. I think we can all agree that data privacy is a fundamental and sacred, right. We live in a country where a court of law recently ruled that the All Writs Act couldn’t compel Apple to unlock an iPhone belonging to an accused terrorists. I don’t think that demonstrates just how greatly we value our privacy rights. That said, when I first came across SessionGuardian, I was Alm and I was astonished to learn that basically, you know, as we’re moving into a remote work based environment, any attorney on a project could come into a live session access privilege regulated data, without anything more than an MFA to quote unquote, authenticate. Now, keep in mind that anyone could share credentials with an unauthorized user. And that’s a simple and common way to circumvent MFA as users could take a screenshot or photograph sensitive data residing on the screen during the course of a doc review or translation, basically, any scenario where they’re in a remote work environment, and they have access to privilege regulated data. So I mean, from our perspective, these are the kinds of non negotiable security gaps that SessionGuardian protects against. And ultimately, and I love this about what we do, our solution enables our partners, law firms, corporations, and third party service providers to basically go out there and hire the best talent anywhere on the planet without ever compromising security. And frankly, that’s a huge net positive, not just for our customers, but the overall job market writ large.
Greg Lambert 6:43
We talked a little bit about this in the introduction, law firms spend a great deal of time, and probably a lot more money on complying with security requirements and keeping the client’s data safe, as well as their own. So Trish, I want to turn this to you, you know, what’s the perception of security in the market? And do you think that, you know, we’re all doing a good job?
Trisha Sircar 7:12
Yeah, look, you know, I can’t speak to law firms generally. But I do know for a fact that data security and privacy is top of mind, for law firms and all industries, especially as cyber attacks have increased in the pandemic, the digital economy is here to stay and just growing. And the hybrid workplace, which is, it’s still persisting, you know, for law firms, keeping data security and privacy at the core of their practice is especially important, because they are handling client confidential information and intellect intellectual problem. So it is I know that at the core of our most authentic culture,
Greg Lambert 7:51
yeah. And we’ve joked for many years here that it is job used to be about maintaining the network. And now it’s almost, I would say, probably half the job is security. And you’re just seeing so much in the securities operations of the firm is, does it feel a little overwhelming to you, Trisha?
Trisha Sircar 8:13
Look, sometimes it does, you know, we we are an AmLaw 100 national law firm. And, you know, our clients are very varied. And across all sectors. So know, as a data privacy and data security, and IP lawyer, I have to access a lot of data of different clients across different industries. So, you know, sometimes Zscaler, or other ad networks pictured when we access certain websites, and had subtypes be a challenge. But again, I think it’s very important to take those extra steps and get those provisions from IT security, to enable access. I know we can get frustrated, because everything in light of the pandemic DEI has not stopped. It’s a seven day work week for most law firms from partners. And speed is important, but it’s good to take a minute. I’m sure you had the right provisions, the right access the right it’s, the data is in the right people’s hands.
Greg Lambert 9:12
I think we all saw a senior associates, PowerPoint that talked about how just how long those weeks are for everybody.
Marlene Gebauer 9:21
So Jordan, or Oren, or both of you, and I’m very interested in hearing the answer to this this question because, you know, just we’ve heard so much about these certifications in the past. But you know, why do you think ISO and sock two certifications are not sufficient anymore for law firms?
Jordan Ellington 9:42
Thanks Marlene. So an ISO and a sock certification means that a you have policies and procedures and be that you’re following them at a certain point in time so they represent a snapshot in time. They do not represent the reality of what’s happening. On a matter that’s outsourced to perhaps a service provider as to how that information is being treated at that point in time. And so our perspective is that ISO and sock is the trust, right? It’s to establish trust with the vendor with the partner, that they have certain policies and procedures in place. But then we need to verify we need to make sure that ongoing, that information is treated appropriately. And that’s, that’s why we suggest using technology to enforce these policies and procedures in real time.
Oren Leib 10:38
Yeah, thanks, Jordan. I just wanted to take a moment to talk about the lawyer’s ethical responsibilities around safeguarding sensitive client data. I mean, especially when that data is accessible remotely, I know it’s not talking about Rules of Professional Conduct really aren’t a very sexy topic and, you know, sort of get dwarfed by the regulatory regimes out there, and the usual suspects like GDPR, since the PAP been a host of others. But I recently came across an ABA formal opinion for 77 R, and I want to read it verbatim, because it talks about the lawyers responsibility when it comes to security information. And it says and I quote, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information, when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. I think that last part where a higher degree of security is triggered is always a red flag for us lawyers to heed. But what does that mean, practically speaking, right doesn’t really give you a prescription on how to do that. It’s pretty vague. Well, I mean, I would pause if MFA says we’ve established aren’t sufficient in authenticating credential users, for example, we’re safeguarding sensitive data that lawyers need to take extra precautions with both continuous identity authentication technology, and implementing security measures in a practical way that prevent things like screenshots and screen shares of sensitive data, which again, I think are you know, we mentioned non negotiable security gaps. So I think that becomes part of the lawyers evolving set of obligations and technical competency requirements as it relates to cybersecurity, that maybe the certifications that we talked about, don’t comprehensively address enough.
Marlene Gebauer 12:23
Trisha, what are some of the challenges firms face in keeping data private? I imagine the various and changing regulatory requirements in different jurisdictions are an extremely large complication. Do regs address the real world problems in a practical manner?
Trisha Sircar 12:42
Yes, I’ll answer your first part of that question. Number one is and will consistently be employee related issues, employee security threats, human errors across the board, in all industries and sectors are the number one reason that fail to keep private information, private, continuous employee education and training are vital. Number two, I believe, is data retention, particularly for US law firms in the US, we have a culture of retaining data for longer than is necessary. And law firms maintain a lot of data. And as we’re seeing these new laws, the California Consumer Privacy Act as amended by the California Privacy Rights Act. I know there’s some proposed laws by the FTC. And the SEC as well regarding data retention requirements, as we see more of these laws develop, I think, is going to promote a culture in the United States of data minimization. So that’s important. Number three, physical security, particularly in the hybrid world. I don’t know, I do know, one law firm. I only know really a 1am law 50 wall firm that’s fully remote. Every amlaw 50 law firm that I know that’s quite a manual, every am law 50 law firm, or am law 100 wall for my nose, generally hybrid. And I think when you take documents home, you share a house or a condo with other people, when associates have roommates in New York City, physical security is imperative. And I think, really, really have to educate and continuously, you know, alert employees to this, you know, made sure there’s, you know, safe document destruction when data is done, you know, we all print out documents to read them as lawyers. So I definitely think data. Physical security is another big issue more so the fifth in the remote world and hybrid world. I mentioned employee errors, but also insider threats. Right. As we’re seeing, you know, the macroeconomic factors at play right now. We may be seeing some reductions in force, and other issues that we already saw in the pandemic, but again, we’re going through that cycle again, macro economically. We’ve all seen the headlines about law firms doing layoffs and roofs. You want to just make sure that you don’t have a disgruntled employee. and all access and any kind of devices that they are now wiped clean and denied immediately. So, again, tying that to employees and insider threats. And then answering the second part of your question, did the regs address the wheel real world problems in a practical manner? You know, they do. Generally however, it’s hard for global law firms right that sometimes have to compete with conflicting regimes. The General Data Protection Regulation prescribes a time limit to keep certain data us regs require that to be kept for for a different period of time, certain standards regarding customer data, employee data, so they can be quite conflicting. And particularly in the US, we have a patchwork of regulations, whether it’s the gramm leach Bliley act for financial institutions, Children’s Online Privacy for companies that are in the EdTech space, then there’s the consumer protection laws. Now we have, I believe, the 11 state that has a consumer protection law with Oregon, so it can be challenging that the regulations can be competing. And we don’t always invest resources in understanding them and adopting them. But I think the biggest challenge with the regulations that we are seeing is in AI, as law firms and clients using AI more and more, we’re still waiting for the regulations to really provide the proper guardrails to use AI ethically and responsibly. Yeah, we’re having a hard time keeping up writing off and complying with, you know, the current privacy laws. It’s it’s just moving too fast. And I think, you know, the EU has made some great developments in that area of regulation. But other jurisdictions are still catching up. So I think AI is really an area where the regulations are lagging.
Greg Lambert 16:54
I know we’re really good at advising our clients on how to comply with these regulations. In just in your experience, or, you know, as you’ve talked with peers, our law firms good at taking their own medicine on this. Are we good at it complying with these regulations?
Trisha Sircar 17:12
I think so. I will read things. So, you know, I can only speak to can, and we have a great team. So it is front and center a priority. I’m in regular contact with my general counsel and my seaso an IT security as a career Privacy Officer of the firm, also my HIPAA officers. So yeah, absolutely. You know, we’ve we’ve heard the headlines, but there are a lot of law firms. You know, you’ve mentioned a couple of names that are only a couple, one hand. So I do think, generally, the more sophisticated and more 200 law firms or sophisticated boutique offense, do a good job.
Greg Lambert 17:55
Yeah, well, we’ve kind of set the stage here on where we are in the industry and kind of what the floor should be on complying with regulations and security issues that we should all be looking for. But, you know, the reason we brought Jordan and Oren on here was to talk about how do we go above and beyond what just is the basics here. So I’m gonna turn it over to the two of us and describe how SessionGuardian specifically addresses things like cybersecurity gaps, what are some additional protections that you provide beyond that floor that we just said, so, kind of give us some real bass introduction to SessionGuardian? And then kind of tell us what it is that makes you guys unique?
Jordan Ellington 18:44
Absolutely. Thanks, Greg. I think the first thing to address also is before a cybersecurity gap is a cybersecurity posture, and who’s actually responsible for for cybersecurity, of your client. So the client will have their set of cyber security rules and postures, and certainly they will be coordinating and working with a trusted law firm that also certainly has a high level of cybersecurity postures. But what we’ve noticed is that as there is what I’d call a delegation of responsibility downstream to a service provider, for example, from a practical perspective, they do not have the the budget and the IT resources leave most of them do that the clients a law firm says, and then further downstream, they will often hire a contractor who will often be working on their own device, their BYOD device, and certainly they have zero budget from a cybersecurity posture. When we’re looking at a cybersecurity gap, we try to look at it from the bottom up, where is the risk and the risk is at the end of the line. It’s who’s actually accessing it. information. And, and we will look at some very, very basic things such as, can a user take screenshots of the information they see on their screen? Can they copy and paste? Can they accidentally share this information on an evite on a web meeting, and you’d be surprised to find out that most vendors will ask for direction from their clients as to whether to enforce screenshare and screenshot protection. But I would submit that most most clients that are engaging vendors probably think that screenshot and screenshot protection is table stakes. So that is what we try to provide, we try to provide a minimum basis of security so that if even someone didn’t think about it, that security is is there.
Oren Leib 20:50
Marlene Gebauer 22:46
People again. Just what Trisha said.
Oren Leib 22:49
Yes, exactly. And recently, I think everyone’s probably seen the Coca Cola IP theft story where a Chinese operatives snap photos of a series of trade secrets and formulas on our computer screen that she was going to use for a copycat operation in China. She found her way around all of the military intelligence grade data tracking software, by simply pulling out this thing called a mobile device and snapping photos, it was just that easy. So for example, you know, our mobile detection software was designed to prevent these kinds of instances from occurring. So just so practical examples in terms of the use cases that go beyond legal in into an enterprise wide environment,
Marlene Gebauer 23:28
Jordan and Oren Can Can you explain what you see as the role of SessionGuardian in ensuring business continuity and minimizing the impact of cybersecurity incidents on law firms operations?
Jordan Ellington 23:41
Yeah, absolutely. So cyber hacking has become a, it’s not just a question of continuity, it’s a question of survival. So it is a threat to a business, when their information or their clients information get gets breached. And this is compounded now, with a work from anywhere environment, where you’re no longer sure if if the person you have authorized to look at information is in fact, that user, what SessionGuardian tries to do is establish a physical security posture regardless of where the user is located, and ensures that they’re coming in from a known device at the appropriate time, from the appropriate location. And by keeping these types of controls and providing a security log that allows you to verify what areas of a system a person has been in and what levels of access did they have? Where did they log in? Were they by themselves or were they having heard they have someone looking at the screen with them for example. These types of controls greatly limit the risk of a cyber breach, and when it occurs it provides you a roadmap as to what areas of the business may have been breached, you know, by where and by whom?
Marlene Gebauer 25:08
So, I mean, is this Does this mean I can’t like log in at like, you know, four in the morning and start start working? You know, are they going to be like, Why is she on so early?
Jordan Ellington 25:18
That’s exactly right. So so that really depends. So it could it could be an observed behavior. So perhaps if it’s just starts happening before a large round of layoffs, what’s happening? Is there data being copied? Or is something strange happening? So visibility into at the end of the day, human behavior that is not normal? is what helps prevent or limit the scope of a breach?
Greg Lambert 25:46
And do you do this in a way that is seamless on the end user side? Because I can see, you know, if we, if the security guy had his druthers, you know, we may not be able to get to actually log in and do our work, you know, unless we, you know, do 10 things before we log in. So how do you how do you kind of build that level of security and, but not hampered the actual work productivity of the user?
Jordan Ellington 26:19
Yeah, that’s a great question. So the important thing is to tailor or customize the security posture based on the information that’s being looked at. And so, you know, in this way, you can achieve a context sensitive security where through, you know, most of your transactions, maybe you don’t need to have the webcam only on or maybe you only need to have it once. And then as you graduate into more sensitive information, you can dynamically be prompted to go through additional checks. The good news is that a lot of these checks are automatic. So for example, where you’re logging in, from what time you’re logging in, at, you know, can you perform a screen share a screenshot? All these things happen automatically? Do you have an a malware running? Do you have a vile anti virus running, these are all automatic, passive checks that don’t take any time. So, you know, it’s really important to balance you know, the security requirements that the firm has your obligations to your clients with the practicality of doing work. So the appropriate configuration, we do this as part of our service, we will consult with our clients to provide a recommended set of security policies in the system based on what needs to be protected.
Greg Lambert 27:40
So we’ve kind of laid the groundwork here on how to prevent any kind of cybersecurity. But as everyone knows, it’s probably not a matter of if but when this happens to a law firm, so what specific features or functionalities and SessionGuardian assists law firms in an incident response and the remediation after a cybersecurity breach happens.
Jordan Ellington 28:07
By far the most important feature that SessionGuardian provides is an extremely granular audit trail of again, who was logged in, where, when, what type of device and what were they doing what was happening in their environment. So that that audit trail paints a picture or a roadmap as to what may have happened very, very quickly, I think the scariest thing that can happen in a cyber breach event is just not knowing what was hit. And so understanding the you know, where that attack occurred is helpful. Secondly, by using technology, such as SessionGuardian, you greatly limit the freedom of movement of what happens when you get inside. If you have security set up properly. Zero trust is kind of like the the new buzzword. Well, you know, if in order to get that credential and start doing something that’s extremely sensitive, you need to show your face and show that it’s actually you, you make it that much harder for an attacker to run wild in an organization. Lastly, you know, if, if it comes time to pay the piper, and there are damages, being able to demonstrate that you took all the reasonable steps that you could have to limit and there’s an audit trail that shows that you have these security features in place. And I’m not a lawyer, but I would think that that would help limit your liability in these types of cases, or
Oren Leib 29:44
I am a lawyer, but I would definitely defer to Trisha on this one. I mean, I would I would presume that you’re right, you know that those would be mitigating factors. Some things just you know, as as Greg said, you know, it’s not a matter of if but when these attacks occur and liability is going to be based on whether or not you took all the reasonable precautions in terms of technical competency and resources to prevent that as best you could, knowing the software environments not perfect, but I would definitely defer to Trisha on more specifics on that if she likes to delve into it.
Trisha Sircar 30:18
In terms of, you know, if you’re doing everything by the book and dotting your I’s and crossing your T’s, in terms of any liability that you might experience, when you do face a breach, you know, there’s, of course, as you know, notification costs, ID Protection costs, and all those kinds of costs that most companies will provide. Not all, I believe only one or two state laws in the US require it. But it’s really a commercial decision. But again, given the amount of law firms there are, and how important reputation is and goodwill is, you know, I do think that’s where that that comes into play. So really, I think the biggest issue is really those kinds of costs, any mitigation costs, you know, forensics always cost a lot of money to do a deep dive and root cause analysis. And then the reputational costs that, you know, that might impact the law firm. However, again, it’s not if it’s when you do it. So it really those reputational costs will be minimized. If you’re doing everything, right, obviously, you know, consumers can bring a private right of action under the California Consumer Privacy Act. However, if reasonable, it’s based on a reasonableness standard based on the information security practices, so yes, there’s a cost to defend that. But generally, hopefully, you know, the firm will come out on the right side. And of course, you know, there’s other penalties and fines that can be imposed. But again, when we’re seeing those kind of enforcement actions, we’re really, you know, the Attorney General’s of California, New York, the FTC, and other the GDPR enforcement tracks, they all provide examples of what those fines and penalties look like. So that can give you a good understanding of where it’s based on negligence or no assault or be competent.
Marlene Gebauer 32:16
So we we touched a little bit about WFE, earlier and Jordan, you know, that’s another area where the cybersecurity landscape has changed, you know, because we have this incredible need for mobile access, you know, to be able to work from from anywhere. So why is multi factor authentication no longer adequate in this evolving landscape?
Jordan Ellington 32:41
Thanks, Marlene. That’s a really interesting question. And it’s, it’s a subject that’s I spent quite a bit of time thinking about. So want to take a step back down down memory lane in terms of information, security standards, when we just had usernames and passwords. So we had usernames and password. That’s how you accessed sensitive information. And then someone realized that, well, we need to have complex passwords, they need to have a certain level of complexity. So okay, now we have usernames and slightly more complex passwords, and everyone couldn’t figure out how to create that complex password. And then we figured out that that wasn’t enough, either, we need to have an MFA because there are ways to even find out what it complex password is. So that we had usernames, complex passwords, and MFAs. And then COVID happened and everybody started working remotely. And what we found is that that MFA was really designed to protect my password from being used by someone else. But if I wanted to actually have someone else use my password, I can give them my MFA code. And so from a remote work scenario, the MFA by itself, no longer gives the assurance of whoever is responsible for protecting the information that that the individual using the MFA is actually the user that you expect them to be. You know, we think that the next step now is to provide assurance of correct usage of of the information, who is the user is? Pardon the cliche, the answer is staring us in the face. It’s the face, it’s the person the person needs to become the factor of authentication to access information. And so, you know, we built a business around it, we have adoption, we think that this is the appropriate way to secure information remotely, and ensure that you know, who’s about to log on to secure system.
Greg Lambert 34:51
And, Trisha, let’s get your opinion on that from your view. You know, are there regulations being updated? Did is there? Or is there not kind of this clear guidance from from the regulations on on what, what law firms and clients should be doing?
Trisha Sircar 35:10
Yeah, look, I think in terms of privacy and data security regulations, it is quite clear. However, you know, they’re not always, they sometimes conflict, right. And they’re also, they’re expensive to comply with, especially for smaller law firms are, you know, smaller, even a solid practice, law firms really need to take the time, like any industry, you know, it’s not just a checkbox compliance, it really, you know, it has to be a culture of privacy by design, especially, again, given the digital economy that we live in the hybrid world, and just how the cultural shift from the pandemic, to this kind of, especially in the US, with this mainstay hybrid world. Again, I’m going to reiterate it again, and again, employees are still our biggest assets, but also our biggest threats. So any kind of work from home, policies and procedures need to be regularly updated and enforced. And it’s those, you know, penalized penalties for non compliance should include termination, when developing these policies and procedures for work from home, where it’s complete remote, where it’s hybrid, where it’s in the office, you know, legal IT and HR need to work this together. California employees will have different rights to New York employees. We have law firm partners that have worked between London and New York, or Chicago in London, you know, different countries require different things. This is a dynamic process that has to be constantly reviewed and updated, not only for the laws, but also the changes in the threat landscape, and has to involve senior management leadership, legal IT and HR.
Marlene Gebauer 36:55
Trisha, we’ve we’ve talked about the need to follow regulations and need to be aware of ethical considerations. We’ve talked about using technology to prevent things from happening when they happen. But that’s only part of it. Right? General Counsel risk, IT departments, they still have to address things like terms and conditions with vendors, ownership of security keys, building strong remote file inclusion and master service agreements. So from a negotiation standpoint, what are some things to look out for when negotiating with a vendor?
Trisha Sircar 37:38
Yeah, no, I look, again, I think most law firms will tell you, especially the larger law firms, nationally and global law firms, typically, if a vendor is handling personal data, or confidential data goes through an IT security process typically won’t even get to legal to review the document until it goes through that process. If a firm doesn’t do that, they should absolutely do that. Okay. And then, in terms of when he gets to legal, when we negotiate the MSA and the provisions in that MSA, the law sets the minimum requirements, other provisions in the GDPR, or the California Consumer Privacy Act, or gramm leach Bliley Act, or HIPAA commercial provision. That includes you know, who bears a cost for data breaches. Audit who pays for an audit, when negotiating these agreements, these are commercial requirements, you should appropriately allocate risk based on which side of the agreement you’re in, you know, the law firm can be the client or it can be the service provider. So depending on that relationship, your risk posture will change. And, you know, you obviously, wouldn’t negotiate terms and conditions favorable to you. But that includes limitations on liability, indemnification audit rights, in addition to what the regulation requires additional commercial requirements. And then you also want to, I always ensure that any vendor that we use for my clients have locaton have minimum cybersecurity insurance requirements, in addition to other types of insurance, and get those certificates of insurance. Those are really the big ones, you know, a limitation of liability, indemnification insurance, and then, you know, appropriately tailoring, you know, communication when there is a breach, and repays, what’s the cost? How is that quarterbacked that should all be in the MSA.
Marlene Gebauer 39:37
So this is the time when we ask our crystal ball question to everybody. So looking out at the next two to five years. Tell us what changes or challenges lay in store for us in the area of cybersecurity. Trish, you want to start?
Trisha Sircar 39:54
Sure, like again, number one is not going to change. It hasn’t changed in my career. Employee Leave. So we just we just have to consistent with trading and the bring education and making it at a very rudimentary level that old generations plan process and understand that and also tailoring employee training based on the work from home, but the hybrid, and there are complete in the office model. So again, I cannot emphasize that role that will not go away. The second biggest issue, and we’ve mentioned it again before is the ethical use of AI, and how we use AI and cybersecurity in a compliant way and managing privacy as well. So AI is a hot topic. So I think it’s going to be in cyber privacy, in machine learning everything.
Greg Lambert 40:47
So, Jordan, same to you the crystal ball question, what do you see as a change or a challenge for the next two to five years,
Jordan Ellington 40:55
I would say that the change is going to be also within the next few months, let alone the next two to five years. And I would say that the unethical use of AI in hacking is by far the biggest danger and threat to cybersecurity today. And we’re going to see increasing incidences of AI impersonating individuals, even within an organization. You know, sending an email from the CEO that sounds like came from the CEO with topics and click on this and it’s game over. I think the importance of establishing that a person is real is going to become ever more important. And I think we’re also going to see a separation between personal emails and work emails and matter specific emails that perhaps do not include the ability to email in and out of a closed group of people. Just because it’s going to be too simple to have an email impersonating a topic that you think is relevant. You click on it, and then you have a breach. And Oren,
Greg Lambert 42:09
how about you?
Oren Leib 42:10
Yeah, that’s a great question. I definitely agree with Trisha and Jordans insights on the future cyber threats and the increasing role of AI powered hacks and deep fakes. You know, look, we know the pandemic hyper accelerated digital transformation without any time error. But I think we need to step back, think about how lawyers who handle some of the most sensitive data out there need to step up their cyber defense game. I mean, it’s no longer voluntary. It’s obligatory. You know, we’ve seen ABA formal opinions about this that suggests that lawyers need to take special security precautions when it comes to sensitive data that includes privileged, confidential and regulated information. And as lawyers, we just can’t simply pass the buck to cybersecurity engineers and experts in the event that there’s a data breach. I mean, I understand there’s no such thing as a perfect cyber defense. But we need to demonstrate his lawyers that we’ve undertaken all reasonable efforts to safeguard data. That includes technology and tools and methodologies that need to be employed in our clients, the regulatory enforcement agencies out there, and even the attorney ethics boards, they won’t accept an excusable neglect in this regard. And by the way, this isn’t just a call to action for big law players out there. All attorneys, regardless of their firm size, or raking are equally accountable. And that includes law companies as well. LSPs LSPs, all of them must comply with data privacy regs, and RPCs. Where applicable. I mean, just think about this, virtually every day, multiple times a day, privileged and sensitive information becomes exposed to subcontracted attorneys working in BYOD environments somewhere out there in the world. When that happens, the level of data protection exponentially recedes. And there’s a cyber hacker waiting to pounce, I don’t mean to sound overly dramatic. But we already covered some of the alarming stats earlier in the conversation on this. What we’ve noticed is there’s a lack of cybersecurity awareness amongst attorneys. To that end, SessionGuardian is not only committed to providing a robust cybersecurity defense, but also educational awareness. And I think that’s the best way to tackle some of these issues that are present day and in the future. To that end, we’ll be offering free on demand CLE courses that fulfill mandatory cybersecurity CLE credits. And for more information, feel free to ping us at firstname.lastname@example.org. Yeah,
Greg Lambert 44:35
well, if it does play out, I hope most of the firms learn from the mistakes of others and then from their own mistakes. Absolutely. All right. Well, I want to thank Jordan Ellington, Oren Leib, and Trisha Sircar, for coming on and taking the time to speak with us. Think thank you all very much. Thank you.
Oren Leib 44:54
Thanks a lot,
Trisha Sircar 44:55
Jordan Ellington 44:56
Thanks for having us.
Marlene Gebauer 44:58
And of course, our audience thanks to all of you for taking the time to listen to The Geek in Review podcast. If you enjoy the show, share it with a colleague. We’d love to hear from you. So reach out to us on social media. I can be found at @gebauerm on Twitter,
Greg Lambert 45:11
And I can be reached @glambert on Twitter, everyone, Trisha where if they want to reach out to you? Where can they find you?
Trisha Sircar 45:20
Know, you can find me on my Law Firm bio page or LinkedIn
Greg Lambert 45:23
Jordan Ellington 45:25
You can find me on LinkedIn.
Greg Lambert 45:27
Oren Leib 45:28
you can also find me on LinkedIn.
Greg Lambert 45:30
I’ll make sure we get all this LinkedIn links.
Marlene Gebauer 45:33
LinkedIn it is listeners if you want to leave us some feedback. You can also leave us a voicemail on our geek review Hotline at 713-487-7821 and as always, the music you hear is from Jerry David DeCicca Thank you Jerry.
Greg Lambert 45:51
Thank you Jerry and talk to you later Marlene.
Marlene Gebauer 45:54