Cybersecurity: Getting to Good for the Small Law Firm

Episode Notes

Transcript

Digital Detectives

Cybersecurity Getting to Good for the Small Law Firm

11/27/2018

[Music]

Intro Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

[Music]

Sharon D. Nelson: Welcome to the 97nd edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics, cybersecurity, and information technology firm in Fairfax, Virginia.

John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is, ‘Cybersecurity: Getting to Good for the Small Law Firm.’

Sharon D. Nelson: Before we get started, I would like to thank our sponsor. We would like to thank our sponsor pinow.com. If you need a private investigator you can trust, visit pinow.com to learn more.

John W. Simek: Our guest today is Kellam Parks who is a managing member of Parks Zeigler, PLLC in Virginia Beach, Virginia, which is a paperless, technology driven law practice. Kellam frequently writes and speaks about the modernization and use of technology in the practice of law, including such topics as ethics, electronically-stored information, cybersecurity, and practice management/marketing. While his firm handles a wide variety of legal matters, Kellam focuses his practice on credit reporting, civil litigation and is soon launching a cybersecurity practice area.

Thanks for joining us today, Kellam.

Kellam Parks: My pleasure. Thanks for having me.

Sharon D. Nelson: Well, Kellam, tell us about your law firm, the number of lawyers, the practice areas, and as an expansion and I know I’m asking for a mega answer, how did you get to this place?

Kellam Parks: So, we currently have six attorneys and nine staff. We have a wide variety of practice areas. We do everything from family law, which includes high-end divorces. We also have a concentration of military family law matters, which we just wrote a book about. We do civil litigation as well, everything from medical malpractice, personal injury, defamation, those sorts of things, business litigation, we do some transactional work such as business formation and commercial lending.

And I’ll round that out by saying that I’m trying to start a cybersecurity practice area because I’ve written and lectured on it for years and it makes sense to dive into that area as a growing practice area in today’s legal market.

As to how we got here? I actually left a local firm and founded this practice in 2012 as a solo. I had the good fortune to have my sister as my office manager from the get-go. I’ve added some staff and an associate attorney along the way, and then my current co-owner, Brandon Zeigler, joined me in 2015.

Brandon and I had practiced together for many years at two different law firms and he was looking to leave, potentially start his own firm and after we discussed it, it made sense for him coming on-board, and I’m happy to say that we’ve exploded since and we’re still growing. Even today, we’re looking for another attorney and some more staff as you speak.

Sharon D. Nelson: Well, that’s wonderful news. And as a follow-up question, can you define cybersecurity practice? Are you going to be a data breach lawyer, a privacy lawyer how exactly are you going to move into that area?

Kellam Parks: Well, the answer is, yes. So, what I envision is really consulting and legal work, meaning that sort of this, the smart businesses will hopefully hire me to help consult and put them in touch with cybersecurity from the technology side, do the analysis, come up with response plans, and then if there is an incident then they have me ready to go to talk about breach notification letters. And in the event they get sued, obviously, we can get into the litigation part of that as well based on our experience and what I’ve done for almost 20 years of practicing law now.

Sharon D. Nelson: Fascinating. Thank you.

John W. Simek: Well, Kellam, I know you’re pretty tech-savvy and we’ve lectured together before and all that, but how did you get to be so tech-savvy relative to your peers?

Kellam Parks: So, I’ve always been a tech guy. I like to joke that I would have been so much cooler as a kid if I were a kid now back in the 80s, when I actually got into computers, it wasn’t nearly as cool then, and I’ve always enjoyed tinkering sort of my personal life with technology.

And although, I enjoyed working at my previous law firm, I looked at how we did things there. There were 30 attorneys and about 70 staff, so almost a hundred people — about a hundred people. And basically, with a law firm of that size, it’s very difficult to turn quickly and use modern technologies efficiently.

So, I wanted to integrate modern technologies and so I set out to learn everything I could about technology in the legal space and I’m still at it.

(00:05:01)

I spend a lot of my time running the firm from the management point of view and that includes finding new technologies and integrating them what makes best sense for what we do and how we do it.

John W. Simek: Admit it, Kellam, you just like to play with those cool toys?

Kellam Parks: Well, that is true, and then the firm can pay for them now, so that’s fantastic.

John W. Simek: I’ve seen your office.

Sharon D. Nelson: Well, photos of your office and it’s very cool and very high-tech, which I love and I love the Stormtrooper, not everybody has a Stormtrooper in their office.

Kellam Parks: No, absolutely. Look, if I’m going to be here as long as I’m here, I need to make it homey.

Sharon D. Nelson: That’s right, exactly. So, when and how did you come to the realization that cybersecurity was essential for your law firm?

Kellam Parks: So, before I started my firm because I never owned a business before, I’ve been practicing law in private firms since I started, but I dove into our attorney ethical rules. So, I practice law in Virginia and I looked at our ethic rules to ensure that I had a firm grasp on all the aspects of our duties.

And having done that, I immediately realized that if I was going to be — what I hope to be and what I am to a large degree is a paperless digital law firm, and if I want to utilize these modern technologies I’ve talked about that I had to pay particular attention to safeguarding our clients’ information.

So, this led me to explore the area of cybersecurity to meet what duties I have and it’s an ever — one of the reasons I want to go into it as a practice area, it’s only going to grow and the challenges only increase with new technologies as they come out and sort of the adjusting ethical duties for same.

John W. Simek: Great. Well, I know the whole world of cybersecurity, I have to ask you this question though, do you have an incident response plan, and if you do, tell us how you went about preparing it, kind of what’s the scope, what does it cover?

Kellam Parks: Sure, so we’re actually in the process of putting together a more comprehensive response plan. But what we have currently is I’ve created an outline for both, a data breach avoidance plan in essence as well as a response plan, because obviously, the best policy does minimize the chance of a breach.

So, for the data breach avoidance outline, I cover an inventory of what data we collect and then what duties we have to safeguard the data. So we categorize the information based on its sensitivity and severity of legal impact in case of a breach and then we go about and we implement administrative, electronic and physical data security guards, and this of course, includes training for our staff, which is actually one of the more important things that we do.

As to our response plan, we put into place who is responsible for what and as a technology leader of the firm I’m in-charge sort of at the top of all of this. We have our third-party IT professional looped in. I’m fortunate that I have a very good IT person that I happened to be friends with and helped us since day one of my law firm.

And then I have a list of outside vendors that need to be consulted in a non-shameless plug, for instance, if we have a serious breach, we’d be looping in your company since the enterprise as a forensics expert because obviously my IT guy is great and he knows a lot, but he doesn’t have the level expertise that a forensics firm such as yourself would have.

Sharon D. Nelson: I think we owe him dinner, John.

John W. Simek: Dinner and drinks.

Sharon D. Nelson: And drinks, okay, thank you for the kind words, Kellam.

Kellam Parks: Well, it’s very true.

Sharon D. Nelson: Okay. I’m interested in cyber insurance as you know that something that has come about recently as a big topic and a hot one, I know you have cyber insurance, can you tell us a little about your cyber insurance, what it covers and anything else about that subject that you think might interest our listeners from a small firm perspective?

Kellam Parks: Sure. So we do have some cyber insurance in place, though I’m in the process currently of evaluating options to pretty substantially upgrade what we’ve got. What we have is some limited coverage, there are existing legal malpractice policy, also our general liability policy has some coverage as well to sort of put on top of that and supplement what we really have.

But as we’ve grown, our needs have also grown and a separate cybersecurity policy is essential, I think at least for any law firm to ensure that you have the correct coverage to include both third party and first party coverage.

So, for instance, if there’s a breach of our system, most policies will cover that but if you have a third party briefs of another entities where your data is housed is breached, well, you have a problem with that. So definitions — from a legal perspective, definitions are everything when you talk about insurance policies and that’s Triple E so I would say in the area of cyber insurance which is a lot newer, a lot less established.

Usually in the insurance world, there’s been litigation over many years to sort of define. And for insurance — honestly for insurance companies to figure out risk and cost and all this is so brand-new that it’s really difficult to sort of pen that out.

(00:10:00)

So we’re looking at all those sorts of things. I’ll say that, Sharon, you actually introduced me to Judy Selby who’s a Virginia-based cyber insurance expert and she’s written literally a book on it. She has handled insurance matters throughout her career and I’ve looked at her materials, and that’s been just a great help as we navigate sort of what our options are.

Sharon D. Nelson: Well, I am glad that was useful for you.

Kellam Parks: Very much now.

John W. Simek: Before we move on to our next segment, let’s take a quick commercial break.

[Music]

Advertiser Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is ‘Cybersecurity: Getting to Good for the Small Law Firm.’

Our guest today is Kellam Parks, who is a managing member of Parks Zeigler, PLLC in Virginia Beach which is a paperless, technology driven law practice.

So, Kellam, do you have encryption available for use, and if so, what kind?

Kellam Parks: Sure. So we have encryption of sorts. So we can password protect our documents if we’re using a Word document or a PDF, of course, which is a form of encryption certainly as you know.

We also have an encrypted form of communication through our practice management system, Clio, if we have that need. We don’t use a third-party solution like Mimecast or EdgeWave which has the cloud-based portals so that extra layer. We haven’t found the need for that yet because most of the sensitive data that we use or Social Security numbers or account numbers and those are easily enough password-protected.

John W. Simek: So what about backup systems, Kellam? What do you have — I know you have something since you’re technology driven but what do you have and is it engineers such that it would protect you from ransomware?

Kellam Parks: What we do is we keep all of our firm data on the cloud. We use — we’re Microsoft-based firms. So we have Microsoft SharePoint is our repository for all of our digital files and that product has synced backups different geo locations backed up within that platform. We also keep some information, primarily some client information on the Clio system which is another — which is also in the cloud and that’s also backed up to their system. We have the option to Escrow it through a third party which we’ve elected not to do because we don’t keep all of the data on Clio. Basically all the data that we have on Clio is simply a copy of what we have in our own system that we’ve shared with the client.

We also keep up — if we have a archived client, so if we have a closed client file, we actually bring that off the cloud and keep that in-house as well as our accounting information and the way we have our system set up right now is we have a sort of a hybrid where everything is on the cloud but we can also — we have local copies of active files that we’re working on and we backup all of our local data on portable hard drives. So, we have a portable hard drive plugged in, every 12 hours we cycle in a different drive and then we have a third drive that I rotate in every week that I keep in my house and that way the two non-plugged in drives are kept off-site. If our building were to burn down we have 12-hour old information, and what that allows us to do is it allows us to avoid ransomware issues because if they’ve locked down our entire server or if they’ve locked down a particular cloud base we have backups on the cloud which I don’t think that would be vulnerable, but in any event, I have a local copy on a separate hard drive.

Sharon D. Nelson: Well, it sounds like you’ve engineered that pretty well. I know another thing that you’ve engineered pretty well is you’ve made sure that you have a client portal via Clio. A lot of folks are interested in smaller firms and getting a client portal, but they are a little confused about it. They really don’t understand what it is and what it does, so perhaps you could describe some of the basic features, costs, security, et cetera.

Kellam Parks: Sure. So when I started this firm in 2012, there really weren’t that many cloud-based practice management solutions out there of any sophistication. Six years later, I think last count there are over 85 that are of some sort. So your choices really have expedition grown in recent history. So, one of the things that I wanted to do right out of the gate is, I wanted my clients to be able to access their data 24×7. I want it to be as convenient as possible for my clients, and especially, because we represent a lot of military members.

(00:15:02)

A lot of times they’re on the ship or they’re deployed, in their hour, they may be in a different time zone. So, it really was important for me if I’m going to go digital to have that access. Clio had that built-in, in 2012, which was great, and what it does is when you open a file each client has their own login and password, and once they log in we’re able to in essence upload files that they are able to see and they stay there for as long as the matters open. It also allows that secure communication that we talked about. We share invoices with the clients through this portal as well so they get an email from Clio saying, so we’ll upload a document, for instance, we hit a Share button. They get an email that says, hey, you have a new document or you have an invoice. They can then log in and they can look at it, download it, it stays there if they need to download it again, and so a lot of the different practice management systems now have that ability, and I think it’s vital. As far as — and I’m always evaluating, I will say I’m always evaluating. We like Clio, there’s challenges as we grow and we have different needs. We’re always evaluating new options obviously the more invested we are and the more time we have and the harder it will be to switch and it’s not cheap.

Clio as we’re sitting here today, in November of 2018, they have three tiers. They said to start, boutique and elite. We need boutique which is in the middle, based on the features and it’s $59 a month per person per seat at the firm, if you pay it annually $1,600.00, if not and we have 15 people so that adds up pretty quickly.

John W. Simek: And this one thing I think a lot of people don’t realize, Kellam, is, they need to do the math. Always going to the cloud isn’t certainly — always the cheaper solution, but certainly cost-effective in a large number of times.

Kellam Parks: Absolutely, I mean, when I started as a solo, much different cost structure than 15 people.

Sharon D. Nelson: Yeah, it’s amazing how that works.

John W. Simek: It adds up quickly as you said. Well, tell our listeners a little bit more about the — any other cloud services that you use and how you go about doing due diligence so on those services?

Kellam Parks: Sure, so primarily as I mentioned before we use SharePoint for our physical repository of documents, physical meaning digital. That’s where we host the digital documents, and in Clio we use really to communicate with the client, so there’s our copies.

So those are our two main cloud systems that we utilize that really takes care of everything we need from the cloud side, and before committing to them I basically slog through their Terms of Service, which obviously takes some time to get through and I determined that they complied with our ethical duties and how we operate. So, for instance — for Clio for instance basically as some cloud providers are zero knowledge-based, I think SpiderOak might be one where they encrypt everything on their end, you have the master passkey, nobody can open it on their end even if they wanted to. So if they got a subpoena from the government, they could turn over all the information it wouldn’t do them any good.

Most systems are not that way, Clio is not that way. So, we can obviously encrypt if we need to going on to the system, but Clio would notify you before they comply. So they’ll tell you, hey, we got the subpoena so that you have the option to quash it if that’s what you want to do, which was important. They also have options where I think I indicated earlier that you could escrow the information so if I wanted our information copied to say an Amazon account or another cloud system that we could do that so that we’re not relying on Clio because if Clio blew up one day, my date is somewhere else.

So, basically I just went through step by step, tried to analyze what they have, how they work, and make sure that it handles our needs, and like I said, we don’t handle overly sensitive information. We’re not representing Edwards’ note or anything.

Sharon D. Nelson: Yeah, you would have to have some pretty strong cybersecurity measures there.

John W. Simek: I think it’s two things, Kellam, I want to comment on. Number one, I think you’re probably the first lawyer I’ve heard that admitted they read the Terms of Service.

Sharon D. Nelson: True.

John W. Simek: And number two, you’re correct that in Clio — because I read them all. That Clio’s Terms of Service as well as Microsoft’s, they both specifically say that they’ll notify you and not turn the data over, so that you have an opportunity to file that Motion to Quash, but the majority of cloud providers don’t have that provision stated in there at all.

Kellam Parks: Right, and that’s very concerning, and so, yeah, I’m that guy that actually goes to the Auto Body Shop and they say, hey, just sign here, and I’m like, well, no, hold on, I need to read all four pages. So, I am that guy.

Sharon D. Nelson: Yeah, you are that guy.

Kellam Parks: It drives my wife.

(00:19:56)

Sharon D. Nelson: I am sure it drives those people, that’s two, on the other side.

Well, tell us about some of your other cybersecurity measures that you take at your law firm, the employee training, maybe physical security, anything that you can think of that a small firm should be thinking about.

Kellam Parks: Sure. So, I think even with one or two employees, I think it’s important to have an employee manual. Obviously, if you’re a really small firm, you don’t need to have a 60-page manual or anything, but from the perspective of cybersecurity in our employee manual we have a whole section that talks about what our procedures are, what our policies are, we have periodic reminders of these policies. We update them as necessary. Training is absolutely key for the staff to follow the policies and recognize potential issues.

Obviously in today’s world it’s phishing through emails or malware and they get attachments so they know not to click those things, they know not to click links. So it’s important for them and we have the staff now sort of policing other staff, hey, you should — don’t click that and so they recognize and bring to people’s attention, which is huge.

For our systems we use pass phrases, so we have long passwords which is what’s recommended nowadays for accessing our systems. Everybody knows if they walk away from their desk, it auto locks after a certain amount of time, but then it will lock their system. Our physical space is locked and we have keypads that identify the users as they come in and out, so we know, well, in, I guess — so we know that who’s in here and when they are in here.

We use Microsoft 365 for our systems and up until recently we used Intune to monitor the basic security but we’ve upgraded in recent history to the Enterprise Mobility and Security two levels, there is E3 and E5, we use the lower level E3, it includes Intune, but what also that does is we added — because Microsoft is, I’m sure you’re both aware is, you can get a lot of things ala carte.

So, we did the E3 level and then we added their advanced threat protection as a $2 a month per user add-on, and what that does is it allows us on the administrative side to catch phishing attacks, malware attacks, sensitive information, it’s got safe linked protection. So, people that click without thinking at least, will catch it hopefully at this time, and then we have cell phones for attorneys and we have paralegals want to access some information from their cell phones and we have — we have our own laptops for the attorneys.

And so, the Enterprise Mobility Security also allows us, Device Management allows us to lock that down, do authentication, sort of all of the security methodologies, which I think are vital for any law firm, especially one that is going to be digital in nature.

John W. Simek: Well, my last question for you, Kellam is, what are your impressions of a solo small firm cybersecurity awareness and preparedness, and I’d be interested to see what if your impression is the same as ours?

Kellam Parks: So, I suspect it will be, but as you know I travel across Virginia and speak on technology in the practice of law pretty frequently and that’s everywhere from the East Coast all the way out near Roanoke and beyond, and as part of that topic and cybersecurity and I try not to get too technical as I’m sure you both do, because obviously they are not going to be as aware as we are maybe, but unfortunately, I had a lot of blank and sometimes panicked looks when I talk about this topic.

I get the sense that solo lawyers and small firms really just aren’t up to speed and they don’t know what they don’t know. And so they go, well, I have an IT person. Okay, well, that’s fine and actually our ethical rules say that you can’t have other people be in-charge of this stuff, because the Bar doesn’t expect lawyers to be IT experts. I think that’s smart. But you have to at least know the topics of what you’re — what’s important.

So, part of what I feel like my mission is and I said on a couple of State Bar Committees and just honestly I feel like what my mission is since I know this stuff is to educate my fellow lawyers, and hopefully, get them to be to get up to speed and understand to at least recognize the issues and then take the necessary steps to protect their data because their data is their client’s data and the ethic rules state, if you basically take absolutely no steps to protect your client data in the digital world, you’re going to get in trouble.

Sharon D. Nelson: Well, and that’s certainly true. So, I think this has been a very useful exercise for solo small firms to listen to how you got there and you did get to good in fact, you got to better than good, which is better still. So, I really think that was very helpful for them.

I want to thank you for joining us today, Kellam. Kellam is a good friend and we’ve enjoyed lecturing with him many times and hope to do so many times in the future. As you can hear he knows a lot for a practicing lawyer. He knows pretty much as much about legal technology as any other lawyer I’ve met in the State of Virginia.

(00:25:09)

So, it’s been a real pleasure, Kellam. Thanks. I know you have a lot of stuff going, thanks for taking the time out today.

Kellam Parks: Thanks for having me. It’s always a pleasure, guys.

John W. Simek: Well, that does it for this edition of Digital Detectives; and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple Podcasts. If you enjoyed our podcast, please rate us on the Apple Podcasts.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com.

We will see you next time on Digital Detectives.

[Music]

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.

[Music]

Continue Reading