Tom Lambotte is currently the CEO of GlobalMac IT. Before founding GlobalMac IT, he studied Business Economics at the...
Sharon D. Nelson, Esq. is president of the digital forensics, managed information technology and cybersecurity firm Sensei Enterprises. Ms....
John W. Simek is vice president of the digital forensics, managed information technology and cybersecurity firm Sensei Enterprises. He...
Virtual assistants market themselves by saying they will save you time and money, but the reality is working with them comes with its own set of cybersecurity risks. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek talk to Tom Lambotte about the data dangers involved with using virtual assistants and what lawyers can do to protect themselves. They discuss the right questions to ask when seeking virtual assistance and the advantages of having contracts in place.
Tom Lambotte is currently the CEO of GlobalMac IT.
Is Working with Virtual Assistants Putting your Law Firm in Danger?
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 92nd edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics cybersecurity and information technology firm in Fairfax, Virginia.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is, Is Working with Virtual Assistants Putting your Law Firm in Danger?
Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at sitelock.com/legal/digitaldetectives.
We would also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: Our guest today is Tom Lambotte, the CEO of GlobalMac IT, a national managed service provider providing complete end-to-end legal technology services to Mac-based law firms. They provide leadership and direction to transform law firm operations and boost profits by leveraging technology.
Tom’s methods are based on over a decade of research, testing, and real world refinement of best practices, working directly with Mac-based law firms and firms switching from PC to Mac.
As usual, Tom, it’s great to have you with us today.
Tom Lambotte: Thank you. It’s good to be here. I am honored.
Sharon D. Nelson: Well Tom, when we use the phrase virtual assistants in our title, I am pretty sure that many of our listeners don’t know what we mean. So this will probably be the longest question for you to answer, but please tell us what those are, virtual assistants are, which ones are likely to be most familiar to lawyers and why are they booming?
Tom Lambotte: So virtual assistants are essentially anyone that you don’t have on your payroll that is working virtually. That’s a pretty wide description. The most common that people would be familiar with would be outsource call center, for example, like Call Ruby or Call One, there are a lot of different services like this.
But it also goes into virtual paralegal services, so instead of hiring a paralegal that’s actually working and employed by your staff, you can outsource this to someone like that.
Another example that’s more popular, a service like Fiverr, for example, or Upsourced, where you need to have a website designed or a PDF form created or some advertising, it could be a lot of different things, you just create a job. You say hey, do this for $10 and someone can virtually create that, whether it’s someone here in the US or someone in a number of countries throughout the world.
And the benefit to it is that you can have odd jobs done here and there without having to hire someone full-time that’s working inside your office, or even part-time.
John W. Simek: Well Tom, I know you and I kicked around some notes about this subject, but can you let our listeners, give them a little insight about potential security implications of these virtual assistants and why lawyers should be concerned?
Tom Lambotte: Yeah. So the main thing is how you are choosing to work with a virtual assistant. This came up for us about a month-and-a-half ago, where one of our clients in Texas was entertaining the thought of hiring some virtual assistants to do a significant amount of work for their firm.
So far more than just Call Ruby where they are appointment setting and taking in incoming calls, but they were actually looking at giving them access to their Clio accounts, giving them access to their file management solution; I think they used Dropbox for Business. So when those kind of questions came up, that set off a number of red flags for my team, just thinking about security, saying, whoa, who are you giving access to, where do they live, what computer is it on, there is a lot of questions that came up.
And that’s when I reached out to you and Sharon right off the bat and I said, hey, I know you have an IT company as well, you focus in law, have you come across this and how have you treated it. So that’s what brought it on initially.
Sharon D. Nelson: So if you could Tom, paint for us a picture of some of the troublesome security scenarios involving virtual assistants, because I don’t think many people who are probably listening to the podcast actually have thought through the scenarios.
Tom Lambotte: Yeah. I mean it’s a real nice picture when you think about virtual services. I use multiple services. Probably every week I am using some kind of virtual service.
I used Fiverr to create an elaborate typeform just a couple of weeks ago. I wrote it out on paper, I said hey, build it. $10 and 24 hours later I had it built, which saved me a significant amount of time.
So the problem that you can run into is when you are giving access to your firm’s data to certain people that you are requesting to get the work done for you. Something that’s become more and more common for us is having security audits requested by our law firms’ clients, saying hey, we need to know that your law firm is doing all these security things. And one of the common questions is do you have access to control all the devices that the data is stored on. So that’s one of the things that comes up.
If you have got a virtual assistant that’s doing work for you remotely and they are accessing your Clio and all your accounts or accessing your company’s file systems and so forth, they are doing work on your actual clients, how can you actually secure those devices, what do you know about them, and it creates a whole bunch of questions that we started going through and thinking about.
And when I did some research online and I did my googling and googling around found me very little research. I was really surprised that this topic hadn’t been discussed any further. I found websites by virtual assistants and virtual paralegal services that are really focused on the legal niche and none of them really discussed the security aspect, which honestly I was shocked.
John W. Simek: You know Tom, I don’t know what your experience has been, but I am not so sure that a lot of firms are interested in the security aspects of their own employees first.
Tom Lambotte: Yeah, there’s a lot more that needs to be done. And for my team, and a lot of these questions were really brought up by my project manager that was working with our clients and they said hey, we can’t — they asked us to set up some systems for these virtual assistants and we said whoa, what are we looking to do, how can we control it. I am like we can’t ethically stand behind and tell you yes, go ahead and do it. Sure, we will set up a Clio and a Dropbox account and we will hop on their computer and set them up, because it’s just handing off the keys to who knows who — who knows where and who knows who.
So I think it’s a big issue that really needs to be thought about extensively. Again, this is beyond creating a digital webpage using Fiverr or using Call Ruby to do some appointment scheduling. But if you are looking to hire virtual assistants, virtual paralegal, services that are going to be handling client data, there’s a lot of things you need to think about to make sure your data is secure.
John W. Simek: You mentioned the where, where are these virtual assistants working and why does it matter?
Tom Lambotte: Because of laws. You have got some that are US-based, you have got — I mean they are all over. It makes perfect sense. You can get great coders, great graphic artists and all that in India and in Europe and Eastern Bloc countries and Brazil and the Philippines. I have worked with virtual assistants in all those countries, and there’s a great case for it.
However, when it comes to providing legal services and your clients’ data, there are many rules that really vary once you go into crossing international borders. Especially with GDPR, if you have clients that have anything going on in Europe.
So I don’t have all the answers, but I know the questions kind of make me stop and think.
John W. Simek: So it’s kind of a liability issue, is that where it’s heading?
Tom Lambotte: Yeah, it’s definitely a liability issue. I mean if we were to set up a computer for someone and grant them access and they don’t realize it, but their password is phished or one of the websites, let’s say they get access to Clio and Dropbox and they are doing some work for ABC Law Firm and ABC Law Firm asked them to do something else, so they create a login for another website. Like many people do, they use the same password.
And so they might not think about it, but let’s say a few weeks later that website is breached and those emails and passwords are now being sold on the dark web, that’s an entry point back into Clio or Dropbox and it puts the entire firm’s data at risk.
So if you don’t have control — and that’s only one scenario of dozens of different ones. What kind of computer is a virtual assistant working on? Are they on a PC? Are they on a Mac? How old is it? Is it being monitored? Is it being maintained? Does it have virus protection? So there are all these different questions.
Also, if they are working for five other law firms or if they are working for 10 different verticals, doing work for anyone that requests it, now you have got a commingling of information. Let’s say they attached the wrong file and they sent your client’s file to one of the other law firms accidentally. So it’s just a web of potential data breaches just waiting to untangle.
Sharon D. Nelson: Well, it is a complicated web and that is a fact. I think you might have answered the next question I was going to ask you, which is about the devices and networks that these virtual assistants are using and why that matters. Is there anything else you care to add to that?
Tom Lambotte: I mean it all comes down to control. When we are doing the security audits, which are becoming significantly more common; again, so a law firm’s clients is required to prove that the law firm’s security is up-to-date and secure, one of the questions is do you have control over the computer?
There are so many different ways. The cyber threats are continuing to evolve at such a rapid pace, you can’t just have virus protection and be secure. I mean that’s what Sensei does, that’s what GlobalMac IT does is we help our clients be secure and we lock down their system so we can see what’s going on. We can minimize all these risks.
And so if we are doing all this work for our clients on their network and their devices that they own, but then they say hey, yeah, go ahead and give a set of keys to this person over here. I don’t really know who he is. I don’t know where he lives or what kind of stuff he has done or what he is involved with, but he is going to do some work for me so go ahead and give him a set of keys is essentially what they are saying. So again, red alerts.
And again, I am not here to kind of pooh-pooh on all virtual assistants and kind of services, but it’s really, you have to face those questions. And we did a lot of internal research talking with our systems administrator, kind of highest security person on our team, and our project manager and working with our clients to try to find a solution that would work, but ultimately, we really couldn’t come up with one.
It’s just like hey, this is a risk and you are putting your law firm at risk, and to what end? How much money are you really going to save by not hiring someone, even part-time? And you can still have remote employees; you can have someone working remotely from home, but then you can control that device. You can send them a computer that’s got all your tools on it and you have a lot better access as opposed to a virtual assistant who you don’t know.
Sharon D. Nelson: No, that’s true. But really one of the points you are making is that we can help our clients if they listen, and I take it in this case you had a client who actually listened, right?
Tom Lambotte: They did. I mean we kept coming back to them and we said hey, honestly, the only way we can see this working is by buying a computer and shipping this virtual assistant one of our devices that we have our tools on, that we can control, because otherwise we kind of had to say we are not getting involved.
We actually have a denial of service letter that we use for clients on occasion where they don’t listen to our recommendations, then we say okay, well, if you don’t want to listen to us, that’s fine, go ahead and sign here. Absolve us of any liability because when something happens; we hope it doesn’t, but if it does, it’s not going to be on us.
So it’s really important to think of all the different angles, how can you best protect the client-attorney privilege, how can you regain and stay in control of all your data. And if you can’t ensure your clients who are asking you to do one of these security audits, I mean from looking over — I read over a few security audits in getting ready for this discussion today and all of them have questions that would make the security not pass, essentially, if you are working with virtual assistants in this manner.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Sharon D. Nelson: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including DDoS mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients’ peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is, Is Working with Virtual Assistants Putting your Law Firm in Danger?
Our guest today is Tom Lambotte, the CEO of GlobalMac IT, a national managed service provider, providing complete end-to-end legal technology services to Mac-based law firms.
John W. Simek: Well Tom, I think we danced around this a little bit in the first segment and I think I know where your answer is going to go here. But do you think we can control or at least put something in place to manage some of these virtual assistants by using contracts and policies or are we kind of stuck with technology and something hard and fast?
Tom Lambotte: This isn’t legal advice, right, I have to give my own disclaimer here. For all of our clients we recommend that they need to have acceptable use policies in place with everyone on their team. They need to have mobile device management policies in place and these dictate what is and is not okay to do on a computer essentially, that’s a short version.
So we thought about some ideas like how can we add security, how can we reduce the risk for the clients, and I don’t know if a virtual assistant would be willing or able to sign an acceptable use policy that essentially says, hey, here is how I will use the data, here is how I will use my computer, but there’s just so many different factors at play that we cannot control.
And again, I keep going back to the same thing, but you have to think, where can you control? Perhaps some policies in how you would set this up would be really granting minimal access so they can only access what you are asking them to work on rather than opposed to, hey, here is the Clio account. But even then, if they are seeing client information, how can you ensure it’s not going into the wrong hands.
So policies might be a start, but you would really have to talk to an employment professional to find out how far that policy could be withheld. Let’s say someone does sign an acceptable use policy and they say yeah, sure, I will sign this, but then there is some kind of data breach. How can that be upheld? Where does the liability actually stop? Can they enforce that with someone who is a virtual employee?
I don’t know the answer to that, but again, it’s hard because a lot of my answers are questions, questions for more information, but it’s really — my purpose is to cause the users to think instead of just diving in and just opening an account, hiring this person, sending them all this work and just thinking about rainbows and unicorns. You have to think about what are the negative things that can happen. What can happen if I am not careful here, if I don’t think about these different things.
Sharon D. Nelson: Indeed. There are some unicorns that are evil out there and they do seem to crop up from time to time when you get yourself in one of these situations.
So suppose you have a virtual assistant working for a number of entities and we talked about that a little bit, but what kind of questions should people ask to make sure that the data is secure, especially from a technological standpoint?
Tom Lambotte: How can we ensure there is no commingling would be one of my questions? If they are using Microsoft Outlook on their computer and they have got five email accounts, it would be too easy to accidentally send an email from one account to another.
Same thing with files; if they are getting files and they are going into their downloads folder, how do they keep track and ensure that they will never accidentally send the wrong file to someone.
So one idea I had would be creating a separate user account just for when you are working for us; us being the client could be one idea.
So these are security suggestions, but I don’t know how far they will go in securing the client.
John W. Simek: So Tom, let’s talk a little bit about the due diligence. What should an attorney, I guess the steps they should go through and we are kind of talking around some of that already, but investigating the security of a virtual assistant, certainly the lawyers have an obligation to perform due diligence, and I am sure that’s kind of what started this whole conversation between you and your Texas client, right, was that’s what they wanted to do.
Tom Lambotte: Yeah, they had an idea and they said hey, we want to do this, but how can we do it securely, how can you support us in doing that.
First would be, I mean you have really got to do your research into the company as a whole. If you are considering a virtual assistant company, you have got to do your homework. Just because they have a nice pretty looking website, don’t sign up right away.
We judge a book by its cover way more than anyone likes to think. I remember 10, 15 years ago I worked for a consulting firm and I was calling on CEOs of half a million to five million dollars in revenue and before I called them I would check out their website. And instantly I would judge them. Sometimes you would have these 1989 websites and like the fourth website ever created and it was for a company that was doing $10 million in revenue.
So just because they have a good website doesn’t mean they are a good company. You have got to find out who is behind the company, where are they based out of, how do they protect your data, how do they secure your data.
One good question that just popped in my head right now actually is take one of these security audits and send it to them and say hey, can you complete this security audit and tell me how you are securing our data, how can you make sure that there won’t be data breaches. That hadn’t occurred to me until right now, but I think that’s a really solid idea for starters.
Sharon D. Nelson: Well, I am about to ask you a legal question, so feel free to turn it right around on me after you give me your thoughts, fair warning there Tom, but who is liable in a data breach that involves virtual assistants?
Tom Lambotte: I am the wrong person to ask. I would say it’s the client. I mean if they choose to hand data to this party and then that party ends up getting into the wrong hands or having a data breach, the client made the choice to hand over the data.. So again, I in no way, shape or form have an ounce of legal knowledge.
Sharon D. Nelson: Well, when you say client, you mean law firm, right, the law firm that is your client?
Tom Lambotte: Yes.
Sharon D. Nelson: Yeah. And I think that you are going down the right path. First off, if there is a data breach everybody is going to get sued. So you have a virtual assistant, they are going to get sued. But are they the deep pocket? No, they are not the deep pocket. So they will be named in the suit more than likely, but the law firm is certainly going to get sued, because that’s where the money is. And are they going to be liable? These things always end up settling, that’s what happens, but the bigger the suit, the bigger the settlement.
So this business of having virtual assistants is far more dangerous I think than most law firms realize and they pay vastly insufficient attention to exploring both the policies and the technology involved in protecting the client data when they employ a virtual assistant.
So I think their liability risk is huge and you can’t just — not everything is covered by a cyber policy and their regular insurance, if they don’t have a cyber policy, they are certainly going to be in a world of hurt. So this is something where we have to, and I know you lecture, like we lecture all the time, we have to keep telling them, this is very significant. You manage your risk by a combination of doing all this reasonable investigation, using technology, using policies and then you cover the rest of the gap with cyber insurance and that’s the best you can do.
Do you agree with that Tom, being a non-lawyer?
Tom Lambotte: Absolutely, 100%. I mean in this case the reward does not justify the risk. You have talked about the lawsuit and the suing or whatever, but outside of that, there is so much more; the cost to you, the reputation, and the costs to mitigate a data breach and the time and energy you are going to be spending doing this instead of practicing law and billing hours and to save how much money, right?
So again, virtual paralegals out there are going to hate me right now and probably all of us because of the discussion we are having, but if they can bring back and tell me how they can secure the data, I would love to hear it. But the sad truth is we did the research, we looked online and we found virtual paralegal websites and we looked around and there was nothing ever brought up about security. And so until you prove me otherwise, I am not going to be a believer in using outsourced legal virtual services.
John W. Simek: Well Tom, finally, we have been talking a lot about security, but what can we do to improve our security posture with virtual assistants? I think Sharon kind of touched a little bit on cyber liability policies and that’s a good way to go.
And I know a lot of law firms probably don’t realize that they don’t have coverage and/or the rider, but I am glad she mentioned that, because I am in the process right now of renewing our cyber liability coverage and they talk about first party and third party and do you have control or does the third party have control of the data, and that’s radically, I think, going to impact premiums, but that’s just one item. Are there other things that we can consider to improve that security posture?
Tom Lambotte: I would consider all the different ideas we have brought up. So the best idea I have brought out of this discussion is asking them to complete a security audit.
I would ask the cybersecurity company that’s issuing the policy, asking them specifically what would happen in this scenario. That’s something that hadn’t hit me until today when you brought it up again. But say hey, I know we have got the cybersecurity policy, if we worked with virtual assistants and there was a data breach, would that be covered? Would that be included?
They might outright say, nope, you are on your own. We don’t know. I don’t know which way. I would be really interested to find out what they would say in response. But again, it’s you are giving up control. You are just opening the door to a whole bunch of things that you have zero control over.
So in my mind, if I was the insurance company handing out that policy, I would cover myself from that, because that’s a huge risk that otherwise they are not open to.
Sharon D. Nelson: Well, we sure have appreciated you joining us today as our guest, Tom. It’s always such a pleasure, always a good conversation and really some of our best friends are strictly speaking sort of competitors, but isn’t it funny, there’s plenty of fish in the ocean and we all get along beautifully and isn’t that the way it’s supposed to be?
Tom Lambotte: Absolutely. It’s all about mindset, it’s an abundance mindset and if you have that, everyone can get along just great.
Sharon D. Nelson: Well, thanks, your expertise is always so valuable and we just enjoy talking with you. So we appreciate you being with us Tom.
Tom Lambotte: Wonderful. Thank you for having me.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com.
We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.
Sharon D. Nelson and John W. Simek invite experts to discuss computer forensics as well as information security issues.
Maura Grossman discusses how TAR is used by medical researchers to support their efforts to understand and treat COVID-19.
David Ries gives an overview of work-at-home and remote access best practices.
Doug Austin surveys the current state of the eDiscovery industry and discusses emerging trends.
Ben Schorr shares tips for improving security in Microsoft products.
John Simek and Sharon Nelson answer lawyers’ frequently asked questions about how to work remotely and securely.
David Ries breaks down the trends in The Identity Theft Resource Center’s 2019 End-of-Year Data Breach Report.