Unfortunately, data breaches are becoming a ‘when’, not ‘if’, scenario, but a proactive data protection strategy will definitely help! Sharon Nelson and John Simek talk with Peter Baumann about what businesses should do to get ahead of threat actors and develop effective responses to breaches. They discuss the risk distinctions between structured and unstructured data, talk about lawyer-specific data considerations, and explain how to assess your security needs and get the right tools for the job.
Peter Baumann is CEO and founder of ActiveNav, a leading data privacy and governance software provider.
Sharon D. Nelson: Before we get started, I’d like to thank our sponsors Clio and Embroker.
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 138th edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises, a digital forensics, managed cybersecurity and managed information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, vice president of Sensei Enterprises. Today on Digital Detectives, our topic is How Secure is Your Law Firm’s Data? Today, our guest is Peter Baumann, the CEO and founder of ActiveNav, a leading data privacy and governance software provider. Peter is a business builder who cut his teeth in the electronic publishing industry at Bureau van Dijk, Standard & Poor’s Global Markets and several startups. He has 25-plus years of international experience in high-growth finance and technology industries and co-founded two other companies. It’s great to have you with us today, Peter.
Peter Baumann: Yeah, likewise. Thank you very much for having me and I do need to update that bio. Those 25 years are now more than 30 years, I’m afraid.
Sharon D. Nelson: None of us want to fess up to how many years there are, right?
Peter Baumann: Thank goodness for referring to it.
Sharon D. Nelson: Well, Peter, why don’t you start by telling us a little bit about yourself? What led you to found ActiveNav and what exactly does your company do?
Peter Baumann: Yeah, certainly. Yeah. So, as with many startups and entrepreneurs, there’s the long and the short version of the business inception; I’ll give you the short version. I was lucky enough to be brought into an existing shell that had some really cool tech from a university spinout over here in the UK, but it had kind of struggled to find its core reason for existing. Why did it exist? The classic university spinout: some really good tech, now is there a market for it? So, my job and that of my early team was to find its niche. And back then in 2008, this effectively meant kind of taking a bet on what we believed would be, and became, an exponential growth of data and specifically unstructured data, the really hard stuff. The elephant in the room, the stuff that sits outside of databases.
We ran some early proofs of concept with some UK customers, and some UK government ones as well, and kind of demonstrated we could very quickly determine value from the data without any prior knowledge of that information. Now, this was back when AI and ML were nascent at best; they didn’t really exist. And so, we had the equivalent, our own linguistic algorithms that were already doing the work that would now be described as AI. And we found our technology was really cool at kind of raising the value out of that data with no prior knowledge, and it enabled the customers to start going on a journey with the data, whether it be from a pure audit inventory perspective, through to remediation, workflows, et cetera, et cetera.
So, those are the early days, and then over the last 10 years, as we all know, the market has matured enormously and eventually, over time, a label was given to the part of the market that the technology sat in, and that was file analysis. And the use cases that file analysis supports expanded to cover, again in common language today, data discovery, data remediation, data labeling, data minimization, and to support the fields of IG, privacy regulation such as CCPA, GDPR and post-breach support. So, I think the long version is for another day. Is that helpful?
Sharon D. Nelson: Very.
John W. Simek: Peter, unfortunately we’ve been seeing a lot more and more data breaches, not just at large global companies, but at smaller and medium-sized organizations like the law firm Stevens & Lee and even the Georgia State Bar and it really seems that it’s inevitable. Data breaches are — it’s not a when but an if scenario. What data protection methods could these organizations and what do you think they could have done better to prepare themselves for a breach?
Peter Baumann: Yeah. John, you hit the nail on the head. Data breaches are very much a when and not if situation and no one is immune. The best technology, the best doors and locks and alarm systems won’t stop the bad actors getting into your network. I think people understand that now. And data protection, data privacy, policies and regulations are crucial to employ so that when they do get into your network, you’ve only got the right data that is there, and that data effectively can then be correctly labeled, categorized, locked down, whatever locked down means to the organization.
It could be encrypted, it could be removed, it could be deleted, but the most important thing is when the bad actors are in your network, you’ve reduced the kind of threat footprint for them to go grab, if you like. They use the term threat attack surface or footprint, if you like. It’s really important. It comes from the cyber community, and what we’ve also seen over recent years is the coming together of these different facets of information in the organization. 10-15 years ago, it largely sat within information management, records management, and we’ve seen that really grow recently. So, now you have the privacy people, the GCs, the cyber people, the CISO and of course usually the IT and CIO departments in there.
And then the people are responsible for implementing the privacy regulations such as DPOs in the UK, Europe and the CPOs in the US. And the cyber community uses the term, the threat attack surface. And so, it’s that reducing the threat attack surface and, typically that is about the number of vulnerabilities that an organization, the law firm may have as points of entry for the bad actors. For me, I think it’s both that and endpoint devices but also the data that sits on those devices and those systems. That’s part of the surface and it’s all about controlling access to that surface, recognizing one day you will be breached and therefore, when they reach the surface, you’ve already got the right information.
Sharon D. Nelson: Well, I know we’re always preaching about being proactive versus reactive but — and sometimes it takes and sometimes it doesn’t but how do you explain the importance of having a proactive data protection strategy versus a reactive strategy?
Peter Baumann: Yeah, and (00:06:48), for me, it’s the difference between being prepared, Sharon, and unprepared. Cyber breaches are recognized today as a form of war, be it a digital war, and it’s scary rather how the parallels are the same as a physical war. When you go to war, you want to be prepared. If not, the consequence is going to be long, painful and costly at best and obviously devastating and probably not recoverable at worst. And you have to think about cyber risk, and the cyber risk to your data, in the same way. And so essentially, in the world of data, it’s about getting ahead of the bad guys. I think most of the audience will know this but it’s always good to repeat; it’s a scary statistic, but on average, your bad actors will be within your network, your system, for around 300 days before you discover them, and the Ponemon Institute does excellent research on that. If you’re not familiar with it, they update it each year and usually it’s within 5-10% of those 300 days and getting worse.
You need to think like those intruders will think, the burglars will think in your network. They won’t be after your flat screen TV and your iPad, they’ll be after your IDs, your crown jewels, your customer’s information and their IDs. And then you need to determine what is it they want that data for. Is it a simple hack just to take the data and try and set it on fast? Or is it more new instance slightly more intelligent in a way which is that they want to demand a ransom through it and then what’s the nature of the data they’re going to be calling a ransom against? And do they have your crown jewels, and what are your crown jewels? And are they after the access to the crown jewels? So think passwords to bank accounts, passwords to private files, passwords to other networks. These are all things that bad guys will be doing and will be thinking as they breach your network and they’ve been there for 300 days and so you have to be proactive to get ahead of that and it’s essentially our view and some of our customers’ view now.
Sharon D. Nelson: You’re actually leading me to give you one of our favorite quotes when we speak. And that is, if you fail to plan, you plan to fail.
Peter Baumann: Yes. I could count to that actually. Sharon, ones that we often use in here is you can’t protect what you don’t know.
Sharon D. Nelson: Another one of our favorites too.
Peter Baumann: There you go.
Sharon D. Nelson: What you don’t know you have, right? Yep. I see we’re feeding each other lines. Go ahead, John.
Peter Baumann: (00:09:03).
John W. Simek: Peter, you mentioned the term unstructured data previously and I know that’s familiar to me but perhaps it’s not familiar to a lot of our listeners. So, can you talk a little bit about how unstructured data is different from structured data?
Peter Baumann: Yes, no, John, that’s an excellent question. For us, the clue is kind of in the naming. If it’s structured, it means that it’s kind of already gone through some kind of filtering, triage and parsing system and typically sits in some kind of managed structured environment such as a database. Think SQL, think Oracle. If it’s unstructured, I like to call it the wild west; it could be in potentially hundreds, maybe even thousands of different types of repositories, from those that we’re very familiar with, like our general office documents in the Microsoft or the Google stacks, through to a multitude of different tools that different organizations will use, and proprietary repositories and others. And then somewhere in the middle, you do have semi-structured, which I don’t think we need to worry about too much today. But for us, it’s really what’s not in the database that is unstructured. And I think another nice way of thinking about it is it’s often about human interaction, text messages.
So, certainly chat is deemed unstructured, taking notes; maybe a law firm has case files, those would be unstructured. So when you have human interaction, often that’s unstructured, but not exclusively. And the last thing that, again, I always think is interesting, because I know you will both have a view on this, is, well, what percentage of our data is structured or unstructured? And since I can remember in this market, the figure 80% has been used. And interestingly, last week I was at the RSA conference in San Francisco, talking to a renowned analyst there who looks at the whole market, and I called them out and I said, “Is this right or is it just an urban myth?” Because everyone says 80%. And interestingly, he said that they had done some recent work and it was actually higher than that. And so, most organizations are going to be facing 80% plus of their data in an unstructured environment, a wild west, and most of them have no idea what’s in there.
Sharon D. Nelson: Thank you for telling us about that but that’s really consistent with recent studies we’ve read just in the past week or two, so it’s helpful to have that reaffirmed.
John W. Simek: Before we move on to our next segment, let’s take a quick commercial break.
Sharon D. Nelson: Looking for secure legal software to help manage your firm’s matters in the cloud? With Clio’s cloud-based legal software, you can safely manage everything. From client intake to billing, from one secure platform so that attorneys can spend more time doing what they do best, practicing law. To learn why over 150,000 attorneys, firm staff and IT leaders trust Clio, visit clio.com today. That’s Clio spelled C-L-I-O.com.
As a lawyer, insurance is one of the last parts of your job you want to spend unbillable hours on. That’s why thousands of lawyers have switched to Embroker. Embroker offers A+ rated insurance for law firms. You can quote and buy instantly online. If you need help, they have experts on standby. Go from sign up to purchase in 15 minutes by visiting embroker.com/law. That’s E-M-B-R-O-K-E-R.com/law.
Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is How Secure is Your Law Firm’s Data. Our guest is Peter Baumann, the CEO and founder of ActiveNav, a leading data privacy and governance software provider.
John W. Simek: Peter, prior to the break, we talked a little bit about unstructured data but I want to take that a little bit further and can you talk some about why unstructured data is often a bigger threat to the law firm’s data security than structured data?
Peter Baumann: Yeah, absolutely. John, the legal sector is really no different to most sectors, and the risks of unstructured data are largely the same or greater. The reason I believe that they’re actually greater than, say, the average organization or sector is because of the nature of the content that they’re holding. It is by its very nature the job of law firms to hold sensitive information. That could be information associated with individuals or a group of individuals, but they also hold either the money or the access to the money.
And so, the bad guys know that and there’s some good stuff to go find, if you like. When you’ve got an arbitrary collection of unstructured data sitting in an email account, or on a file server or chat stream, for example, you’ve got no signals or tools to identify and manage that data. You’re at risk. If hackers were to infiltrate the organization’s network, potentially via an unstructured data source, there’s nothing stopping them from getting hold of that highly confidential client data: matter files, court filings, contracts, deposition files, et cetera.
And aside from the monetary risk, it can also lead to a significant loss of confidentiality. Trust and data protection are tantamount to the legal industry’s modus operandi ethos. And failure to keep data safe can and will result, I believe, in not only compliance and contractual breaches, and of course non-compliance with the regulatory privacy rules and laws out there, but also reputational damage, and to some extent, that’s the greatest risk that firms carry.
Sharon D. Nelson: Well, given that they absolutely do have that risk, why in the world do you think, we have our own ideas but, why do you think that legal organizations avoid dealing with their unstructured data?
Peter Baumann: You know, my flippant answer, and I think you know this, Sharon, from the first time we met, is that it’s just too hard. And maybe a slightly more nuanced answer is they don’t really understand the implications of what might happen and what’s in this data. So, you know, dealing with unstructured data feels daunting, can be all-consuming, and because most legal organizations are kind of generally still unaware of the magnitude of the risk, they procrastinate on it. Is it something we do today? Do we push it off? Are we in control of our structured assets? Can we just lean into the privacy policies and cyber perimeter protection that we already have? So, for me, that’s not unusual to encounter in this sector. Legal staff, and I say this carefully, may be tempted to kind of cut corners on their personal data security practice because at an individual level, it seems low risk, and if you have thousands of individuals doing the same thing, then clearly you have thousands of potential entry points that hackers can exploit.
Sharon D. Nelson: Yeah, we find I think frequently that they just say it will cost too much and take too much time at which point, we start to talk about how much time and how much money a data breach will take.
Peter Baumann: Well, that’s right. The ROIs against dealing, and successfully dealing, with your unstructured data are significant. In the early days, 10 years or so ago, it was all about storage savings. And generally now, it’s the other side of the pinwheel; it’s all about risk. And so, you’ve got to know that there’s no shortage of good ROI metrics here, and to some extent it depends on the organization. We find that organizations are very willing to deal with this post-breach; it’s extremely compelling. And for those that are dealing with it as a good practitioner, there’s usually some other kind of catalyst that sets them off. And it might be something quite simple. It might be a data migration program or project, and they’re moving their data from this box to another box, going to the cloud, and whilst they’re doing that is a perfect opportunity to actually look at that data and get your arms around it, and clean it, and label it, and do all the necessary good IG things that need to be done to it.
John W. Simek: Well, Peter let’s take a little bit different course here and talk something about the types of tools or resources that are available to deal with data assessments and remediation.
Peter Baumann: Yeah, of course, and I’m glad we get to this. One of the reasons it’s so hard to deal with and/or people put it off is because they’ve either had a bad experience using maybe the wrong tool or they don’t appreciate that there are tools to deal with it. I was at a conference years ago, full of CIOs, and one of the best Gartner analysts, I felt at the time, had the lovely line. She said, “Look, it was people and technology that got us in this mess. It’s only technology that is going to get us back out of this unstructured data mess.” And people, of course, it is a joined thing, and don’t keep hoping it will go away or that it’s something episodic, maybe just for Christmas. It won’t. It’s a new line item on your P&L. I thought that was really interesting, and I think some organizations leant into it and accepted it, and others are still fighting it and hoping it can be dealt with through something else. So, the key thing is you need tools that are built to do the job, not secondary or tertiary players. And when you’re trying to get around this, the first thing you want to do is know what you’ve got, back to our earlier points. You can’t manage what you don’t know. And for us, that’s really about using tools that are built for unstructured data, that are built to have no knowledge of the content, and built holistically from the ground up.
So, they can deal with a large amount of content and have a proven kind of workflow triage process so that you’re not passing the burden of actually making decisions against the data to the users in the law firm, to the busy partners who are out there earning dollars for their business. They don’t want to be worrying about this other than where they absolutely have to. And so, it’s really important that the right tools are used. Historically, unfortunately, it’s not historically, it’s still today, a lot of organizations think that just carrying out a survey, you know, like a manual survey asking people about their data, will suffice. It is an important part of the process, but it doesn’t. The moment that survey is complete, the day after, it’s out of date. And the other problem with surveys is your reliance on human recollection, memory recollection, and when you ask them what’s an important document, they’ll tell you what they worked on last week. If you ask them what they worked on two years ago, they won’t have a clue and they won’t remember. So, you have a very narrow point in time. And so, the best way of doing it is combining those manual exercises and surveys, which do have some value, and then blending in a more map in them against actual data, what your data is about.
Sharon D. Nelson: Well, who’s typically responsible, Peter, for information governance, policy and risk assessments at a law firm or an organization?
Peter Baumann: Yeah, to some extent, it depends on the size of the firm. If it’s a Law 100 firm, then you’ll probably have a whole department, maybe a dozen people working in the department, and it will be very integrated with the kind of risk area, the CISO and others. If it’s a smaller firm, then it may come down to just one partner or a couple of people that respond, with some support and some assistance. Generally speaking, the IT department is responsible for the technology and the systems the data resides in. The actual owners of the data, of course, are not the IT department. And so, the IT department can’t take responsibility for making kind of decisions against the data. So, you do need to have subject-matter experts, as they’re commonly known, SMEs, and those SMEs will typically be people who own the data, and ultimately, they will be the partners or the lawyers in those firms. Other people somewhere in the mix are records managers, depending on the organization, who are experts on the data and will already understand how that organization chooses to kind of manage it.
Sharon D. Nelson: Well, before we move on to our next segment, let’s take a quick commercial break.
Christopher D. Anderson: The Un-Billable Hour podcast is devoted to all aspects of managing your law practice outside of your client responsibilities. I am Christopher T. Anderson, a lawyer and the host of the podcast. With each episode, I invite industry professionals to discuss best practices for marketing, time management, client acquisition and everything in between. For actionable and practical information to refine your practice, turn to The Un-Billable Hour on the Legal Talk Network.
Craig Williams: Today’s legal news is rarely as straightforward as the headlines that accompany it. On Lawyer 2 Lawyer, we provide the legal perspective you need to better understand the current events that shape our society. Join me, Craig Williams, and a wide variety of industry experts as we break down the top stories. Follow Lawyer 2 Lawyer on the Legal Talk Network or wherever you subscribe to podcasts.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. So, Peter, how do you get buy-in from lawyers to actually put proactive information governance or data protection policies in place? What’s the secret sauce for that?
Peter Baumann: Yes, you show them their own data. And what I mean by that is you shine a light on their own data and you show them the risk that they have within their organization, and you show the risk against a few things. You run the out-of-the-box algorithms, rules, et cetera, which will very quickly raise sensitive information that shouldn’t be there, PII and the like, non-compliant, privacy regulation-type data. But you also show them the data against their existing in-house policies. And one of the things I love about this: we were talking to a law firm just recently, and they never had a retention policy on their emails. And so, we all know that email has been around for at least 20 years now. And so, they have 20 years’ worth of emails, the risk threat.
John W. Simek: So, they’re a typical law firm then.
Peter Baumann: It would appear that way, John. I was trying to be polite.
And so, the risk threat is unbelievable. If you have a policy that just says five years, you’ve removed an enormous amount of risk, and in this particular case, they’re looking at a couple of policies, one for the people who have been in the organization for a long period of time, maybe 10 years, and then for newcomers, new staff, it will be one year. And so, they’re trying to go through a process of making that easier. But it’s really about bringing it to life and showing the risk and then, where you can, also showing the value. And when we really talk about the pinwheel, one side is all about risk and compliance. But once you’ve got through that, you start to extract the value from the data. And ultimately managing partners and the like, that’s what they really want. How can they leverage the information they’ve got to be better custodians of their customers’ data or take other offerings to market?
John W. Simek: Well, Peter, I think our listeners, they understand the obvious risks of case matter information or personal information that might be leaked during a breach but what about other risks to the law firm if they don’t have a proactive data strategy?
Peter Baumann: Yeah, I mean, I talked a little bit about this earlier on, John. Let me see if I can just pad it out a wee bit more. We talked a bit about reputation and I think that that’s super important. A law firm is built on confidence and reputation. And so, trust, those kinds of items, the cost, the monetary costs that you’ll be hit with due to such a breach, I talked a little bit about that, and I’ll say, we’re all familiar with GDPR, but with what looks like a forthcoming US federal privacy regulation, and let’s not kid ourselves, the US is extremely litigious compared to the EU, including the UK. And so, we expect to see the teeth being sharpened up on all the US privacy regulations at a state level and then obviously at the federal level.
And then, to my last point, finally, large volumes of unstructured data prevent any law firm from kind of being agile. They’re going to struggle to pivot, to grow, to scale the business. They won’t have any confidence, or they shouldn’t have any confidence, in their kind of trend analysis, and that will feed through to their ability to really monitor profitability and all kinds of risk management reporting. So, this data is so important. If it wasn’t so important, why is there so much of it, and why does every single customer interaction have so much unstructured data? And so, the value has to be managed, controlled, de-risked and then leveraged for the good of the organization.
Sharon D. Nelson: Well, I certainly think that’s true. And let’s have our final question kind of be a practical tip. If a law firm doesn’t have anything in place right now to govern their unstructured data, what’s the first step you want them to walk away with today that they can implement?
Peter Baumann: Yeah, well, the first thing is you need a plan. Without a plan, you can’t get anywhere, as we know. And part of that plan is then making sure you’ve got the right executive sponsorship. And in law firms, that’s going to be the managing partners. It has to go to the top because this does carry challenges with it, and it’s only going to be successful with executive sponsorship. So, a plan and then the right support and sponsorship. Then you get into the nuts and bolts, if you like. And for us, we talked about that kind of human survey. That’s a very helpful process to go through, and you’ve probably already done it on your structured data, so leverage it across your unstructured data. But then, more importantly, you need an up-to-date inventory of all those data assets. And once you have those in place, you can leverage any of the knowledge and experience and methodologies you’ve maybe used already on your structured data and carry those across into the unstructured space.
But more important than anything else is that you bring the right tools in to support this process. And the right tools, and I’ll be a little bit controversial here, are not re-leveraged e-discovery tools, which this community is very familiar with, which are brilliant at looking at multi-threads on small amounts of data, a few gigabytes, maybe a few terabytes. These are tools that can look at potentially petabytes, but certainly tens and tens of terabytes, and you need to use these tools to provide an up-to-date inventory of all your unstructured data assets. Not an episodic one, but one that’s kept current. And so, whether current for you is daily, weekly, possibly monthly, for unstructured data, that’s current. And so, you need to do a data inventory, and you need to use the data that comes out of the data inventory and align it with your policies, procedures, and your other methodologies.
And then, you essentially need to start a process of data remediation and management, and classification as appropriate in your organization.
Sharon D. Nelson: Well, I think that’s a good first step for them to take and certainly, John and I want to thank you for being our guest today. Peter, you’ve given them, I think a look into unstructured data which many have not had previously. You’ve told them what they might do about it, how to create a roadmap and you’ve done it all with that charming British accent that I so dearly love.
Peter Baumann: Thank you.
Sharon D. Nelson: I made you laugh. A lot of Americans are in love with British accents. What can I tell you?
Peter Baumann: Well, I never — us Brits, we literally don’t understand that. We think it’s very strange behavior. It’s just the way we talk.
John W. Simek: Well, that does it for this edition of Digital Detectives and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple podcast. And if you enjoyed our podcast, please rate us on Apple podcast.
Sharon D. Nelson: And you can find out more about Sensei’s Digital Forensics, managed technology and managed cybersecurity services at S-E-N-S-E-I-E-N-T.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.