Lawyers are in the business of holding sensitive and personal information, so they are prime targets for data breaches. Do you know how to protect your firm and clients? In this episode of the Florida Bar Podcast, hosts Christine Bilbrey and Karla Eckardt talk to Al Saikali about how lawyers should prepare their firms for different types of cybersecurity threats. They discuss how cybersecurity has changed and give tips on different types of administrative, technical, and physical safeguards. Firms of all sizes can implement defenses tailored to their needs, and lawyers have an ethical and legal obligation to take cybersecurity seriously.
Al Saikali is a Chambers-ranked lawyer specializing in privacy and data security law.
The Florida Bar Podcast
What Lawyers Need to Know about Cybersecurity
Intro: Welcome to The Florida Bar Podcast, where we highlight the latest trends in law office and law practice management to help you run your law firm, brought to you by The Florida Bar’s Practice Resource Institute. You are listening to Legal Talk Network.
Christine Bilbrey: Hello and welcome to The Florida Bar Podcast, brought to you by LegalFuel, The Practice Resource Center of The Florida Bar on Legal Talk Network. We are so glad you are joining us. This is Christine Bilbrey. I am a Senior Practice Management Advisor and one of the hosts for today’s show, which is being recorded from our offices in Tallahassee, Florida.
Karla Eckardt: Hello, I am Karla Eckardt. I am a Practice Management Advisor at The Florida Bar and a co-host of today’s podcast. Our goal at The Practice Resource Center is to assist Florida attorneys with running the business side of their law practices. We focus on a different topic each month and carry the theme through our website with related tips, videos and articles.
Christine Bilbrey: So, this month our topic is “Cybersecurity for Lawyers” and joining us is attorney Al Saikali. Al is a partner in the Miami office of Shook, Hardy & Bacon, where he founded and Chairs the firm’s Privacy and Data Security Practice Group. In that role Al directs breach response efforts, represents companies in litigation arising from data breaches. He maintains a blog at datasecuritylawjournal.com, where he writes about emerging trends and issues in data security and data privacy law.
The National Law Journal named Al a Trailblazer in Cybersecurity in 2015 and he is part of a small group of privacy lawyers who have received the Fellowship of Information Privacy Designation from the International Association of Privacy Professionals.
Al helped found and chairs the Sedona Conference’s Working Group on Privacy and Data Security Liability. He also co-Chairs the American Bar Association’s Cybersecurity Law Institute. And he is our very own Chair of the Florida Bar’s Technology Committee.
In his spare time he teaches Cybersecurity Law as an Adjunct Professor at St. Thomas University School of Business and he is the featured speaker this month for our LegalFuel Speaker Series CLE entitled Cybersecurity for the Everyday Lawyer.
Welcome to the show, Al.
Al Saikali: Hi Christine. Hi Karla. Thanks for having me.
Christine Bilbrey: Al was also the very first guest that we had over two years ago when we first took over The Florida Bar Podcast.
Karla Eckardt: So welcome back.
Christine Bilbrey: Yeah, you are our first returning guest.
Al Saikali: Well, I guess I consider it an honor to be invited back and congratulations that you are still around and doing well and thriving, so that’s great.
Christine Bilbrey: Thanks.
Karla Eckardt: Thank you. Oh wow.
Christine Bilbrey: So, Al, tell our listeners a little bit about yourself, and I am surprised you have any free time to also be teaching, because your résumé has grown since your first appearance, but how did you get into data and cybersecurity?
Al Saikali: So I got into this area when I was an associate back in like 2007, 2008 and we had a client come to us and they thought that they had a data breach and back then in 2007, 2008, there really weren’t any lawyers, very few practicing in this space. And the partner in my office who received this call from the client came to me and said, hey, you know how to use an iPad, can you figure this out, you know? It was basically — the understanding was Al knows technology, surely he can figure this sort of thing out.
So I did and it was a really interesting area. So I started writing about it. I started a blog. I started speaking about it, counseling more clients. And then we handled a very significant pro bono case probably late 2008, early 2009 that took off and required notice in all 50 states, and in fact, it affected, the breach there affected individuals — thousands of individuals around the United States and so it gave me some fantastic experience on writing breach notification letters and sending out the letters and handling a breach and the things you are supposed to be doing.
And with that experience it then turned into a lot of billable work from clients at the firm and the practice has just continued to evolve from there. Now with every state having a breach notification law, while initially most of my work was on the reactive side of data security, meaning helping companies that think they may have suffered a data breach, I would say now it’s a pretty even split between that and the proactive side, which is helping companies prepare for an incident, drafting policies, procedures, helping them comply with all of these privacy and data security laws out there.
So it’s been fascinating watching the law change and grow and the team here went from one person in 2007 to about 25 of us now at Shook that are doing this, to some extent. So I think that’s probably a trend you have seen at a few different firms, but it’s been going very well for us, for sure.
Karla Eckardt: So one of the hardest points for us to get across to small and solo practitioners especially, because big firms tend to have a better grasp on this, is that even as a small firm or a solo practitioner, you can still be a target. So why is it in your experience that you find that lawyers are such big or good targets for hackers?
Al Saikali: Lawyers are excellent targets for hackers because it’s the nature of their job to have sensitive information for clients. The lawyers have proprietary secrets about their clients, they have collected significant amount of personal information, depending on the types of clients that they represent, particularly in the financial industry or healthcare industry or retail industry. And so because they have that sort of information in their possession, they are obviously a target for hackers.
And it tends to be that hackers are focusing more on the vendors to the big companies than the big companies themselves, and at the end of the day that is what lawyers are, they are vendors to the large companies and large companies are sharing sensitive information with them and it just tends to be that the vendors don’t have strong security practices as the companies themselves and so they are often a focus of attack.
And I think it really honestly hasn’t been until the last year or two, I would say that law firms have really started to pay attention to this issue, and up to that point they didn’t really have a lot of really strong security safeguards, they weren’t raising awareness of these issues internally. I don’t think they would even understand when a breach had taken place for many firms.
And so, I think that’s changing a lot and very quickly, but that’s I think why they have been a target up to this point.
Christine Bilbrey: And I think a lot of non-techie attorneys, they have been just overwhelmed with these topics, the cybersecurity, where they almost shut down because it’s like we are speaking another language. And I know that you go into more detail so we do want people to watch that free CLE that you have recorded for us, but can you break it down, some of the foreign words that people maybe just haven’t had time to really understand what that looks like, so the cyber espionage, and the ransomware and the spear phishing, can you just give us like simple definitions of those for people so we can meet them where they are at?
Al Saikali: Yeah, so there are different kinds of things that constitute a data breach, and I think there is a big misconception that a data breach just means that there is a bad guy, a hacker that gets into my system and steals all my stuff. And they are based in some foreign country and they are sharing all this information for, whatever, cyber espionage purposes. And certainly that is one type of a data breach, but a data breach is any unauthorized access of personally identifiable information.
So think about that for a second. That’s not just necessarily clients, it could be employees. Personal information is defined under Florida law as a name, plus either a Social Security Number, a driver’s license number, financial information, health information, I mean there are several other data elements as well, and that’s just for Florida. I mean, if you are a firm doing business around the United States, then chances are you have collected information from individuals all around the US and each state has its own different law.
And so, I give that definition as a way of kind of play setting a little bit, because it goes to the question of, what are all these different types of data breaches that are out there?
So ransomware, for example, is a fancy way of saying that some bad guy has locked up your computer so that you can’t access information that’s on that computer and you have to pay some ransom in order to be able to get that access back. And just because you pay the ransom honestly there is no guarantee that you will get the access back, and even if you do get the access back, chances are it could happen again.
So paying the ransom is not necessarily the best thing, but that’s a whole sort of topic for discussion. So ransomware is one type of breach, because it inhibits your ability to access the information.
The other could be sort of a cyber attack and that may be as a result of spear phishing. Spear phishing, I was at a conference recently by Mandiant, which is the leading cybersecurity firm in the country probably and they said that 90% of all data breaches and cyber attacks are a result of spear phishing.
Spear phishing means that a bad guy is targeting a small group of individuals at a company and learns some information about them. Maybe they go on the LinkedIn or whatever it may be and learn some information, like their email address, their name, their title, and then uses that information to phish, to send out an email to the individual to pretend to be someone else, or to do something that somehow gets that bad guy the credentials to get into their system. They have spear phished.
Sometimes there is a phrase also out there called “Whaling”, which is a different type of phishing. Whaling is for the really big, like the CEO of a company or something like that, that’s whaling. So, with these credentials they are able to get into the system and once they are able to get in, they can access all the information that’s in there.
And one practical way that we are seeing this really happen a lot right now is with cloud-based email services. Office 365 is one type, but it’s certainly not limited to that, and what I mean by that is if you log into your email using the web, you have your username and your password and if somebody else gets the username, that username and password, they can go to Office 365’s website and try to login and access your email there. That’s data breach, right?
And so if that happens, the lesson learned is making sure that you are limiting who has access to your credentials and using something called Multifactor Authentication. And I know it’s a big word and let me explain it in 10 seconds. Multifactor Authentication means that you are requiring more than just putting in your username and password to get access; you have to put in like some token. So you authenticate based on either who you are, what you know, or what you have.
So an example of what you know would be your credentials, an example of what you have might be like a card that you scan on your device or a token or something. And then who you are would be like a biometric scan, you are just putting your fingerprint on something. So Multifactor Authentication means you are using more than one of those three types of ways of authenticating.
And if you do that you — I went to a presentation by the President of Google who said that is the number one piece of advice that he would give anybody to help them secure their information is use multifactor authentication. And it’s so true, because if I am a hacker and I have Al’s credentials, I can’t really do anything with that unless I have that second way of authenticating myself, so that when I put in Al’s credentials at Office 365’s website, it’s then going to ask me, okay, what’s the token that we just sent to you, Al? He is not going to know that, he doesn’t have my stuff.
Like that is what security professionals will tell you is the number one thing you could do. So if people listening to this podcast, the one thing I would say, take away from this is go back to your offices and make sure you are using that.
Christine Bilbrey: Yeah, absolutely, because it’s a basic thing. Like my credit card companies — when I go to log in to my credit card website, I have the choice to turn that on or turn it off and it’s as simple as saying yes, I want that turned on, so when I try to log in, it sends me a code and I enter the code. But I think too many people are just, nope, I can’t be bothered and I don’t think they are realizing what they are opening themselves up to.
And I have to tell you, so there is like here are the things I hear. Everyone is going to get hacked, there is nothing you can do, so I am not doing anything about it. And then the other extreme is that, you have got to spend a whole lot of money, you have all been hacked, you just don’t realize it.
So if I am a small practitioner, I am overwhelmed by this, what are you suggesting that I do in my office?
Al Saikali: Yeah, that’s an easy way. It may be that your information may get compromised and it may be inevitable that that will happen, but do you really want to face the liability that’s involved when the hacker uses your account to break into your email system or your document management system and steal information about your clients, because guess what, once that happens you have an ethical and legal obligation to notify those clients that their information has been impacted.
And what lawyer, when we are in the business of maintaining secrets for clients, wants to go tell their clients that guess what, we didn’t use the common thing of multifactor authentication and as a result some bad guys got into our system and stole your information and you may now be subject to a data breach. Nobody wants to have that conversation.
So it may seem a little daunting to some companies, particularly law firms, particularly small ones to say look, I don’t have the money to do a lot in this space right now, it seems very overwhelming, but I could provide you two or three really good small cybersecurity firms that you can have a conversation with and they can tell you generally here are your top five priorities, you can hire them to do an information security assessment, where they come to your law firm and they kind of give you a sense of, okay, look, you could be doing 100 different things, but here are the five things you need to be doing right now and that I think can be really helpful.
Because then it also gives you an opportunity to show your client you take it seriously, because clients now are increasingly asking law firms, what are you doing to secure my information? We get those questions all the time. I mean questionnaires with tens, if not scores, of questions in them from large companies saying, are you doing this, are you doing that, what are you doing for this? And so you have got to be prepared to demonstrate that you are doing something. It’s not enough to say well, hopefully it won’t happen to me and taking the ostrich approach and sticking your head in the sand is just not the way to go.
Karla Eckardt: Right. And since you touched upon the liability issues, what Florida Bar ethical obligations do lawyers have to secure client information, because I feel like a lot of them think that if they just keep it on their computer and they don’t put it on another computer or on their iPad or on their phones, that it’s fine, that they don’t have to do anything else.
Al Saikali: No. Yeah, they definitely have the ethical obligation under Rule 1.6 and then under — and legal obligations under the Florida Information Protection Act to adopt what are called Reasonable Security Safeguards, and that is a squishy term. There is a lot of room for what that means, but it means things like encrypting your information for sure, making sure that all your information is encrypted at rest and in transit.
So what does that mean? At rest is — an example of at rest is when looking at my laptop as it’s sitting there, all the information on there is encrypted, so when I turn on my laptop the first thing it’s going to say is put in your password, and when I put in my password it becomes unencrypted and I am able to read the information that’s on there. That’s encryption.
So if a bad guy gets my laptop and he opens it up, he can’t do anything, he can’t access anything. In fact, encryption is so important that the Florida Information Protection Act says that if encrypted information is accessed as a result of a data breach, there is not even an obligation to notify, unless there is some exception where like the bad guy gets your password that allows them to unencrypt. So encryption is a big part of what you have to do under these standards.
And so I think that you have got to be thinking about what is it — looking at what you have, what information you have, I think it all starts — we often tell clients it starts with a data inventory, meaning getting a sense of what sort of data, sensitive information are you collecting, where is it residing, what are you doing with it.
I will go back to a second because I said encryption at rest, but there is also encryption in transit, which is when you send an email, it’s leaving that laptop and going somewhere else. There is technology you can purchase and I think maybe even free in some circumstances, where it will send the email in a way that’s encrypted so that if it’s intercepted in some way, the bad guy can’t see it. So that’s also another type of encryption that you want to sort of look into.
And there are three types of safeguards in all of this to take a big picture approach. There are administrative safeguards, there are physical safeguards, and then there are technical safeguards.
So encryption would be kind of technical safeguard. Technical safeguard is like what you hire your IT guys to do, firewalls, encryption, things like that.
And then administrative safeguards would be things like training, learning about the issues, raising awareness about it, training your employees to know what is a breach, how should they be securing personal information, what is personal information, having a policy, having an incident response plan.
And then you have your physical safeguards, which is when someone comes to your law office, can they just walk right into your filing cabinet? Is there somebody there to greet them, a security guard, to take their name? Do you have locks on your filing cabinets to the extent that it’s paper documents? Those are physical safeguards.
And so the law and the rules of ethics look to all three. You have to have all three and there is not a silver bullet, there is not a checklist that if you do these five things you are good, but you have to demonstrate at least that you have been doing some things towards being secure as you can. Any security expert is going to tell you 100% security can never be reached, but you have to keep making an ongoing effort to improve the security of your law firm.
Christine Bilbrey: And so you are talking about there is a lot of high tech things, the low tech, like getting your staff to not click on the link in those emails, that’s a whole other thing, but what’s your opinion on firms purchasing cybersecurity insurance?
Al Saikali: I think it’s a fantastic idea and in some ways it’s against my own interest honestly as a lawyer in this space, because we are not necessarily on all the panels for these insurance companies, but really the good reason why you want to have it is because the insurance companies will provide you a list of vendors.
So when you think you have had some sort of an incident, you pick up the phone, you call your insurance company and they will tell you okay, here are the three or four law firms that we recommend that you use who can give you advice on what legally you have to do in terms of potentially notifying someone or not having to notify someone.
Here are your list of cybersecurity vendors and forensic teams that can come in and figure out, was there unauthorized access to information, are you still being compromised, what can be done to prevent this from happening moving forward, that I think is maybe your most important vendor that’s offered as part of the cybersecurity insurance.
And then if you determine that you do have an obligation to notify third parties, they will provide you with a list of vendors who can help send out the notices for you to all of the individuals and can help you develop FAQs, set up a call center if it’s a really big potential incident. So it really does help in that respect in terms of minimizing the cost of the response.
Because if you were to add up — let’s say you didn’t have the insurance and you had to hire all three types of vendors, you are looking at potentially hundreds of thousands of dollars in fees as a result of it.
I mean I saw a statistic recently that said that the average breach — the cost of an average breach is something like I think $3.1 million, which I think is — I think that’s escalated, I don’t think that — those are not the breaches that I see. And the mega breaches that these really large companies suffer obviously skews that number much higher.
But are you looking at hundreds of thousands of dollars potentially? Yes, even as a smaller firm, because the forensic investigations, they are not cheap and they can be time-consuming and the cost of remediating and replacing equipment that’s affected, all of that.
So cybersecurity insurance I think is a great way to start. There are one or two really good carriers I think in the space, but there are a number of different carriers and you can talk to your broker and I am sure they will help you find one.
Karla Eckardt: Right. I just want to reiterate that there is a misconception that malpractice insurance, your regular malpractice policy will cover this and it will not, so it’s important that people contact their insurance providers and make sure that they have this particular policy in place.
You have talked about of course insurance providers being a good resource after the fact, but where else can solo or small firms go to find reputable cybersecurity experts, apart from yourself of course?
Al Saikali: Well, if I am a lawyer listening to this and I am at a smaller firm, I mean look, I have my list of three or four small ones, but other than asking me who are the cybersecurity experts, you can — well, there’s different kinds of experts. You have got the forensic experts and in that respect I think simply just doing some research on Google.
And then, I know The Florida Bar also has some member services where there may be one or two forensic vendors I think that are part of that, that I think that they are — that the lawyers can certainly reach out to. Or asking a broker, because I think that the brokers will know which vendors the carriers use and they can probably give you a heads-up that way too, and then just getting involved in the space, looking up information security experts in Florida, things like that, to kind of ask around.
And then on the legal side, the easy way I say is look at Chambers. I mean, Chambers has a separate ranking for privacy and data security lawyers in the United States. Now, you are looking at primarily larger firms there, but that’s certainly one resource to find lawyers in that space.
And then there are different blogs that are out there as well. I like a blog by, oh, I am losing his name now, Brian Krebs, who used to work for The Washington Post, it’s a really nice, easily digestible blog. And of course Law Fuel as well has some good resources too — LegalFuel, sorry.
Christine Bilbrey: Well, it looks like we have reached the end of our program, that’s excellent advice.
Thank you Al Saikali for joining us today.
Karla Eckardt: So Al, if our listeners have any questions or want to follow up and presumably they haven’t watched the CLE because you do provide your contact information on there, where can they reach you?
Al Saikali: You can send me an email at [email protected]. You can go to our website, Shook, Hardy & Bacon and find my bio and reach out to me that way. You can also give me a call. I am happy to talk to anybody about it, especially my colleagues here in The Florida Bar, happy to help however we can.
Christine Bilbrey: Excellent. So when you get done listening to our podcast today, please go encrypt your laptop and then go find Al’s CLE on legalfuel.com entitled Cybersecurity for Lawyers.
If you liked what you heard today, please rate us on Apple Podcast. Join us next time for another episode of The Florida Bar Podcast brought to you by LegalFuel, The Practice Resource Center of The Florida Bar on Legal Talk Network.
I am Christine Bilbrey.
Karla Eckardt: And I am Karla Eckardt. Until next time, thank you for listening.
Outro: Thanks for listening to The Florida Bar Podcast, brought to you by The Florida Bar’s Practice Resource Institute and produced by the broadcast professionals at Legal Talk Network.
If you would like more information about today’s show, please visit legaltalknetwork.com. Subscribe via iTunes and RSS. Find The Florida Bar, The Florida Bar Practice Resource Institute and Legal Talk Network on Twitter, Facebook and LinkedIn, or download the free app from Legal Talk Network in Google Play and iTunes.
The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.