Elie and Joe chat with Joshua Lenon, Clio Lawyer-in-Residence, about global cybersecurity threats and what lawyers can do about them — for both themselves and their clients. We also discuss potty training philosophies, so if you’re looking for guidance on that, Elie has you covered.
Special thanks to Clio, our sponsor for this episode.
Above the Law – Thinking Like a Lawyer
The Harrowing World Of Cybersecurity
Intro: Welcome to Thinking Like a Lawyer with your hosts Elie Mystal and Joe Patrice, talking about legal news and pop culture, all while thinking like a lawyer, here on Legal Talk Network.
Joe Patrice: Hello. Welcome to another edition of Thinking Like a Lawyer. I am Joe Patrice.
Joe Patrice: Yeah, thank you, thank you. And with me as always is my colleague Elie Mystal.
Elie Mystal: It’s been a long time since I have been forced to talk to you.
Joe Patrice: Yeah, that’s true. We had some real issues in March. I was out most of it and Elie didn’t want to do shows without me, which was I thought a very touching display of —
Elie Mystal: My two-year-old is almost potty-trained, I feel like my March was a success.
Joe Patrice: That’s true, that’s true. Now if we can just work on you, it will be fine, and actually no, as long as rum is not involved, you are fine.
Elie Mystal: Well, this week I want to start off by really thanking the gods that we do not work for a publicly traded company.
Joe Patrice: Yeah.
Elie Mystal: Because if we did apparently the President could attack our freedom of the press by going after our stock price.
Joe Patrice: Sure.
Elie Mystal: I don’t think people are sufficiently outraged by what Trump is doing to Amazon right now, and look, I am no great Amazon defender, right? I still have all the “what about the mom and pops and all of the businesses that Amazon has” story. So, I am no great Amazon defender, I am no great Bezos defender, but going after Amazon to get at The Washington Post is a clear attack on the First Amendment and the freedom of the press, and I don’t see how he’s getting away with it.
Joe Patrice: I was just having this conversation with our colleague, Thornton, who works at DealBreaker and it actually — I am less concerned on the freedom of the press angle as what he raised, which I think is something I hadn’t heard and discussed is, there are some securities fraud issues involved in utilizing your position to willfully drive a stock down.
Elie Mystal: From the podium he is spreading misinformation and disinformation about Amazon specifically to affect its stock price, that could be a lawsuit, that could be a shareholder lawsuit.
Joe Patrice: I am not really up on it but I think it’s even more than – it’s definitely a shareholder suit potentially but it strikes me so that’s actually a SEC violation potentially.
Elie Mystal: Another special counsel.
Joe Patrice: But yeah, so that’s going on.
Elie Mystal: So, I just want people — that’s my grind, I just want people to be aware of this and to be outraged by this and to not let this latest attack on Amazon and The Washington Post just get filed under Trump’s general distaste for news media, right? This is a different in kind attempt to attack the freedom of the press and people need to notice it.
Joe Patrice: Yeah.
Elie Mystal: Nobody is going to notice it.
Joe Patrice: No, I mean, I think people are noticing it but for other reasons, and it’s going to be washed —
Elie Mystal: He is going to win in 2020, isn’t he?
Joe Patrice: No, I mean, it’s going to be washed over when the bottom falls out of the economy in a couple of months, so I don’t really think this particular stock dip is going to matter when it falls a thousand points in a couple of weeks.
Elie Mystal: Trade War 2018.
Joe Patrice: Yeah, it’s —
Elie Mystal: I am obviously rooting for China.
Joe Patrice: I mean, it’s going to be a thing, we will see. So yeah, so I have been out, you have been here. The economy is still plugging along, it’s amazing but that was a relatively tame gear-grinding. I would have thought that potty training was going to get involved in your gear-grinding given what you have been talking about it.
Elie Mystal: The second one ended up being so much better than the first one that I can’t really — I mean it was — don’t get me wrong, it was one of the worst months of my life, but like one of the worst as opposed to potty training the first one, which is literally the worst thing that’s ever happened to me.
Joe Patrice: Amazing.
Elie Mystal: During potty training the first one I was honestly like reconsidered the whole thought of like having children or being alive, and I understood why people get chainsaws not to cut down trees.
Joe Patrice: Wow.
Elie Mystal: Like it was terrible.
Joe Patrice: Wow. So okay.
Elie Mystal: This one was comparatively yeah — yeah, you have been on the couch couple of times, whatever.
Joe Patrice: Yeah, I mean, who doesn’t?
Elie Mystal: Who has company anymore?
Joe Patrice: Yeah. So that’s cool. So, let’s take a break, I guess, and we will be back. It’s so new for us to be back, it’s been a while, we’re happy to have everybody back here. We are still relearning the ropes. We take breaks now, right? That’s what we do?
Elie Mystal: I believe so.
Joe Patrice: Alright.
Elie Mystal: Right now.
Joe Patrice: Right now. So, we are going to take a break and we will be right back.
Joe Patrice: Imagine what you could do with an extra eight hours per week? You could invest in marketing your firm. You could spend more time helping clients in need or you could catch your daughter’s soccer game. That’s how much time legal professionals save with Clio, the world’s leading practice management software.
With Clio time-tracking, billing and matter management are fast and easy, giving you more time to focus on what really matters. And, Clio is a complete practice management platform with plenty of tools and over 90 integrations to help you automate daily tasks, such as document generation and court calendaring. See how the right software can make it easier to manage your practice. Try Clio for free today at clio.com (http://www.clio.com).
Joe Patrice: And we are back; so Elie, want to talk about some cybersecurity?
Elie Mystal: I do, but first we should introduce our guest because I don’t actually know anything about cybersecurity.
Joe Patrice: Hmm, okay. So, for anyone listening, you probably have just stolen Elie’s identity, so.
Elie Mystal: If you ever want to be a 300-pound Black man with no assets, that’s Elie Mystal.
Joe Patrice: It’s so amazing. So, our guest today is Joshua Lenon. He is Lawyer-in-Residence at Clio and he is here to talk to us about some cybersecurity stuff.
Welcome to the show.
Joshua Lenon: Hi everybody. It’s great to be here.
Elie Mystal: How are you doing, Josh?
Joshua Lenon: I am doing great. It’s great to actually have this kind of cross-connection, the elites on the east and west coast, finally talking about the important issues.
Joe Patrice: And it’s a transnational conversation, right?
Joshua Lenon: I wasn’t going to raise that but I am up in a stunningly warm Kansas.
Joe Patrice: Nice.
Elie Mystal: Okay, Josh, so why don’t you, for our listeners, just give us the briefest of overviews about what we are talking about? When we’re talking about cybersecurity is it really the kind of identity theft that Joe just alluded to or are we talking about more kind of client data security? What does cybersecurity mean in the legal context?
Joshua Lenon: Well, I think you actually have to think about it in both instances. You do need to worry about your own personal information being protected because lawyers actually do have a lot of valuable data that is potentially at risk. Things like trust accounts, which are not necessarily client data, but do need to be protected from hackers, and then there are client files on top of that, which have an additional duty of confidentiality in addition to your normal privacy law requirements in keeping information secure.
So, lawyers tend to have a greater cybersecurity burden than a lot of other small businesses and large businesses out there, simply because of how much information they collect, retain and manage, both on their own behalf and on others. So, they are kind of up the creek.
Joe Patrice: I mean, this is why we — when we see these Panama Papers sorts of scandals come out, it all comes back to law firms because they are somewhat the weak underbelly of the security world.
Elie Mystal: So, Joshua, you’re kind of saying that law firms can be a soft target?
Joshua Lenon: Yeah, law firms are a soft target, and you mentioned the Panama Papers or the Paradise Papers. What’s really amazing about those is not just that a law firm got hacked but the sheer volume of data that comes out, right? They are the largest disclosures ever in the era of modern leaks, literally hundreds of thousands of pages of documents, and that’s more than people who have gone to jail over national security have released.
So, it takes an entire team of journalists around the world digging through these with new and advanced technology, sometimes e-discovery technology, to find information within these law firms’ hacked files. So, it’s not just that they are weak, they are actually also really valuable if you can get through, and it changes the risk cost-benefit for hackers to target things like law firms.
Elie Mystal: Let’s give our listeners some credit. Let’s assume that especially if they are working for a small or solo practice, they understand that this is important. I am wondering about our kind of big law listeners. We understand — let’s say they – again, let’s say they understand that this is important but what are they supposed to do about it? Let’s say you are a 6th year associate at a major Manhattan law firm and you notice a potential cybersecurity issue, what are you actually supposed to do with that information?
Joshua Lenon: Well, I think there’s one thing that lawyers can do that they probably aren’t doing already, and that’s listen to their IT staff. So, at big law firms they are very fortunate actually to have some highly trained, highly specialized IT and security professionals working for them and what’s interesting is there was an article that came out that discussed how law firms have a huge amount of security implemented but 95% of them are aware that their own staff and lawyers are not compliant with their policies.
So, the things that they have done to really keep themselves strong, are just being ignored by the rank-and-file lawyers, and I think a classic example that springs to mind of this is DLA Piper when they were hit with malware early in 2017 that encrypted all of their files. So, they are a large law firm, about 3,600 lawyers, 40 offices around the world, a huge budget for IT.
They have been certified as ISO 27001 compliant, which is a standard for managing and securely hosting types of data, and yet somebody somewhere, in either their Spain or Kiev offices depending on which report you read, infected the entire network with malware, and it took them over a month to recover, if they’ve fully recovered to this date, and so just one weak link in the chain at a law firm can bring the whole thing down.
Elie Mystal: Is that in part because IT professionals are generally passive-aggressive little snits that talk condescendingly to people with advanced degrees, it means that they have something to do with whether or not we listen to them?
Joe Patrice: Oh, I thought it was because a bunch of people with advanced degrees think they are way more important than they really are, even though they got advanced degrees that are basically three years of extra civics classes, and so they think, and they look down on these people, that’s what I thought I heard you say.
Elie Mystal: One or the other could partially explain why the IT professionals are not —
Joshua Lenon: There are definitely two ships passing in the night here. I’ll agree with you on that one, right?
Yeah, IT professionals do have to realize that a 60-year-old lawyer is not going to jump through a dozen hoops to get to their email, even though that’s the secure way to do it in some instances.
At the same time a 60-year-old lawyer should accept the fact that if they don’t want their profits per partner to go down or become non-existent, they may need to accept some security protocols as a part of their daily workflow, something simple like two-factor authentication, just the ability to have data silos between offices, such that if somebody clicks on the latest malware spam link pretending to be a Donald Trump quote it doesn’t infect every office around the world.
And yeah, it makes life slightly less convenient, but it makes everybody’s life more convenient in the long run when they aren’t staring at giant goatee logos all over their website.
Joe Patrice: We didn’t have this problem when we communicated by interoffice mail, I’ll tell you what.
Joshua Lenon: Exactly, the 60-year-old lawyer thing.
Joe Patrice: Yeah.
Joshua Lenon: Why can’t we go back to vacuum tubes?
Joe Patrice: I actually think we should go back to them not even if they’re valuable, but because they’re cool looking.
Joshua Lenon: Like the pneumatic tubes that would shoot things in capsule? I love those.
Joe Patrice: They were awesome.
Joshua Lenon: You should bring those back.
Elie Mystal: My pharmacy in the suburbs still has one.
Joe Patrice: Really?
Elie Mystal: Yeah, it’s pretty cool. How much of this — because we’re kind of joking about it, but how much of this is just an ageist kind of thing? How much of this will kind of — how much of this will retire itself out of the system in the next 10 or 15 years?
Joshua Lenon: No, I don’t think that’s the case at all. I think security is complex, it’s an ongoing process, rather than just a set it once and forget it, right?
And so, we’re always going to have hiccups along the way and there’s no perfect cybersecurity, but there are lots of things you can do to either minimize the risk or mitigate the risk if it does happen. And that’s what we need to be looking at.
And so, yeah, making it easy is definitely one of the things that you need to focus on, making security instantaneous when it needs to be updated is another thing that law firms should be looking at, and there are lots of different ways to do that.
I’m going to self-promote for one sec, so at Clio if we make a security update to our program, because we’re cloud-based, the very next time you log in, whether it’s on your mobile app or on your computer, you’ve got the most up-to-date secured version, and that’s an example of a standard that all law firms should be aiming for, just that kind of instantaneous easy updates to their software.
And unfortunately when you’re dealing with distributed on-premise solutions, a lot of which have been custom-built as they have been in big law, it’s really tough to do that quickly and easily.
Joe Patrice: Yeah, that’s — you mentioned the cloud thing and it’s so true, like there’s a lot of hesitance about cloud stuff because there’s still people in this world who gets scared with the idea of putting eggs in a basket that floats in the ether, but updates are always going to be better when you’re cloud-based. You’re always going to have a more secure environment and it’s — yes, there’s something scary about not having that data be in your closet, but at the same time it’s that old maxim about just not about don’t put all your eggs in one basket, put all your eggs in one basket and watch that basket. The having cloud-based answers is always going to be better, because they’re always going to be taking care of it more than you are with the updates in the server stack in your closet.
Joshua Lenon: There’s definitely an economy of scale and at ABA TECHSHOW one of the speakers talking about cloud said this, and he goes, if you’re on a cloud solution and you’re the smallest account on that cloud solution, you’re actually getting as much security as the biggest account on that cloud solution is paying for, and so it kind of lifts everybody up, which is nice.
It doesn’t mean cloud is the only solution, I’ll be honest, right? But it’s really difficult to find that economy of scale when it comes to security if you’re trying to roll your own.
Elie Mystal: How much of this can be delegated, because I think one of the issues that I see is that for a lot of cybersecurity we’re asking the lawyers themselves to do it. If you think about other kind of legal adjacent issues we generally, especially when you get a certain kind of age or stature in the profession, we kind of don’t expect lawyers to do a whole bunch of things, and I don’t mean this dismissively, even though I was joking earlier. I don’t mean this dismissively, but we don’t expect lawyers to do a whole bunch of things that we generally consider kind of like clerical duties, right?
You have your secretary to make sure of that. You have your younger associate to make sure all the blue booking is right. Like we kind of expect our senior attorneys to be just like brains in a box and somebody else handles all the rest of this for them, can we get to a point where cybersecurity is handled the same way or is this ultimately going to take an actual attorney kind of caring and paying attention and being knowledgeable about this?
Joshua Lenon: It’s both. So, there’s no way that an attorney can devote a portion of their time to cybersecurity, especially the large law firms and be effective. You need to be able to delegate to those people with expertise, those people who are aware of the continually changing nature of security and what needs to be done to meet it and are actively implementing those measures on your behalf, that has to be delegated if you want to be an effective lawyer.
But, you can’t delegate it away, because ultimately the buck stops with the lawyer. Ethically speaking lawyers need to be aware of what steps are being taken on their behalf, do they rise to the ethical standards that are required of lawyers for confidentiality in communications, right?
You can’t lock everything away and then not talk about it, so there has to be a balance between those two, and you have to understand kind of what are the implications of the steps that they’re taking?
And one of the tough things about cybersecurity in a good chunk of it is risk analysis, like how likely are we to really have a problem, and lawyers aren’t great at probability, we’re great at spotting risk but not great at assessing how likely is that risk to happen.
And so, I think if lawyers are going to develop any real cybersecurity skill, it needs to be probability analysis rather than network administration, and being able to take a look at the advice that they’re being given by experts, weigh that advice against their own requirements and apply it in a way that best fits their law firm and their clients. There’s no one-size-fits-all solution when it comes to that.
Elie Mystal: I mean, look, you make a great point, lawyers self-select to be risk-averse, not risk assessors necessarily. We issue spot, right? You’ve mentioned this a couple times and if you want to self-promote here again I won’t be unhappy about it.
You mentioned a couple of times the ethical responsibilities that lawyers have for confidentiality, and what occurs to me is that the people in charge of enforcing those ethical responsibilities are Bar Associations more than anybody, right? It’s your State Bar Association.
Are there cases where Bar Associations are dinging people for not doing this effectively, and what does again self-promotion, okay, what does a company like Clio do to help educate the Bar Associations about kind of what people need to be aware of?
Joshua Lenon: So, oddly enough, it’s not really the Bars, they’re doing a lot of that. It’s more the professional liability insurers.
Elie Mystal: Aah.
Joshua Lenon: But they will point to the standards issued by the Bars. So say, you kind of what is the duty of a lawyer and why didn’t they live up to that as a part of their insurance policy. So, that’s where you’re seeing a lot of negative consequences when these things happen, right?
There was a smaller law firm in New England that got hit with a similar malware as DLA Piper and they are having to sue their professional liability insurer in order to try and recover some of their insurance coverage.
And the insurance policy as I know, this is excluded, it’s not covered by this particular policy, and the fight is dragging on.
Elie Mystal: That makes a lot of sense. I hadn’t thought of our insurers are going to be the drivers of enforcement in so many different ways.
Joshua Lenon: Well, enforcement; there’s another driver of enforcement that’s happening right now and that’s the rise of regulated clients.
Joe Patrice: Oh, yeah.
Joshua Lenon: So, the New York Department of Finance has a cybersecurity regulation now on banks and other financial institutions and that regulation requires them to use vendors that also meet those same cybersecurity regulations.
And so regulated clients are starting to turn to law firms, especially in big law, and saying, you claim you are secure, you claim that you are protecting confidentiality, we are going to send in one of the big four accounting firms to audit you and they are going to have to prove it or you don’t get our business. So, they are kind of getting it on both sides, right? Either clients are demanding it or they are falling behind and their insurance companies are leaving them holding the bag, that’s where law firms are right now.
Joe Patrice: Now the big firms have the wherewithal to adapt to this and like you said from the cloud perspective that the smallest accounts getting all the protection of the largest account, are there other tips, tricks, things that small firms need to know about this? Our whole conversation kind of — we glossed immediately over imagine small firms to figure this out, let’s talk about big, but let’s go back and what if small firms haven’t figured this out? What do they need to be doing tomorrow if they think they have got their whole thing worked out and they probably don’t?
Joshua Lenon: Well, small firms are trying to rely on the idea of obscurity as a protection, right? They are like, I am a small firm, I am in Wichita, Kansas, I got a server in my closet, nobody is looking at me, and what they don’t understand is the automation and just sheer brute force of the hackers that are out there, right? They are literally just targeting anything and everything, it’s a spray-and-pray technique, and unfortunately a server in your closet that you haven’t updated since Windows XP is no longer going to cut it because it’s just automatically vulnerable and will eventually at some point be found by these guys. They are just again spraying and praying.
So, obscurity is no longer a protection. It’s going to need to be active measures, and for a small firm they need to be thinking about certain things like 24/7 risk vulnerability detection. They are going to need to know about constantly applying updates. They are going to need to be able to prove that even if they have that type of protection and something slips through that their protection was reasonable such that their insurer can’t deny claims against them.
So, there are a couple of things that we advise firms to take a look at right off the bat. First of which is what level of security is being provided by whatever service they are using, whether it’s something that they store in their closet whether or not it’s something that they use a cloud provider, they need to take a hard look at them, they need to see if there are any third-party reports on the security being provided. So, don’t take a vendor’s word for it, take the people who are paid to review vendors against each other and find them.
And it’s a bit of a rating agency trap having lived through the housing crisis. I take rating agencies with a grain of salt, but you do have to turn to experts again and use your professional judgment against them. From there use the security measures that are built-in, so many lawyers — well so many people, it’s not even just lawyers, go for convenience over security. And so, there are certain features built into Clio that we recommend every lawyer turn on.
So, the ability to require strong complex passwords, the ability to expire those passwords after a period of time, forcing them to create a new password with the same strength but different, to prevent anybody who picked up a Post-it note from being able to log in three months from now, using two-factor authentication when it comes to logging in, such that it’s not just an email and password that works its way through.
Encrypting your files at rest, so that way people can’t just pick up that hard drive off your desk and walk away with your files, and backing up really, really freaking often. You can never have too many backups as long as they are encrypted, because at some point there’s always going to be a weak point in your chain, right? It could be that your laptop dies and you really need that document you were working on. It could be that there’s a storm and the power lines go out and so you don’t have access to the Internet until the power lines are back up, and so your local backup can help cover you.
There are lots of different points of failure when it comes to technology, all of which can be overcome if you have got good technology, a good power supply and maybe an extra device or two and you are up and running again, no problem.
When lawyers do that they are really likely to have covered the basics and then they can start diving into the more esoteric demands that might be required by their individual clients.
Joe Patrice: Multiple devices also is an issue, could that raise flags? Obviously, if you are a solo practitioner they are all your devices, but the more devices you add to the chain, the more points of failure, right? Or is there some best practice on how to manage what people can access data on?
Joshua Lenon: Yeah, so cloud actually really helps with this as well. For example, in Clio we can just — if somebody say loses their phone, and it happens. You can just log on to Clio and turn off access from that device and so they no longer get access to law files even if somebody physically has the phone in their hand, they just can’t log in and that’s one way that cloud actually makes mobile more secure.
Elie Mystal: If I am a law student I am listening to this and thinking I got to worry about this until I have a job, am I right about that?
Joshua Lenon: Absolutely not, if you are going to be in-trained, you are going to need to quickly get up to speed on law firm cybersecurity policies, you have the exact same duties of confidentiality as a lawyer does, they are impugned upon you. I get to use my big vocabulary today. And quite frankly you may be going into an environment that doesn’t understand cybersecurity as well as you. It could be that you are dealing with maybe some antiquated systems, and it would be a good thing to point out politely that there may be some security risk in using tools this way.
Here are a couple things that we learned in law school about this issue, would you like me to see if I can implement some of them?
Elie Mystal: Oh, the partners are going to love you.
Joshua Lenon: Not every lawyer is going to love that suggestion, yeah, but the ones that get it should be the ones you want to work for anyway. You wouldn’t go into a mine that ignores safety regulations to work there, why would you go into a law firm that does the same?
Elie Mystal: Great analogy.
Joe Patrice: Yeah.
Elie Mystal: Because it is like working in a salt mine.
Joe Patrice: Yeah.
Joshua Lenon: There you go, yeah.
Joe Patrice: Yeah.
Joshua Lenon: You are grinding it out.
Joe Patrice: Yeah, it’s all well and good and then one day —
Joe Patrice: My man is going to sound effect back in there.
Joshua Lenon: Yeah, yeah soundboard, yeah.
Joe Patrice: All right, so I felt like I needed to – it’d been a while since I hit it. All right, thank you so much for joining us, Joshua. Joshua Lenon from Clio, which is at clio.com (http://www.clio.com). Thank you for listening everybody. Thank you Elie for being here.
Elie Mystal: Showed up to work today.
Joe Patrice: Yeah, now cool. If you aren’t subscribed to this podcast, you should do that. You should also give it reviews in Apple Podcasts or whichever of the various millions of podcast apps there are. Give it reviews, don’t just give it the stars, I mean give it five of those, but then also write something because that helps too. It helps the algorithm figure out that we are actually a law podcast, which sometimes is hard for people to know depending on the episode.
And you can follow us both at abovethelaw.com (http://www.abovethelaw.com). You can follow Elie at @ElieNYC on Twitter. I am at @JosephPatrice, and that’s pretty much everything.
Elie Mystal: See you guys soon.
Outro: If you would like more information about what you heard today, please visit legaltalknetwork.com (http://www.legaltalknetwork.com). You can also find us at abovethelaw.com (http://www.abovethelaw.com), atlredline.com (http://www.atlredline.com), iTunes, RSS, Twitter, and Facebook.
The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
Joe Patrice: And –
Elie Mystal: They drop out.
Joe Patrice: And cybersecurity got them, and there go the hackers. They do not want you to hear this. That’s how important this information is.
Joe Patrice: Yeah.