Images
Ed.
note:
This
article
first
appeared
in
an
ILTA
publication.
With
cyberattacks
and
data
breaches
dominating
the
headlines,
legal
professionals,
whether
in
law
firms
or
corporate
legal
departments,
now
serve
as
protectors
of
trust,
privacy,
and
some
of
the
world’s
most
sensitive
information.
Today,
security
is
no
longer
a
background
IT
task;
it
is
a
leadership
imperative
in
legal
service
delivery,
risk
mitigation,
and
brand
management.
Legal
work
is
digital
and
distributed,
and
expectations
extend
far
beyond
merely
checking
off
compliance
boxes.
Clients,
corporate
leadership,
and
regulators
are
watching.
They
demand
transparency
and
assurance
that
your
law
firm
or
legal
department
is
proactive
about
securing
all
privileged
data,
monitoring
the
vendor
ecosystem,
and
adapting
to
an
evolving
threat
landscape.
This
article
outlines
the
seven
most
critical
security
strategies
to
safeguard
information
and
proactively
build
client
and
stakeholder
confidence.
[1]
Build
a
Culture
of
Vigilance
Both
law
firms
and
in-house
legal
teams
are
now
judged
not
just
on
legal
skill,
but
also
on
their
ability
to
protect
highly
sensitive
data.
Research
shows
that
roughly
one
in
three
law
firms
will
be
targeted
by
a
data
breach
this
year,
with
the
average
incident
costing
over
five
million
dollars.
Even
more
troubling,
63%
of
those
breaches
trace
back
to
third-party
vendors
or
partners,
making
external
risk
management
as
important
as
internal
controls.
Law
Firms
Clients
are
sending
increasingly
detailed
security
questionnaires
and
often
require
contractual
proof
of
your
security
controls,
including
documentation
on
vendor
oversight.
Corporate
Legal
Departments
Boards
and
nonlegal
business
leaders
expect
you
to
uphold
or
exceed
the
security
standards
that
govern
the
rest
of
the
organization.
There
is
often
a
need
to
oversee
both
your
internal
systems
and
the
security
practices
of
your
outside
counsel
and
legal
technology
vendors.
Action
Steps
Map
every
touchpoint
where
client
or
company
data
exchange
occurs,
internally
and
externally.
Ensure
that
the
appropriate
levels
of
protection
(e.g.,
encryption
or
access
controls)
are
in
place
at
each
touchpoint.
Designate
security
champions
on
both
legal
and
business
teams
to
bridge
communication
gaps
and
remediate
any
gaps
in
protection.
Create
open
channels
with
IT
and
compliance,
ensuring
you
receive
alerts
about
new
risks
and
best
practices.
[2]
Turn
Compliance
into
a
Competitive
Advantage
Regulations,
including
HIPAA,
GDPR,
CCPA,
and
more,
dictate
how
legal
organizations
handle
information.
But
the
best
law
firms
and
legal
departments
go
beyond
the
minimum,
positioning
compliance
as
a
value
proposition
and
a
reason
for
clients
or
the
C-suite
to
trust
them.
Law
Firms
Highlight
a
culture
of
compliance
in
RFPs,
outside
counsel
guidelines,
and
pitches.
Clients
increasingly
differentiate
between
firms
based
on
their
ability
to
manage
risk
and
share
audit
documentation.
Legal
Departments
Be
the
compliance
role
model
for
your
company.
Demand
documentation
from
outside
counsel
and
review
every
supporting
vendor
for
regulatory
gaps.
For
example,
when
working
internationally,
confirm
GDPR
controls
at
every
stage.
Do
not
just
rely
on
a
signed
business
associate
agreement
or
a
sweeping,
generic
statement:
require
proof,
process
walk-throughs,
or
third-party
certifications.
Action
Steps
Catalog
applicable
regulations:
Map
which
statutes
and
guidelines
(e.g.,
PIPEDA
for
Canadian
matters,
HIPAA
for
health
care,
etc.)
apply
to
each
workflow.
Train
every
team
member:
From
senior
counsel
to
administrators,
make
compliance
part
of
onboarding
and
annual
reviews.
Demand
regular
vendor
audits:
Require
outside
partners
to
provide
up-to-date
certifications
and
respond
to
standardized
compliance
questionnaires.
[3]
Treat
All
Client,
Company,
and
Case
Data
as
Highly
Sensitive
Legal
risk
does
not
respect
any
boundaries
between
official
records
and
working
documents.
IP
filings,
deal
memos,
video
depositions,
transcripts,
background
emails,
and
anything
else
associated
with
legal
matters
may
contain
highly
confidential
or
regulated
material.
Law
Firms
The
days
of
treating
only
internal
firm
files,
such
as
retainer
agreements
or
billing
records,
as
the
most
important
or
confidential
are
over.
Anything
related
to
a
client
must
be
considered
mission-critical
security
data.
Legal
Departments
Internal
memos,
early-stage
project
files,
and
communications
often
get
overlooked.
Everything,
including
scratch
notes
and
emails,
should
be
subject
to
the
same
protections
as
a
finalized
contract.
Action
Steps
Adopt
a
universal
classification
rule.
If
it
touches
a
legal
matter
or
sensitive
business
strategy,
protect
it
fully
with
no
exceptions.
Invest
in
secure
collaboration
platforms.
Choose
tools
that
support
granular
access
controls,
transparent
audit
trails,
and
easy
revocation
of
access.
Audit
legacy
data.
Regularly
sweep
shared
drives
and
email
archives
for
unprotected
or
improperly
stored
files.
[4]
Proactively
Vet
and
Monitor
Every
Third-Party
Vendor
Breaches
rarely
start
at
home.
More
than
half
originate
in
the
extensive
web
of
litigation
support
providers,
software
vendors,
contract
staffing
agencies,
and,
sometimes,
expert
witnesses.
Both
in-house
and
law
firm
legal
teams
must
scrutinize
every
vendor
as
a
source
of
risk.
Action
Steps
Adopt
a
standardized
risk-vetting
tool
(such
as
Shared
Assessments’
SIG
questionnaire)
to
screen
all
vendors.
Require
multitiered
evidence:
Ask
for
independent
audits
(SOC
2,
ISO
27001),
vendor
supply
chain
risk
questionnaires,
and
regular
IT/infosec
reviews.
Insist
on
regulatory
attestation:
Obtain
written,
renewed
sign-offs
from
both
vendors
and
their
critical
subcontractors
confirming
compliance
with
every
relevant
statute
(HIPAA,
GDPR,
CCPA,
etc.).
Consider
legal
industry
specialists:
Firms
like
Prevalent
focus
on
legal
technology
supply
chains
and
can
streamline
complex
vendor
reviews.
[5]
Make
Encryption
a
Nonnegotiable,
Visible
Standard
Encryption
must
be
used
everywhere:
for
files
at
rest,
for
data
in
transit,
and
for
backups.
Encryption
not
only
protects
sensitive
data
(by
making
it
unreadable)
but
it
also
helps
minimize
risk
if
any
information
is
ever
exposed
in
a
data
breach
(since
it’s
unreadable
if
encrypted
using
strong
protocols).
Law
Firms
Document
your
encryption
policy
in
your
client
security
briefing.
Make
clear
that
encryption
is
not
just
“enabled”:
it’s
enforced,
monitored,
and
routinely
audited.
Using
a
cloud
service
does
not
guarantee
encryption,
and
vendor
claims
should
be
scrutinized
and
independently
verified.
Legal
Departments
Don’t
just
rely
on
generic
IT
statements.
Request
and
periodically
review
encryption
documentation
and
processes,
especially
when
onboarding
or
updating
tools
and
vendors.
Action
Steps
Mandate
encryption
for
all
client
and
company
data—from
emails
and
files
to
backups
and
endpoints.
Demand
encryption
transparency
from
every
vendor.
Require
written
confirmation
in
RFPs
and
ongoing
contracts.
Keep
it
clear
and
straightforward.
Non-tech
stakeholders
should
always
know
which
files
are
encrypted,
when,
and
by
whom.
[6]
Require
Multifactor
Authentication
Everywhere
Passwords
are
among
the
most
easily
compromised
protections,
and
breaches
using
stolen
credentials
are
among
the
most
expensive
to
remediate.
MFA
adds
another
layer
of
protection
against
password-based
incursions.
Law
Firms
Deploy
MFA
on
all
document
and
case
management
systems,
communication
tools,
and
any
platform
that
supports
remote
access.
Legal
Departments
Work
with
corporate
IT
to
ensure
MFA
is
enforced
across
legal
tool
sets,
third-party
logins
(for
vendors
or
outside
counsel),
and
SaaS
platforms,
old
and
new.
Taking
advantage
of
single
sign-on
(SSO)
in
tools
or
with
service
providers
that
support
it
will
simplify
staff
authentication
and
give
you
more
direct
control
over
who
can
access
external
systems.
Action
Steps
Apply
MFA
universally
for
every
employee,
partner,
business
unit,
and
critical
vendor
account.
Engage
users.
Use
mobile
authenticators,
push
notifications,
or
biometric
options.
Explore
the
feasibility
of
passkeys,
which
eliminate
passwords
and
further
reduce
your
exposure
to
security
risks.
Communicate
your
MFA
posture
to
business
leaders,
clients,
and
stakeholders.
Highlighting
MFA
as
a
default,
not
an
exception,
signals
your
seriousness
around
cybersecurity
and
can
differentiate
your
legal
department
or
firm
in
pitches
and
proposals.
[7]
Elevate
with
Ratings,
AI
Guardrails,
and
Human
Training
Just
as
credit
scores
are
used
to
gauge
risk,
legal
teams
should
require
up-to-date
security
ratings
for
any
company
with
access
to
their
data.
Tools
like
SecurityScorecard
and
Bitsight
provide
objective,
actionable
vendor
scores
based
on
data
breaches,
patching
cadence,
network
hygiene,
and
more.
It
is
also
essential
to
set
clear
AI
and
data
governance
standards.
The
adoption
of
GenAI
is
transforming
both
legal
work
and
associated
risks.
A
staggering
60%
of
breaches
are
due
to
human
error,
not
software
failure,
which
is
why
it’s
crucial
to
treat
security
training
and
testing
as
a
continuous
process.
The
strongest
legal
operations
create
a
culture
where
everyone,
from
junior
admin
to
senior
partner,
proactively
learns
and
tests
their
cyber
awareness.
Best
Practices
for
All
Legal
Organizations
Never
use
unredacted
client
or
company
data
to
train
external
or
internal
LLMs.
Insist
that
vendors
provide
written
guidelines
and
controls
on
AI
use,
data
retention,
and
LLM
training.
Create
your
own
firmwide
policy
on
the
responsible
use
of
AI
and
review
it
at
least
annually.
Ensure
every
person
in
the
firm
understands
its
full
scope.
Conduct
monthly
phishing
training
for
all
staff,
including
senior
partners,
C-suite
legal
officers,
and
contract
attorneys.
Treat
missed
exercises
as
learning,
not
punishment.
Provide
specialized
remedial
training
only
for
repeat
misses.
Ensure
that
all
providers
and
their
staff
undergo
security
awareness
training
with
documented
results.
A
New
Era
for
Legal
Security
Leadership
Security
is
now
a
legal
leadership
imperative
and
a
trust
multiplier.
Today’s
forward-looking
law
firms
and
legal
departments
are
not
just
rule
followers
but
risk
managers,
business
protectors,
and
confidence
builders.
By
embedding
these
seven
strategies
deeply
across
every
internal
procedure
and
external
partnership,
your
legal
organization
can
protect
its
clients,
work,
and
reputation.
Leadership
means
working
hand
in
hand:
corporate
counsel
and
outside
firms
collaborating
on
joint
risk
reviews,
sharing
best
practices,
and
speaking
up
together
for
stronger
protections
in
the
marketplace.
Security
is
everyone’s
job.
By
making
it
visible,
proactive,
and
continuous,
you
transform
it
from
a
vulnerability
into
an
enduring
strength.
Jacob
Mathai
is
the
chief
information
officer
for
Veritext
Legal
Solutions,
the
leader
in
technology-enabled
court
reporting
services
and
litigation
support
solutions.