
TAG Cyber Law Journal

November 2019
R. Jason Straight
Now that GCs are wary of outside counsel, there’s a lot they can do to shore up cybersecurity.
Ever since the Target breach in 2013, companies have been well aware that their vendors, even seemingly unimportant ones, can cause huge problems as unwitting conduits for cyberattacks. But for years corporations seemed to ignore the unique risks posed by another kind of vendor. This one is far from unimportant, but it hardly seems like a supplier at all: their law firms. The firms present huge third-party risks. But general counsel often viewed them as a special case, above the fray. That’s finally changed, according to R. Jason Straight. Companies can no longer afford to give them a pass. They should be subject to the same scrutiny as other vendors, he says.
Straight is in a good position to address this topic. He was an associate at Fried Frank right out of law school. But then he caught the tech bug and jumped to Kroll, the corporate investigations and risk consulting firm, where he worked his way up to managing director in the cybersecurity business. In 2013, not long before the Target case made headlines, he was hired by UnitedLex Corporation to build its Cyber Risk Solutions practice. The former Big Law associate is now tapped by general counsel to check out the security of their law firms.

CyberInsecurity News: UnitedLex started as a business that helped companies save money by outsourcing legal work to places like India. When did it enter the field of cybersecurity?
Jason Straight: Computer forensics has always been a part of UnitedLex’s business because it’s so closely related to e-discovery, which is the business that got UnitedLex started 12 years ago. And obviously it is the field of computer forensics from which much of the cybersecurity industry has developed. UnitedLex formally created the cyber risk business in 2013, and I came over to build out and expand the practice.

CN: The issue of third-party risk has drawn a lot of attention recently. How big a part of your practice is it?
JS: It comes up in virtually every area. Even when we’re providing managed security services, we’re understanding who the trusted third parties are on the network. Monitoring their activities is important so that we can more easily detect anomalous activity by parties that aren’t supposed to be there. In our risk assessment services, third parties represent a very significant part of the equation. Obviously the types of third parties that create risk vary significantly from industry to industry, but the trend toward outsourcing even quite sensitive functions has been going on for decades. The most obvious example is payroll. Almost no company processes their own payroll. That is some exceptionally sensitive information that companies are sharing. So if you’re really going to help an organization understand its risks, third parties have been part of that analysis for a long time.

CN: When you pay a call on a client these days, are they already attuned to this issue?
JS: They understand it’s an issue. But they often don’t know the best way to assess relative risk. One of the first things that we do when we come in is that we triage the suppliers that they work with. We try to keep it simple: high, medium and low. That’s how we classify the categories of risk. There’s no handbook for that. It’s quite different depending on what industry you’re working in. A lot of companies will do it by expense. They’ll say, “Here are the vendors with whom we spend $10 million a year or more.” Well, maybe it’s the biggest financial risk if something happens to that vendor, but what you really have to look at is what information you’re sharing with these vendors. So you might have a vendor you’re only spending $50,000 a year with, but the information you’re sending them is so sensitive that that pushes them into a high-risk category.

CN: Traditionally we hardly think of law firms as vendors at all. But in this context, companies have been reconsidering, haven’t they?
JS: Yes, they have. Law firms have slowly come to terms with the reality that yes, they are vendors. They’ve always been vendors. Certainly they’re a special category. I always like to joke with law firms: They’re special, but they’re not as special as they think. Law firms have been, for a variety of reasons, exempted from the standard third-party risk programs at a lot of companies for years. But that has really started to change—led by the big banks and the pharmaceutical companies and regulated industries that have been statutorily forced to look at law firm security controls with a little more scrutiny.

CN: When UnitedLex got started, it had to convince general counsel that they were not at risk when they outsourced their legal work to people they’d never met in India. Now you’re helping general counsel consider the risk of outsourcing their legal work to established firms right here in the United States, some of which they’ve worked with for years. It’s an interesting twist.
JS: It is indeed. One area of confusion is that as recently as five years ago, there was a lot of paranoia and outright refusal by a lot of companies to consider putting sensitive data into the cloud. “We lose control of it,” they said. “There’s risk.” Just like there was concern around outsourcing to places like India. But what’s happened in the intervening years is that the companies that are in the outsourcing business—including UnitedLex—understand that we’re one incident away from having a real business problem. And so we’ve invested heavily, and we’re probably protecting client data better than they protect it themselves. Law firms that weren’t getting scrutiny were getting by, saying—you don’t really hear this anymore—“We have a professional responsibility, an ethical obligation to protect sensitive information. It’s right in the rules of professional responsibility. And that’s all the assurance that you should need, client.” That was accepted for a long time. But companies have realized that, while lawyers certainly meant what they said, a lot of firms didn’t even understand their own risks.

CN: It seems to me that you could do your job and not be a lawyer. That is, you could have a technical background in forensics. Is it particularly valuable for you to be a lawyer, or is that just kind of like icing on the cake?
JS: Certainly there are many people who do what I do who are not lawyers and probably do it better than I do. So it’s not a requirement. Probably only a third of the people on my team are lawyers. So most of the people, like you said, are IT professionals who came out of law enforcement backgrounds, forensic backgrounds, much more technical backgrounds. We couldn’t operate this business without them. They could probably operate it without me. Now having said that, and understanding my bias here, I do think that there is a major benefit to having a legal background. Increasingly when you look at cyber risk, yes, you’re looking at technical controls and what would happen if the network goes down. But the other part of it is anticipating potential legal liability, and understanding—and this is something that a lot of purely technical firms miss—when it makes sense to engage counsel, either inside counsel or outside counsel, to allow the company to assert privilege or work product protection. As a lawyer, I have a very deep appreciation of that.

CN: A third of your team are lawyers. Why is that important?
JS: Is it necessary? No. Is it helpful? Yes. Someone who has gone through law school, and especially someone who has practiced a little, has skills that are useful in doing what we do. When we do incident response and risk assessment work, we interview people. We ask them questions to establish facts to put into a report. That’s something that lawyers are trained to do. They’re good at analyzing a set of facts and applying a rule, measuring against a standard. There are a lot of laws that we need to take into consideration. We have to have working knowledge of the General Data Protection Regulation. You don’t have to be a lawyer to read the GDPR and understand it, but it helps. And that’s the case with a lot of the regulations, whether it’s a state data breach notification law or HIPAA. But, by the same token, I wouldn’t get very far if my entire team was lawyers. We need the technical people, too.

CN: Do you find that in-house legal departments now have lawyers whose jobs are focused on cybersecurity these days? I’m hearing that’s more often the case.
JS: Very few will have lawyers that are dedicated full time to cybersecurity. But almost every company of any size will have a lawyer or a handful of lawyers that have a concentration of responsibilities in this area. It can include managing a third-party risk program, or advising on contract negotiations—what security controls the company itself would agree to undertake in order to win a piece of business. A lot of companies have a need for that kind of expertise. And depending on how frequently a company runs into regulatory issues—certainly financial institutions, the big banks, are going to have a big team of lawyers that do nothing but cybersecurity. Even some of the manufacturers and midsize businesses do. It’s rare to find a company that doesn’t have a lawyer with some experience in this area.


CN: Getting back to law firms: Is this something you routinely bring up with clients these days—discussing risks associated with their law firms?
JS: We do when we’re talking to the general counsel. And this is one of the things that separates law firm assessments from others. If you ask a chief information officer (CIO) or even a chief information security officer (CISO) about law firm security risk, they will often point you to the GC and say, “They’re exempted from our standard security program. I don’t like it, but that’s the way it is. And so you need to go talk to Legal about it.”

CN: When you talk to the general counsel, what usually happens?
JS: By and large, it is something they’re worried about. Usually we get a big sigh when we raise it. Some companies will describe some kind of process that they’re putting firms through. The big banks are starting to send the same kind of security control questionnaires to their law firms that they send to any other kind of supplier. And the GC would be aware of that. But it’s hard to generalize about GCs. I would say that those who have been through a data breach, or even a scare that involved a third party, are very attuned to the issues. The GC knows how sensitive the information is that they’re sharing with their law firms. I wouldn’t say they’re excited to dig into this. But they are at the point where they realize they can’t put their heads in the sand.

CN: What threats are law firms vulnerable to?
JS: Law firms are inherently more vulnerable to attack than any other kind of organization. Because of the business structure of a law firm and the realities of what a firm needs to do to support clients, they really can’t lock down their systems as tightly as what I’ll call a “normal” company. In order to do what they do, lawyers need to have access to their firm’s environment and document management system and email from wherever they are in the world, with whatever device they have in their hands, at any time of day or night. And they don’t want to have to ask permission to do it. That is a reality. And that’s not the case with other organizations, where you really can lock down access, and say, “OK, I know what you need to do your job. And that’s all I’m going to give you access to.” Access controls are one of the most effective ways to control cyber risk. So law firms have a limited ability to do that.
Now having said that, law firms could be doing more. If I’m a litigator, do I really need to have access to the wills and trusts documents? And if it ever came to the point where I needed that, I could go and ask permission. So firms could do more, but the reality is that there are some limitations. And the other thing is that they are more susceptible to social engineering—specifically spear phishing exploits. It’s pretty easy, because of the public nature of a lawyer’s representation of a client, to figure out which specific lawyers are representing which specific companies on which specific cases. Sophisticated attackers are starting to realize that if they’re unable to get into the corporate network that’s really their ultimate target, they will turn to third parties—and increasingly law firms—as a foothold to try to get access to the information they’re looking for.

CN: What’s the worst-case scenario when you think about law firm breaches?
JS: From a single intrusion, an attacker can get access to a law firm’s network, and then the data that’s exposed wouldn’t be just limited to one company. It would be hundreds of companies. Or even all of the firm’s clients. It’s hard to paint a worse picture than that. There was a situation last year where a major international law firm was affected by one of the large global ransomware attacks, and the firm essentially lost access to its network—all of its servers. Its laptops were essentially useless for weeks. There were court dates that were missed, briefs that couldn’t be filed, transactions that had to be delayed.

CN: You’re thinking of DLA Piper.
JS: I am.

CN: And, of course, the Panama Papers case made this subject a headline.
JS: Panama and Paradise Papers. Both of them. And the reason we know about the Panama Papers and the Paradise Papers is because the attackers wanted us to know. That was sort of the point, right? To publicize it. In most situations, nobody has any incentives to make public a breach like that. I’m not saying it happens every day, but it’s definitely happened a heck of a lot more than we know.


CN: Can you compare the risk that a company’s law firm poses to the other third parties that a company uses?
JS: If you think about the kinds of work that law firms do for companies, there’s a very wide spectrum of sensitivity on their representations. So a law firm that is negotiating commercial leases for a company—there’s some risk there. But it’s not going to come anywhere near the risk posed by a firm that’s handling M&A transactions, or high-stakes litigation, or even harassment suits. There’s a reason why the attorney-client privilege exists, and there’s a reason that there’s so much confidentiality that we put around the attorney-client relationship. It’s because there are tremendously sensitive communications going back and forth.
One of the points I wanted to make is that companies don’t think as much as they should about the things they do that actually exacerbate the risk. We work with a lot of law firms as clients as well as companies, and trust me, the law firms don’t want all this sensitive information to begin with. They understand the risk they’re taking on when a company sends them the CEO’s email for the last seven years in response to a litigation request. They don’t want to hold on to that stuff. There isn’t enough thought put into: “How can we restrict the volume of information that we share with firms, and how can we share that information in a way that reduces the risk of exposure?” I think we’re headed in that direction. Corporations are going to start to assert more control over their data, even when it’s being shared with third parties, including law firms. Instead of emailing sensitive files—and this is already happening—companies are using secure data repositories, secure FTPs, secure file transfer mechanisms. But even with the secure file transfer, often the firm is pulling the data down on the other side and putting it someplace in their environment, and I think we’ll start to see a move toward putting documents in a place where lawyers can access them but they cannot copy them. They can log in to a secure site using two-factor authentication. They’re able to work on documents there. They’re required to store their work product in a location that is again controlled by the corporation. You’re leaving less to chance. You’re leaving less to the discretion of the law firm.

CN: So, should companies treat their law firms more leniently than they treat other vendors—as many traditionally tended to do? And if not, should they devise special procedures like the ones you’ve been talking about that wouldn’t necessarily apply to other vendors?
JS: Law firms should absolutely, positively not be given a pass or be put into a special category that doesn’t get assessed for risk. We’re way past the point where that is a reasonable approach.

CN: So they’re not like “trusted travelers” at the airport who get to go to the TSA Clear line.
JS: [laughing] No. But I think you do have to recognize the ways in which law firms are different from most vendors. If you look at a payroll provider, you can map out the business processes that support that relationship. You can name the people at the company who interact with them. You can name the systems from which data is pulled. You can take a look at that business process and impose security controls on it. And that’s the case with most third parties. The risk that they pose to you today is essentially the risk that they posed to you yesterday and they’ll pose tomorrow. But with law firms that is not the case. It can literally change from hour to hour as the nature of the work changes. You have to take that into account. And you have to think about them differently. Instead of focusing on controls and technical security protections, you need to think about secure processes and putting mechanisms in place to make sure that before a law firm is given access to any information, that somebody who understands the risk equation is thinking of ways to minimize it.

CN: You’ve talked about some of the standards that can be imposed on at least some of the most sensitive work that a law firm may do. Can this be enforced across the board?
JS: The enforcement procedure for any third party is challenging. At a certain point you do have to trust that your third party is doing what it told you it’s doing. And obviously you’re getting commitments from them in writing, and it’s certainly the same for law firms. But one of the things that we recommend that companies do with their high-risk providers—and that wouldn’t be all law firms, just those that fall into that high-risk category—that you do an outside inspection. Usually we recommend at least annually. You’re going onsite and you’re saying, “Show me where my data is. And show me how you’re protecting it.” You send the security professional in to really look at not just the technical controls, but the organizational controls as well. “How are you determining who needs access to this information? And when someone changes roles and they no longer need access, how are you making sure that that access is removed?”

CN: How does that go over with the white-shoe law firms?
JS: The white-shoe law firms have grown fairly accustomed to it. Do they like it? Nooo. But the big firms in New York—the banks have been doing this to them for almost a decade. They will have one or more people whose full-time job is responding to these client security audits. Because of the volume of sensitive information that they have, it’s not unreasonable to hold them to the same standard that you’re holding to your payroll provider. But for smaller firms it becomes a much bigger challenge, and it’s much less justifiable.
I think it’s fair to have different standards for the large firms than you do for the smaller firms. What that means for the smaller firms is that they’re going to potentially need to qualify themselves to do work involving sensitive data in an incremental way. So a firm that isn’t quite as advanced or mature in their security controls may not be permitted to do certain kinds of work because of the sensitivity of the data. Or maybe you set up a process where any firm that isn’t able to meet these pretty severe standards has to use a special repository controlled by the company to access information.

CN: When should companies drop a firm because of cybersecurity risks? Do you ever have to advise them on this?
JS: That’s a real hard question. The short answer is that the only time I would ever recommend that a company drop a firm, or any third party, is, No. 1, if they’ve lied. They tell you they’re doing something, and it turns out they’re not. They knowingly misrepresented something to you in a security assessment. Or when it’s apparent that they just don’t care. That’s a little bit subjective, but you do see it. You see organizations that were told the year before that they really need to implement two-factor authentication, and you come back the next year and they still haven’t done it. And they’re making all kinds of excuses about budget or whatever. It’s pretty easy to see the firms that are doing the best they can, given the reality that nothing can happen overnight and there are financial constraints. But it’s pretty easy, when you’ve been in this business long enough, to separate the companies that are making an honest effort to protect data and those that are just crossing their fingers and hoping that they can get by to the next year. And there’s just too much risk today. I don’t think you can afford to do business with the ones that are just crossing their fingers.

CN: Speaking of risks, we should talk a bit about insurance. Should companies demand that their law firms carry cyber insurance?
JS: I think law firms should have cyber insurance. I think everybody should have cyber insurance. It’s a best practice. I would definitely raise my eyebrows at a firm today that didn’t have it. Or wasn’t at least looking at it. I’d want to understand why that would be. I’m not against requiring it, although you definitely do not want to put too much weight on the fact that they have it. They should have it. But a lot of the losses that can accrue from a data breach incident are not insurable in the first place. Your law firm’s cyber insurance is not going to pay for the damage to your reputation or the customer loss—the kinds of indirect effects that are often much bigger than the direct impact of a data breach event. So requiring insurance is fine, but don’t reduce your scrutiny in other areas just because a firm has insurance.

CN: How have law firms in general been responding to company complaints and demands about security?
JS: I would say that we’ve moved from initially being incredulous to being annoyed and irritated to acceptance. I think firms now for the most part really do understand that this is the new reality. I know the security professionals in these law firms are thankful that clients are demanding these controls. If the clients weren’t demanding them, they weren’t going to get them. Security professionals in these firms have been wanting bigger budgets, and they’ve been wanting to do more. And the partnerships have been holding them back, until it became an issue of: “Oh my God. We might actually lose a big client over this. OK, we’re going to double your budget pretty soon.” I think we’re there with the big firms. It’s the midsize firms and the smaller firms that are a little bit slower and are having challenges getting the budget, and also having the expertise to understand what to invest in. This is a problem not just with law firms but across all industries, as company organizations are spending money on the wrong stuff. And that can have a really big impact on a smaller firm.

CN: Have you found in-house lawyers to be allies with companies in this context?
JS: The GCs are welcoming this. I’m not saying they’re thrilled to be having to spend time on this, but this is something that keeps them up at night. Because if something happens, it’s on them. And the GCs know that. What they’ve been most frustrated with is having this on their plate, but not having any help implementing something that’s reasonable. We find that when we come in and are able to understand the special nature of the relationship, understand some of their constraints and ways that law firms are different, and then offer to help build a program to help reduce risk, at that point they’re very happy to have us.

CN: Has UnitedLex’s legal process outsourcing business run into these issues itself? How has it handled them?
JS: Are we getting more and more scrutiny around our security controls? Yes, we are. In addition to my role as leader of the cyber risk practice, I’m also the chief privacy officer for the company, which means that I’m responsible for making sure that UnitedLex is compliant with global data protection laws. I’ve been in that job for about five years now, and I can tell you that each year I’m spending more of my time on those duties—partly because of the regulatory environment, but also because more and more clients are asking questions to understand our privacy controls and what we’re doing to protect data. We are going through the same evolution as the law firms are. Companies like UnitedLex were getting scrutiny before the law firms were because we weren’t given that special law firm status. And in fact, one of the things we finally decided to do three years ago in the U.S.—longer ago than that in India—is that we finally got ISO 27001 certification [an international information security management system certified by the International Organization for Standardization in Geneva] for our operations that involve client data. A lot of the big law firms are going that route as well. That has made things somewhat easier—partly because, to maintain that certification, ISO forces you to have your controls extremely well documented and organized. So when someone comes in and asks to review our security program, we have a very clean set of documents and controls that we can share with them and show them. It makes our life a little easier when they do put that scrutiny on us. But we are getting onsite security audits on nearly a weekly basis. We’ve definitely seen the uptick like everybody else.

CN: That gives you an interesting and broad perspective, doesn’t it?
JS: It does indeed. I can literally see it from every angle, I think.

CN: Any last thoughts you want to leave with our readers?
JS: A lot of lawyers—and this is true for law firm lawyers and in-house counsel—get a little bit … I don’t want to say intimidated, but they get confused by the technology. They think that they can’t possibly understand IT well enough to be able to determine whether their company is doing what it should be to protect data. I would encourage them to invest some time and get to know their CISO, get to know their information security team, talk to them about what they’re seeing. Get involved in your own security program, and you’ll find that it’s actually fairly simple to understand. As someone who has made the transition from lawyer to security professional, it’s not as big of a chasm as you might think. And it really pays dividends.