The new era of data protection and regulation is far from foolproof, but more realistic and comprehensive than ever before.
The cybersecurity environment is one in constant flux—not just in terms of attacks and how cybercriminals operate, but also in how corporations think about and ultimately implement cybersecurity in-house. At Legalweek West's "Regulatory Update & Strategies to Manage Cyber Risk" session on June 12, speakers from the legal and corporate worlds looked to define this new era of best practices and protection.
Below are three trends that are at the foundation of how modern companies and law firms address cybersecurity in the current market.
1. IT is a partner, not the main player.
At the foundation of any cybersecurity plan is the need to identify where and how corporate data resides. However, it is an area where most law firms and corporations come up short. "This is where firms are told to start but they fail [to answer] why exactly they care about [the data] and where exactly it is," said Matthew Todd, chief security officer and vice president at financial adviser group Financial Engines Inc.
The problem, he explained, is that most companies tend to depend on their IT department to know and manage all of their in-house data. But given that many departments store data with cloud providers or vendors without informing IT, such thinking can be out of date.
Companies "need to have an ongoing conversation, because guess what, [where data resides] is not static and changes over time," Todd said.
And what's more, even if the IT department did have visibility into all data in-house, it would still need to know what data warrants higher levels of protection.
"IT are given the prerogative to protect the data, but they don't always have the context with which to do it," Todd said. He advised that IT should know what information is considered high-value to "make trade-offs. This kind of stuff can be protected more, or this less."
While it may seem obvious which information is considered sensitive, Steve Bunnell, a partner at O'Melveny & Myers, noted that in some companies, this is not always clear cut. "There are also [data] categories that could be more harmful if they get out, data that could affect the operations of the car or avionics that could cause a plane to crash. Those are important things to protect even if they're not secret-sauce stuff."
2. Cyber regulations are near a tipping point.
As of spring 2017, almost every state has a breach notification law that requires companies to inform authorities or the public if they suffer a specified type of breach. Julie Engbloom, co-chair of the privacy and data security practice group at Lane Powell, noted that New Mexico became the most recent state to pass such a law in 2017.
But the move towards breach notification is not the only cybersecurity regulatory trend happening within the country. Engbloom pointed to the effect that the New York State Department of Financial Services' cybersecurity regulation, which has unprecedented scope, could have on the future of other state laws.
"[New York's] regulation has certainly raised the bar and likely will become a model for other states," she said, adding that the regulation "elevates the notion of security from IT right into the board room, and certainly boards have been put on notice."
Among the regulation's various requirements, Engbloom pointed to the need to provide "notice within 72 hours of a breach," and the fact that "third-party vendors [of the regulated company] need [to] be in compliance with the law as well," as the most far-reaching and aggressive.
New York's regulation, which takes effect in August 2017, is already starting to shape what financial services companies expect of their law firms.
"Mayer Brown responds to 30 [security] audits, half of which are from financial companies every month," said Eric B. Evans, partner and co-chair of the firm's electronic discovery and information governance practice. He added that the law is "increasingly shaping how financial services companies and law firms that deal with them are able to make choices."
3. Effective training is holistic—but never foolproof.
When he was general counsel of the U.S. Department of Homeland Security, Bunnell oversaw almost 2,000 lawyers. "While some of them were focused on cybersecurity, the vast majority [weren't]," he recalled. "And it became clear to me very early on that most of them were not very technically proficient, like many lawyers."
So to help his attorneys understand cybersecurity best practices, Bunnell launched what he called "a campaign for cyber literacy." An attempt to educate the department's attorneys in technical internet and cybersecurity knowledge, the program attempted to help lawyers "ask better questions" and use more "security by design thinking earlier on."
Such basic technology education, Bunnell explained, is pivotal, as it gives attorneys a better understanding of why they should protect data in the ways that they are increasingly called to employ.
Training, however, doesn't necessarily result in a completely secure environment. Financial Engines' Todd noted that his company runs "an anti-phishing campaign" that sends emails "that look really realistic" to staff. He said that while the rate at which staff notice that the emails are part of a phishing campaign will "never be perfect," the company will have to "keep chipping away at it."
Todd added that even among his team of tech services professionals, many were tricked by phishing email tests. While many "realized it was phishing," they still clicked on it because they were "distracted by another thing."
For Bunnell, accounting for such failure is a necessary part of any cybersecurity testing. To better catch mistakes and teach in-house attorneys at DHS, he said that his security team would test them with fake phishing emails offering "invitations to pick up free Redskins tickets. And when they showed up to pick them up, they got an hour of [cybersecurity] training."
Reprinted with permission from the June 13, 2017 edition of Legaltech News © 2017 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.