Blame it on Target. Or Edward Snowden. But in case you haven't noticed, legal technology conversations lately aren't exactly obsessed with predictive coding right now. Instead, firms—and everyday citizens—are more likely to be discussing data breaches, cybercrimes, and concerns about confidential client information.
But according to a new survey by LexisNexis' Legal & Professional division, while law firms may be talking—they aren't doing very much about it. The company reports that 89 percent of the 300 legal professionals in 40 states and in 15 practice areas who were recently polled said their firms send confidential information to clients via unencrypted email—relying on a disclaimer at the bottom of the correspondence to serve as protection.
So what are the ramifications? How are law firms, corporate counsel and vendors responding to these sometimes contradictory technology challenges? We can get some clues from last week's Computer and Enterprise Investigations Conference, annually presented by Guidance Software.
For starters, the company has always thrown a broad cloth around its offerings. Founded in 1997, Guidance has targeted both electronic data discovery and other "digital investigations," and today offers a line of seven software products under the "EnCase" brand (and a line of Tableau forensics products). The company says its EnCase Enterprise platform "is used by more than half of the Fortune 500," by the likes of Allstate, Ford, General Electric, Pfizer and Viacom, to name a few.
It's easy to see that Guidance, and its CEIC conference, cover a wide range of disciplines, including digital forensics, cybersecurity, e-discovery and litigation support, compliance and risk management, information and law enforcement.
Guidance President and CEO Victor Limongelli kicked off the 2014 four-day CEIC event with the opening keynote on May 19, explaining how the company has decided to transition to a "platform" approach for its EnCase suite of products. The concept is to move from a "closed" (self-contained) system to a more collaborative environment, where third parties can plug applications into the EnCase platform and, in effect, customize the operation to meet the specific needs of their organizations.
Perhaps Guidance is also reacting to yet another strong legal industry trend: bring your own devices. About a year ago, Guidance launched its EnCase App Central store (think Apple Inc.'s App Store). It offers apps from third-party developers that can be integrated into the EnCase platform, Limongelli explained. To date, there have been more than 30,000 downloads from the EnCase App Central store, he told the audience.
"It's all about apps," observed San Francisco's Albert Barsocchini, director of strategic consulting at Minnesota-based NightOwl Discovery. He served as an associate general counsel at Guidance for eight years (2003-11). "EnCase is no longer closed," he said. Now, EnCase products are a foundation, and organizations can build systems on top of that foundation, said Barsocchini.
But don't think the company is throwing out its babies with the bath water. "With recent attention on data breaches, including Target Corp. and the controversy about Edward Snowden's disclosure of government documents, I expected to see cybersecurity take center stage," observed Boston's David Horrigan, an analyst and counsel at 451 Research.
"Guidance has traditionally had three focus areas—forensics, cybersecurity and e-discovery," he said. "What surprised me was Limongelli’s strong focus on e-discovery," said Horrigan. "The keynote highlighted Guidance's new e-discovery offerings, including Linked Review, which we expect to be Guidance's answer to predictive coding," Horrigan noted.
U.S. law firms may be worried about the security risks of sharing confidential information online, but a new survey by LexisNexis' legal and professional division reveals that they are not doing much about it.
Unencrypted email remains by far the most prominent way that law firms share privileged communications with their clients, with 89 percent of respondents reporting that it is the firm's primary method of distributing information.
In March, the company canvassed about 300 legal professionals in 40 states across 15 different practice areas. Results show that although respondents were aware of the risks, and wary of them, the most common method of securing documents and protecting privilege was the use of a confidentiality statement at the bottom of an email, with 77 percent of firms reporting this was their primary line of defense.
“There’s clearly a disconnect between expressed security concerns and measures law firms employ to protect their clients and themselves,” said Christopher Anderson, a senior product manager at LexisNexis, in a statement. “Relying on a mere statement of confidentiality when sharing privileged communications by email is a weak measure—and further it might protect the law firm but affords very little protection for the client,” he said.
A minority of law firms go a step further to protect their information, with 22 percent saying they use email encryption, 14 percent using a password to protect documents and 13 percent employing a secure file-sharing site. At the reverse end of the spectrum, 4 percent of respondents said they take no measures at all to protect private information. “Law firms need to perform their due diligence, stay abreast of technology and ultimately protect their clients’ interest online just as they do in providing legal counsel,” said Anderson.
Most law firms dish up technology by implementing and supporting systems in-house. They have little choice but to deal with upgrades and replacements because vendors continually displace "obsolete" older versions of applications and hardware. These upgrades are usually costly and disruptive. Certainly, some changes are warranted but much of the turmoil absorbs IT staff resources and creates little value for a firm. The advent of cloud computing and managed services is providing firms a viable alternative.
CLOUD AND MANAGED SERVICES DEFINED
In general, there are two types of cloud services. The first, often called Software as a Service, involves an application—or set of like applications—run by a third-party vendor and accessed through the Internet via a web browser. The second approach involves data that is stored or shared via a third party’s infrastructure and accessed via the Internet. Examples of this type of service (security issues aside) would be Dropbox or Apple's iCloud.
Let's focus on SaaS. With these services, firm personnel access an application(s) via the Web to perform their day-to-day work. Their work product and data is stored on the vendor’s systems. Several vendors have set up integrated application sets (suites) that include practice management, document management, time entry, and billing for law firms.
As attractive as cloud services seem, however, firm lawyers may be uncomfortable about having the firm's data completely managed and stored by an outside vendor. The use of managed services is one way to address this issue.
With managed services, the firm maintains ownership of server and data center equipment, but contracts to have the day-to-day operations and upgrades managed by a vendor. It is possible to set up these services so they mimic a cloud service—thus the term “private cloud.” There are many shades within the spectrum of managed services, with vendors owning more or less of the infrastructure and applications.
The advantages of cloud-based services are many. They include:
• Access from anywhere there are Internet connections.
• Reduced need to manage IT infrastructure (servers and data storage) within your firm.
• Application and hardware upgrades handled by the vendor.
• Predictable (fixed) pricing—usually based on the number of users.
• Reduced capital spending.
• Business continuity built-in.
• Good vendors provide 24/7 support.
Managed services have similar advantages. However, the level of benefits from reduced capital spending and avoidance of software and hardware upgrade hassles will depend on how much of the IT infrastructure and associated applications continues to be maintained in-house by the firm.
The other major advantage of both approaches is the potential impact on IT staff utilization. With in-house systems, as much as 75 percent of staff time is dedicated to maintenance. By moving to cloud or managed services, this maintenance component can be dramatically reduced. Of course, IT staff will need to take on a bigger role managing the vendors. The change nevertheless should free up significant IT staff time for value-added services that help the firm make better use of technology, particularly in pursuit of superior client service.
These services are not a magic bullet. No contract with a cloud or managed services vendor should be entered into without the proper due diligence. Most importantly, firms need to make sure the vendor is financially sound and has a good track record, that a sufficient level of technology infrastructure and back-up is in place, and that firm data will be properly secured. It is important to “kick the tires” by testing the service thoroughly before making a commitment. Understanding how to get firm data back when the service is no longer needed is also critical.
A firm’s telecommunications network is what connects it to these services. To get best performance, a firm will need a robust network infrastructure that provides a high-speed telecommunications network connecting all your office-based systems with the cloud vendor and the Internet.
Using cloud-based applications may mean that firms will have to give up some ability to customize software and hardware for particular firm and lawyer needs. For example, the ability to customize interfaces or financial reports may be limited, or lawyers may have to live with restrictions on how quickly old documents can be retrieved. At some firms, cultural preferences will have to be considered and carefully managed.
MAKING THE TRANSITION
Transitioning from in-house-based systems to a cloud or managed services platform will require thorough planning to get the most benefit and minimize disruption. This change will not only affect how people in the firm access systems and information, but may require people to learn new systems and new ways of working. Also, significant role changes may be required for the in-house IT staff. Anticipating these changes and their impact will be important to achieving the benefits of the systems transition and a successful project. The following steps are recommended:
1. Identify the applications and systems that will be transitioned. Determine if the target will be managed services or a move to cloud applications.
2. Clearly document your firm’s requirements for performance, availability, security, and functionality for the systems and applications that will be moved.
3. Identify and choose the service vendor(s) based on the requirements. This is typically done via a "request for proposal" process.
4. Develop a detailed transition plan for each application. Determine the human impact and develop appropriate change management, communications and training plans.
5. Run a pilot test with either a small group of people and/or a particular application. Adjust your plans based on the results of the test. Include a test of the vendor’s back-up and recovery processes.
6. Rollout to the firm.
Depending on the number of applications and the size of the firm, a transition could take from six to 18 months. Success with this type of project will depend on strong support from firm management and strong project management from the IT staff (or consultant if the skills do not exist in-house). The cost will also be highly dependent on firm size, geography and the applications and hardware involved.
Cloud and managed services hold great promise for law firms and other businesses. The potential for improving a firm’s access to technology while scaling back on the need for in-house technology infrastructure makes these services compelling. Done correctly, firms will benefit tremendously by spending more time focused on their core business of delivering outstanding service and results to clients rather than distracting technology issues far removed from that core.
Philip Wisoff is a principal at MTC Services, based in the New York Metro Area.
1. Beware the overshare. Avoid providing TMI (too much information) a la Miley Cyrus. We’ve all seen tweeters who tell us every time they go to Starbucks, or folks that post several times each hour. Not only does this annoy readers and prompt them to un-follow you, but it also gives the impression that you have nothing better to do than to post inane content all day long. Post frequently only when you have meaningful content to convey, like when you’re at LegalTech or the International Legal Technology Association and new people and ideas are inspiring your posts.
2. Don’t be MIA. Ever go to look up a company’s LinkedIn, Twitter or Facebook page, only to find that it doesn’t exist or is so scarcely populated that it looks like a dummy corporation for the Mob? Not good! Vendors need to establish sites on at least these three main social media venues. Even if the sites are not constantly posted to, the content about the company should be accurate.
3. Be Proactive, Not Reactive. Many social media blunders result from vendors seeing a competitor’s activity and trying to pull stunts to outdo them. Hasty and reckless social media activity can be incredibly damaging and it lives forever on the web, so take a step back and plan out your strategy and tactics. Post responsibly!
1. LOOK AT ME! The biggest mistake vendors make with social media is subscribing to the LOOK AT ME! "strategy." Social media success is not measured by who sends the most tweets or publishes the most posts, but the value of the content. A good way to measure the quality of your content is by the number of new followers you gain. If you are distributing content that is valuable, people will follow you to receive it.
2. Hijacking an event hashtag. Used the right way, industry event hashtags (e.g., #LTNY for LegalTech New York) help build your audience, but often people hijack those hashtags. Don’t have every person who works for your company retweet a message sent from your main company account. You can tell when you look at the feed of the hashtag and the same message appears 10 times in a row. Be respectful.
3. Hoping it will go away. Facebook has more than a billion users and Twitter logs 241 million monthly active users. According to a DOMO infographic, every minute of every day 27,778 new posts are published on Tumblr; Foursquare users check-in 2,083 times; and YouTube users upload 48 hours of new video. The bottom-line—you simply cannot ignore social media. While you won’t become an expert overnight, social media tools now make it easier than ever to get started. Start small. Pick two, e.g., Twitter and LinkedIn, and spend 30 minutes a week building your online presence.
1. Lose sight of the big picture: Aside from posting politically incorrect tweets or following someone who tells the world what she or he is doing every minute of every day, the number one mistake is thinking that social media is a silver bullet. You aren’t going to share one post and have 20 Am Law partners clamoring for your software. Activities around social media must align with your marketing plan and goals. If your company is focused on, for example, growing its presence on the East Coast or targeting law firm CIOs in order to win 10 new clients in Q3, then your social media efforts should have a special focus on supporting that goal.
2. Spray and pray: From LinkedIn to Instagram to Confide, the number of social media channels grows every day. It’s very tempting to take on as many of these channels as you can—after all, don’t you want to build an online presence and recognition for your company? But stop. Take the time to carefully evaluate each social media channel, its advantages, its benefits and—most importantly—if your prospects and clients are using it.
3. Concentrate on the numbers: “Hi, I’m X. I have 3,000 Twitter followers.” My (internal) response: “Who cares? How does that define you as an individual?” We want to measure progress and one of the most common defaults is to define success on the social media front based on the number of followers. A recent study showed that about 40 percent of Twitter accounts are owned and populated by bots. Know who your followers are, connect with them authentically and see them as more than just numbers.
>> Valerie Chan, principal, Plat4orm Public Relations, Seattle. E-mail: email@example.com. Website: www.plat4ormpr.com.
Social media can help drive web traffic and raise visibility on search engines, and generate new leads; however, most posts on sites, like Twitter and LinkedIn, are replaced by new entries every 10-15 seconds. And most people just don't have time to stay connected 100% of the time. In order to use social media effectively, organizations should avoid these three major mistakes:
1. Skipping the employees in the process. All employees are important—especially when it comes to evangelizing your company. Make every employee a social media evangelist; re-tweeting, sharing and linking to corporate posts will promulgate the network.
2. Assuming people will follow. Many people just don't have time. Make it easy for your prospects to follow you by including your social media links on all outbound marketing items—on the website, in press releases, in advertising, on white papers and on collateral.
3. Forget to protect the brand. With all things electronic, the brand is the most important company asset—and it needs to be properly protected. Social media sites, especially Facebook, expose personal aspects of employees' and friends' lives that could harm an organization's reputation. Establish strict policies for commenting, linking, following and tagging as part of the HR policies and procedures.
>> Edward Colandra, associate, Legal Vertical Strategies and legal technology sales and marketing consultant, InnerVision, New York. Email: firstname.lastname@example.org. Website: www.LVStrategies.com.
1. Not having a strategy that ties social media into your overall marketing plan. Spending time on LinkedIn, Twitter, Facebook, etc, without setting expectations for measurable results can be a waste of time. There is little value to simply measure re-tweets, followers or likes. Rather, determine the expected tangible results in awareness, demand generation, and/or sales that your plan expects, and decide how your social media activities will produce the desired results.
2. Commercials: LinkedIn can be a great place to develop a well-deserved reputation. But when done wrong, answers to questions are merely a poorly concealed commercial for your product or service. Instead, engage in conversation. Respond with suggestions. While it’s OK to reference your own product, a potential client will likely respond to a sincere willingness to be helped through a question or crisis. An epic failure sounds like “Hey, call me. We have a one-of-a-kind, best-of-breed service that will cure all your ills. When do you want to see a demo?”
3. Missed connections: Each of us develops a personal brand via social media. But failing to make an obvious connection between you (the individual) and your company is a mistake. People follow you because they expect a personal opinion from an expert. That expertise should logically be connected to the values your company brings to the market, and thereby enhance the value of both.
Compiled by Monica Bay, editor-in-chief of Law Technology News. Twitter: @lawtechnews @LTNMonicaBay. If you have a question for the marketers, email email@example.com.
When customers should be notified of a data breach, how to react if a breach occurs and best practices for preserving data were the topics of a panel at Georgetown Law Center's Cybersecurity Law Institute on Thursday.
“Potential Legal Exposure/Aftermath of a Breach: A Simulation” discussed potential data breach scenarios and how they can best be handled. The moderator of the panel was Kimberly Peretti, a partner at Alston & Bird. Panelists included: Thomas Hibarger, managing director of Stroz Friedberg in Washington, D.C.; Pablo Martinez, managing director of global investigations and cybercrime at Citibank; Joseph Moan, associate general counsel handling employment law and data privacy at Coca-Cola Co.; and Greg Schaffer, CEO of the cybersecurity firm First72 Cyber.
Before a data breach is announced to the public, it is best to make sure that the number of affected users is accurate, said Schaffer, otherwise that number might have to be revised, which can be embarrassing. “It’s not the event that gets you killed,” said Schaffer. “It’s the cover-up that gets you killed.”
Law enforcement might ask that notification be delayed to help the investigation catch the cyber “bad guy” behind the attack, said Martinez, as the incident could potentially be linked to another crime. In the event of a breach, contaminated servers should be taken offline and information necessary to the case should be preserved, said Martinez.
In some instances, law enforcement agencies that have good working relationships with outside counsel will use the firm as a point of contact—for example, if the firm asks to receive the subpoena instead of its client. In that scenario, law enforcement must receive the information they are requesting in a timely manner, and a forensic report must be conducted by a third party, Martinez said.
When a data breach hits, companies are well-advised to overreact, rather than underreact, observed Hibarger.
The panelists each shared three data security tips:
Hibarger: 1) Take a proactive step by creating an incident response plan; 2) have a good information governance policy in place; and 3) make sure that your antianxiety medication is up-to-date, joked Hibarger.
Moan: 1) Have the right data security personnel in place; 2) if a breach occurs, tap the highest-level executives at your organization for a more strategic view of the issues at hand; and 3) get to know government regulators ahead of time.
Martinez: 1) Properly train employees; 2) have a playbook; and 3) make sure that there is an internal communication plan in place before a crisis happens.
Schaffer: 1) Know your data security plan and procedures (so it does not have to be pulled off the shelf in the event of a breach); 2) know your assets (e.g., where your data is and where it flows through an enterprise); and 3) know your vendors (how your data is moving around in the vendor’s system) and acquisitions.