This is the second of our two-part interview with Dennis Garcia, assistant general counsel at Microsoft. Part 1 is here.
Despite a crackdown on legal practitioners who've not made an effort to embrace technology, nearly one in five lawyers still view tech competency as either minimally important or not important at all. Technology education for attorneys, in general, is a problem. Although most law firm lawyers generally find in-house training to be the most effective form of education, only about a third of small and mid-sized firms have the resources to implement it. Lawyers who fail to make efforts to protect firm and client data risk their reputations and businesses.
Dennis Garcia, however, has some fixes. He is among those who do realize that technology is an inextricable part of today's legal practice, and his contributions to the cybersecurity field put him in select company.
In the first part of our interview, Garcia, assistant general counsel at Miscrosoft, described steps law firms can take to immediately upgrade their security infrastructures. Here, he elaborates on what firms can do to create a culture where protecting client data is a top priority.
Logikcull: What steps can law firms that lack the financial resources, time, and personnel support that larger firms have take to protect their clients’ data?
Garcia: A smaller law firm may want to get some help from a cybersecurity and information security expert on what steps they should be taking to protect client data. Firms of all sizes should make sure they’re using the latest version of their information technology solutions. For instance, if you’re going to be using Windows as your operating system, then Windows 10, for example, will be more robust and secure when compared to earlier versions. Also make sure you’re using multi-factor authentication and strong password hygiene practices.
Logikcull: How can law firms, irrespective of size, best ensure that their data security strategies are being properly implemented and executed?
Garcia: Even small law firms should prioritize doing proactive cybersecurity training for their employees and contractors to create a culture of cybersecurity.
One thing that we’re seeing more and more are phishing attacks whereby nefarious groups or people will send emails that look legitimately like they’re from a financial institution or social media platform, and then recipients click and open them only to find malware.
Being cognizant about these phishing expeditions is extremely important. In general, lawyers should not be shy in raising their hand and saying, "I need help.’”
Logikcull: What educational tactics should law firms consider to ensure proper execution of their data security policies?
Garcia: If you’re a big enough law firm, then you should have a chief information officer or chief privacy or data officer who’s focused on these issues. If you don’t have the luxury for that, then it would be good to reach out to a cybersecurity consultant to stress-test your information technology environment so you can learn more about the state of it and what you can do to improve it so that you don’t create any gaps or holes for cybercriminals or others to penetrate it.
Educating your employees and contractors on cybersecurity is important since it’s everyone’s business, and if someone’s leaving the firm, it’s also important to ensure that you cut off that person’s access to firm systems or otherwise ensure that they won’t have the same access to your law firm system as he or she did while employed.
Logikcull: What statutory or other legal considerations should lawyers be aware of when crafting a firm-wide data protection strategy?
Garcia: You may have various bar associations or regulatory bodies that issue guidelines your firm should consult. There are US state laws, US federal laws and industry-specific laws that are applicable to privacy and cybersecurity, so it’s important for lawyers to keep up to speed with the ever-changing landscape of cybersecurity. And of course, outside the United States, the new and comprehensive European Union General Data Protection Regulation (GDPR) will take effect in May 2018.
The International Association of Privacy Professionals (IAPP) has great resources on cybersecurity and privacy and is an industry leader. You can obtain privacy certifications from the IAPP which you can test for, and you can receive continuing education in this area, but the most important thing is to keep current on embracing best practices in the ever-changing cybersecurity landscape.
As told to Eric Pesale, a soon-to-be attorney and founder of Write For Law. Eric writes regularly for the Logikcull blog, focusing on the legal impact of emerging technologies. He can be reached at email@example.com or on Twitter at @writeforlaw.
To learn about specific steps your firm can take to protect client data, check out our newest whitepaper below.