As the surge in data breaches and cybercrime continues unabated, law firms face intense pressure to meet the increasingly rigorous data security demands of their corporate clients. The ability of these firms to show they’re up to the task is becoming a prerequisite to maintaining clients’ trust, and to keeping their business. Unfortunately, most have a long way to go.
Among those at the forefront of the push to modernize cybersecurity in the legal space, and to ensure that its law firm and in-house practitioners are well aligned, is Dennis Garcia, assistant general counsel at Microsoft. Over the course of more than 25 years in various in-house roles, he’s developed expertise in a range of the thorniest technology-driven areas of law, including privacy, security and anti-piracy.
We recently asked Dennis for his guidance on what law firms can do to begin to meet the security standards of their most technologically sophisticated and data-rich clients. Below is the first part of a two-part interview.
Logikcull: Based on your experience, what new expectations or demands are clients placing on law firms regarding cybersecurity and data protection issues?
Dennis Garcia: For all companies, cybersecurity is a top-of-mind issue more than ever because every company is a data company nowadays. I do know that potential clients are asking law firms what they’re doing to secure and protect their data and sending them detailed questionnaires asking a host of questions.
I get the feeling a number of law firms are scrambling. But they have to properly fill out these questionnaires to ensure that what they’re telling potential clients passes muster with them regarding protecting their vitally important data. We’ve been hearing more about this since we have so many customers, and Microsoft works with several law firm partners. From my perspective, I think there is an opportunity for law firms to really think about working with highly trusted and reputable cloud providers to help them get more secure with their data and their clients’ data.
It may be the case that a highly trusted and reputable cloud provider has the appropriate compliance certifications, security practices and privacy protocols to do a better job at securing a law firm client’s data than what a law firm can do by itself with its traditional on-premise technology environment.
Logikcull: What immediate steps can law firms take to improve their data security infrastructure?
Garcia: I do think that law firms should seriously evaluate and look at cloud solution providers who are highly trustworthy, reputable and transparent. I think that nowadays, knowing that cybersecurity is a big issue, law firms, and their valuable clients, are more focused on this than before.
In fact, knowing that cybersecurity is such a big concern, I believe that this year and next year, we’ll see “Big Law” go big in the cloud by acquiring cloud solutions… from providers who can probably do a better job protecting their clients’ data in their state-of-the-art, highly-secured data centers rather than what they can do on their own.
Logikcull: What other steps can law firms take to build up or shore up their reputations with clients in terms of their cybersecurity practices?
Garcia: Firms should build robust internal cybersecurity policies and practices and may want to consider looking into complying with important international information protection standards such as those created by the International Organization for Standardization, or ISO.
Lawyers are terrific at doing due diligence, and in the United States, the American Bar Association’s Model Rules of Professional Conduct require lawyers to represent their clients in a competent manner and to ‘…keep abreast of changes in the law, including the benefits and risks associated with relevant technology…’ Law firms should enlist the active involvement of their security, privacy, compliance and technology advisors to closely review potential cloud solutions. In fact, several months ago, ISO created a new standard called ISO 19086, which is a good due diligence resource for law firms as it establishes a framework for cloud service level agreements (SLAs).
Logikcull: What are the benefits of working with a cloud provider? And how does working with one help attorneys meet their ethical obligations to clients?
Garcia: At Microsoft, we invite customers to participate in a tour of our data center environment so they can see the breadth and depth of our cloud security and privacy practices firsthand. After our customers see our data centers, sometimes their lawyers will come to us and say, “Wow, it would be hard for us to replicate a similar environment.”
Firms may want to initially try a subset or category of cloud-based solutions to see how they like them through a hybrid approach of moving some data to a cloud-based solution and retaining other data in its on-premises environment. In addition, over twenty state bar associations in the United States have rendered ethics opinions regarding law firms’ usage of cloud computing services, and they all uniformly say that it’s ethically okay for lawyers and law firms to use cloud solutions so long as they take reasonable care in protecting their clients’ data and have performed appropriate due diligence in selecting a cloud provider. If you’re working with a highly trusted and reliable cloud provider that’s transparent, adheres to leading compliance standards and is undertaking a number of specific practices to secure client data in the cloud, I believe you can make a good argument that what the firm’s doing is meeting or exceeding this reasonable care standard.
As told to Eric Pesale, a soon-to-be attorney and founder of Write For Law. Eric writes regularly for the Logikcull blog, focusing on the legal impact of emerging technologies. He can be reached at email@example.com or on Twitter at @writeforlaw.