
Governance and Leadership - Core Standard and Overview of GDPR

Core standard: "One or more members of the firm's governing body or senior leadership group have been identified as accountable for the firm's cybersecurity."

Top Down Commitment

Strong cybersecurity is a business imperative, yet too often cybersecurity is too far down on a law firm executive committee's priority list or, because it is so complex, simply delegated to lower-level technical personnel. Some questions for law firm executive management: Is there a commitment from the top down, both culturally and financially, to rigorous cybersecurity? Who in leadership is driving the cybersecurity agenda? Is it a C-level accountability and part of the day-to-day business focus? Do current reporting lines and assigned areas of responsibility make sense? Given the responsibilities and accountability needed to execute the incident response plan, are the right employees, possessing the appropriate skillsets, adequately empowered? If the team charged with overseeing cyber-defense is the same team that reports up the chain about breaches and would oversee any response, that dual role indicates an inherent conflict of interest.

Effective security awareness demands top-down commitment and communication, a characteristic that is often lacking at law firms, especially where legal practices (and partners) are "siloed" or otherwise isolated. Law firm executive committees should enforce the notion that the firm has an institutional commitment to protect client data, reflected by involvement and engagement by senior firm leaders, not just IT. At the least, law firm executive committees should establish a cross-organizational team (including practice chairs, procurement, finance, human relations, communications, office management, IT and security personnel) that regularly convenes to discuss, coordinate and communicate information security issues.

Source: LAW FIRMS AND CYBERSECURITY: A COMPREHENSIVE GUIDE FOR LAW FIRM EXECUTIVE COMMITTEES By John Reed Stark; John Reed Stark Consulting LLC https://www.johnreedstark.com/

https://www.johnreedstark.com/wp-content/uploads/sites/180/2016/04/Law-Firm-Cybersecurity-Guide-Final-PDF.pdf

General Data Protection Regulation (GDPR) – Overview

"The General Data Protection Regulation (GDPR) (EU) 2016/679 is an EU regulation" (source: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation).

It came into effect on May 25, 2018 and applies Europe-wide; for firms without European offices it may still apply if your firm offers services to individuals in Europe (e.g. as part of a class action suit).

"Under the GDPR, the data protection principles set out the main responsibilities for organizations."

Article 5 of the GDPR requires that personal data shall be:

“a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”

Article 5(2) requires that:

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Source: Information Commissioner's Office (UK): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles

GDPR - what firms need to do (checklists)

The UK's Information Commissioner's Office (ICO) has some excellent material regarding the GDPR:

Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

GDPR checklist for data controllers

Designed to help you, as a data controller [A controller determines the purposes and means of processing personal data], assess your high level compliance with data protection legislation. Includes the new rights of individuals, handling subject access requests, consent, data breaches, and designating a data protection officer, under the upcoming General Data Protection Regulation.

Data controllers - self-assessment

GDPR checklist for data processors

Designed to help you, as a data processor [a processor is responsible for processing personal data on behalf of a controller], understand and assess your high level compliance with data protection legislation. Includes the new requirements for data processors, the rights of individuals, data breaches, and designating a data protection officer, under the upcoming General Data Protection Regulation.

Data Processors - self-assessment

And from Legal Risk, a "specialist law firm combining cutting edge legal advice with our experience in management of large law firms . . . established specifically to offer legal advice to lawyers on risk issues in the UK":

Firms with European offices will need a thorough review of their processes. They will need to give particular attention to establishing the lawful basis for the transfer of data outside the EEA.

For firms without European offices, there may still be a need to address GDPR issues if the firm offers services to individuals in Europe (or, less likely, monitors behavior in Europe). A firm might offer services if, for example, it advertises for clients for a class action where potential claimants may include European citizens.

All firms need to address the following:

  • Risk assessment – map the data you hold, identify the lawful basis on which you process it, review how long you keep it, and satisfy yourself you are taking reasonable steps to secure it.
  • Review consents, if you are relying on them.
  • Appoint a Data Protection Officer if you need to.
  • Record keeping.
  • Train staff.
  • Review your recruitment procedures.
  • Review your contracts with data processors.
  • Check whether you are transferring data outside the EEA and make sure you have a lawful basis for doing so.

Useful links

Source: Legal Risk UK - https://www.legalrisk.co.uk/services/gdpr-for-us-law-firms-what-do-you-need-to-do/

Cybersecurity Consultants

The following consultants / consulting firms have been used by member firms (see their ratings and comments). Please add your consultant(s) by adding to this list.

1. Corvid

Location: Cheltenham, UK

Tel:  01242 225084

Email: nick.yarham@corvid.it

Website: https://corvid.it/

"Security consultants we have been using for the last 12 months."  Clive Swift, +44 1624 638322, Cains Advocates, Isle of Man

Rating: Superior

2. Eero Öster / Nixu Oyj

Location: Helsinki, Finland

Tel:  +358 50 317 6041

Email:  eero.oster@nixu.com

Rating:  Superior

From:  Sonja Lindroos, +358 20 506 6637, Head of IT and Systems, Roschier, Attorneys, Ltd.

3. Jason N. Smolanoff, Senior Managing Director, Global Cyber Security Practice Leader, Kroll Cyber Security, LLC

Location:  Los Angeles, CA

Tel:  213-700-4312 (m)

LinkedIn: https://www.linkedin.com/in/jason-smolanoff-123b6837/

"We would definitely use Jason again." Tony McFarland, Bass, Berry & Sims, Tennessee

Rating:  Superior

4. Cuyler Robinson, Charles River Associates

Location:  Chicago

Tel: (312) 619-3394

Email:  CRobinson@crai.com

"Cuyler comes from Navigant, a leader in the field. Cuyler spoke at the Lex Mundi KM Roundtable here in Nashville in 2016. I would expect superior service from Cuyler and his team, though I have not yet had the opportunity to use him." Tony McFarland, Bass, Berry & Sims, Tennessee

5. Steven Visser, Navigant Consulting, Inc.

City:  Denver

Tel:  303-383-7305

Email: svisser@navigant.com

Website: https://www.navigant.com/capabilities/solutions/cyber-security

6. Jim Soenksen, PIVOT

City:  Atlanta

Tel: 404-419-2163

Email:  jsoenksen@pivotgroup.com

Rating: Very good people there.

From: Michael Orce, 860-240-6100, Murtha Cullina, Connecticut

7. Aujas Networks Pvt. Ltd

City: Assume Delhi, but not sure

"Aujas was finalised for our work as they came up with the best tailored proposition to our specific ask (it was a combination of Information Security Assessment and VAPT). The delivery of the engagement was very good." Parveen Sharma, +91 11 41590700, National Director - Information Technology, Shardul Amarchand Mangaldas & Co, India.

Cybersecurity resources (and GDPR)

Here's where you can access "how to" resources so you can improve your firm's information security and share information about Cybersecurity products and vendors.

Very short video: How a 15-year-old hacks systems like yours: click here.

For a very short overview of why hacking is a problem and what to do about it see this slide deck: Cybersecurity - the main problem and what do to about it FINAL.pptx