Page 21 - NC Triangle Vol 7 No 1

CRAIG PETRONELLA | Cybersecurity
A Conversation with Alex Pearce, Chair of the NCBA’s Privacy & Data Security Committee
PETRONELLA: What is the biggest threat to firms that already have cybersecurity systems in place?
PEARCE: One of the biggest threats is phishing. That’s because defending against that threat relies in large part on the vigilance of the employee as opposed to a firm’s investment in technological safeguards. For that reason, employee training on cybersecurity in general, and phishing, in particular, is critical. As part of that, companies are running phishing exercises on their employees. Law firms should consider that. To my mind, tricking someone into clicking on a phishing link as part of a training exercise is a great way to teach them a lesson that sticks.
PETRONELLA: Other than a failure to train employees properly, what are the two most common other vulnerabilities law firms face concerning cyber breaches other than going bare?
PEARCE: Two other common issues include not being careful with cloud storage and communications services; and failing to implement appropriate controls on the use of mobile devices. As to the first, our State Bar, and the state bars of several other states, have issued ethics opinions that outline the steps lawyers should take when using cloud services to store and transmit client information. As to the second, the rise of “BYOD” creates risks that I’m not sure all lawyers understand when it comes to the confidentiality and security of client information.
PETRONELLA: What does the landscape look like for cyber threats to law firms?
PEARCE: For some time I think law firms have been identified by cybercriminals as a “soft underbelly” of corporate America. Criminals have figured out that law firms tend to be places where sensitive, high-value information is collected in one place, and some law firms, historically, have been behind the curve in terms of cybersecurity. I think law firms are getting better about this, but the fact remains that law firms are targets, like any other business that handles valuable information.
PETRONELLA: How about firms that don’t have cybersecurity because they don’t know where to start, who to ask, or what to ask?
PEARCE: There are plenty of good resources out there that provide basic steps to shore up security. They aren’t specific to law firms, but a few that come to mind are the Center for Internet Security’s Critical Security Controls and the Federal Trade Commission publication “Start with Security: A Guide for Business.” Professional liability insurers can also be a good resource in this area. They often make information on this topic available to their insureds.
PETRONELLA: What’s your guidance for attorneys who say, “I’m not making enough to pay my electric bill, why should I spend money I don’t have on cybersecurity?”
PEARCE: There are obviously lots of reasons why attorneys need to pay attention to cybersecurity. But for folks who might be inclined to think it’s not a high priority, I’d point them to the increasing attention being paid to this issue by our state bar and other ethics authorities. The rules of professional responsibility and several recent ethics opinions make clear that the ethical duties of competence and confidentiality include an obligation to use reasonable efforts to prevent unauthorized access to client information.
AttorneyAtLawMagazine.com
PETRONELLA: A few liability insurance experts told us that some firms would rather go bare, declare bankruptcy and re-organize in the event of a major breach. Good idea? Bad idea?
PEARCE: Terrible idea. This strategy does not account for the ethical obligations that lawyers have to protect client information, nor for the consequences to a lawyer’s reputation of a breach that happens because the lawyer hasn’t done anything to protect that information.
PETRONELLA: What are some of the minimum standards set by the ABA and the state bar?
PEARCE: The ABA’s formal ethics opinion on Securing Communication of Protected Client Information provides a high-level framework for evaluating and addressing cybersecurity threats—I’d highly recommend that folks familiarize themselves with that opinion. Beyond that, the ABA and our State Bar don’t set forth specific “minimum standards” for cybersecurity per se. Rather, they require lawyers to take “reasonable” measures to protect client information. What’s reasonable can vary, depending on the circumstances, but the point is that lawyers have to think about the information they handle and the specific risks that they face, and then to tailor their security program accordingly using a risk-based analysis.
Craig A. Petronella is the CEO of Petronella Technology Group, Inc. (PTG), an internationally trusted IT cybersecurity group that specializes in helping law firms with training, security and compliance. If you like these tips, sign up for our free Cybersafety newsletter at https://www.petronellatech.com. Craig has 30 years’ experience, authored multiple books, including “How Hackers Can Crush Your Law Firm,” and “Peace of Mind Computer Support.” For more information about a cybercrime risk assessment call 1 (877) 468-2721.
Alex Pearce of Ellis & Winters LLP