June 2016
In This Issue:
Navigating New Terrain: Law Firms Facing Unprecedented Cyber Risk
Benefits and Risks of the Internet of Things
FCC’s Proposed Data Privacy and Security Rulemaking for Broadband Internet Access Providers
International Cybersecurity Compliance Concerns
EU Cybersecurity Directive Update
Measure to Manage: Understanding and Using Data to Affect Firm Change and Client Relationships
e-Discovery and Security: The Inevitable Reinvention of the e-Discovery Industry
Movers & Shakers
Cybersecurity Law & Strategy June 2016
Volume 1, Number 1
To order this newsletter, call: 800-756-8993
On the Web at: www.ljnonline.com/ljn_cybersecurity
Cybersecurity Law & Strategy Editorial Director: Wendy Ampolsk Stavinoha
Managing Editor: Steven Salkin, Esq.
Editor-in-Chief: Adam Schlagman, Esq.
Board of Editors:
Jonathan P. Armstrong
Cordery
London, UK
John Beardwood
Fasken Martineau DuMoulin LLP
Toronto
Brett Burney
Burney Consultants
Cleveland, OH
Alisa L. Chestler
Baker Donelson
Washington, DC
Jared M. Coseglia
TRU Staffing Partners, Inc.
New York
Jeffrey P. Cunard
Debevoise & Plimpton LLP
Washington, DC
Jake Frazier
FTI Consulting
Houston, TX
D. Reed Freeman Jr.
Wilmer Cutler Pickering Hale and Dorr LLP
Washington, DC
Alan L. Friel
BakerHostetler
Los Angeles
Collin J. Hite
Hirschler Fleischer
Richmond, VA
David F. Katz
Nelson Mullins Riley & Scarborough LLP
Atlanta, GA
Ari Kaplan, Esq.
Ari Kaplan Advisors
New York
Justin Hectus
Keesal, Young & Logan
Long Beach, CA
Staci D. Kaliner
Redgrave LLP
Washington, DC
Dan Lear
Avvo
Seattle, WA
Kelly Lloyd
McCarter & English
Newark, NJ
Emile Loza
Technology & Cybersecurity Law Group, PLLC
Washington, DC
Ian D. McCauley
Morris James LLP
Wilmington, DE
Jeffrey D. Neuburger
Proskauer Rose LLP
New York
Nicholas A. Oldham
King & Spalding LLP
Washington, DC
Mark Sangster
eSentire
Cambridge, ON, Canada
Navigating New Terrain: Law Firms Facing Unprecedented Cyber Risk
By Mark Sangster
For years, government authorities and security experts warned the legal industry about the
proverbial cyber target painted on its chest. And while a cornucopian crop of headlines bloomed about
data breaches, most concentrated on major retailers or recognizable brands. Given nebulous
breach-reporting legislation, data breaches at law firms remained below the press horizon. But you can
only dodge so many bullets before one hits the industry square in the chest. Recently, the legal industry
found itself in the spotlight as story after story about data stolen from law firms surfaced. The media
frenzy culminated when the Mossack Fonseca breach, dubbed the Panama Papers, made that firm the poster
child for hacked law firms.
If the multi-law-firm hack story was the first shot across the bow, then the Panama Papers leak will prove
to be a torpedo. With a record-setting data heist and an enviable client list of who's who in government,
business and entertainment, the Panama Papers leak struck a chord and unequivocally confirmed that legal
wasn't just a target; it is the target. It is also a bellwether for an industry in denial, unable to conceive
that its firms held anything of value, certainly not anything worth stealing. Well, it turns out that boring
old shell companies and tax filings had a value.
Law Firms Are Full of Sensitive Data
It doesn’t matter the size of your firm. Large or small, your firm houses a treasure trove of sensitive data.
From personally identifiable information (PII) to M&A transaction details to contracts and plans, every
piece is desirable in the eyes of cybercriminals. Sure, larger firms have long felt that they’re not as
vulnerable to attack. They’ve been confident in the technological defenses they’ve established to protect
their sensitive data, and until recently they haven’t felt the need to question the efficacy of that
technology.
Small- to mid-sized law firms are at even greater risk. Unlike their larger peers, smaller firms simply don't
have the budget and resources to allocate to internal IT management and technology investments. In many
cases, these bootstrapped firms are lucky to simply have the most basic technology in place, such as anti-
virus systems or firewalls. For these reasons, they’re perceived as an easy mark through the eyes of
attackers, and widely recognized as a conduit to larger targets.
Hackers Focus on People, Not Technology
In addition to evolving risk vectors, the nature of attacks themselves has shifted. Attackers no longer fear
technology because they know they can evade it. Recent successful breach events amplify that reality.
Today’s popular attacks focus on something far more malleable than technology. They focus on people
and their innate human nature. We all get busy. Dreadfully so. And it’s when we’re busy that we become
careless, particularly when it comes to our e-mail inbox. This is when we’re most vulnerable to the
epidemic that is e-mail spoofing.
Spoof e-mails have undergone a transformation. Once riddled with spelling errors and inaccuracies,
malicious content today is cleverly veiled in glossy, seemingly legitimate corporate branding. The correct
names are usually in the correct places, and the contents of the e-mail appear reasonable and typical of
interoffice or vendor communications: a display name that matches a real partner or vendor, a sender
address on a look-alike domain, and a reply-to address that quietly routes the answer elsewhere. As a
result, phishing and Business Email Compromise (BEC) are now big business for cybercriminals. The
Ponemon Institute reported that large companies now spend an average of $3.7 million a year dealing with
phishing attacks. See "2015 Cost of Data Breach Study." All firms have become desirable targets for
phishing and BEC attacks.
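As an added example (not code from the newsletter, from eSentire, or from any product it describes), the following Python script applies the tells of a polished BEC message, a known name on an outside address, a look-alike sender domain and a diverted Reply-To, together with the mail gateway's own SPF/DMARC verdict, to a handful of constructed message headers. The firm domain, the partner names and the sample messages are all assumptions made for the illustration.

```python
"""Header heuristics for display-name spoofing, look-alike domains and reply-to
diversion in incoming e-mail.

Added example; not code from the newsletter or from eSentire. It assumes a
hypothetical firm domain (example-law.com) and a short list of partner names an
attacker would impersonate. Every message below is a constructed sample.
"""
import email
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.com"            # assumption: the firm's real mail domain
KNOWN_PEOPLE = {"jane doe", "john roe"}    # assumption: names worth impersonating


def _domain(addr):
    """Domain part of an address, lower-cased; '' if there is no address."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; enough to catch examp1e-law.com vs example-law.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoof_indicators(raw_message, firm_domain=FIRM_DOMAIN, known_people=KNOWN_PEOPLE):
    """Return the spoofing indicators found in one RFC 822 message, in check order.

      display-name-impersonation  a known person's name on a non-firm address
      lookalike-domain            sender domain within two edits of the firm domain
      reply-to-mismatch           Reply-To domain differs from the From domain
      authentication-failed       the gateway recorded spf=fail or dmarc=fail
    An empty list means no heuristic fired, not that the message is safe.
    """
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    findings = []
    if from_name.strip().lower() in known_people and from_dom != firm_domain:
        findings.append("display-name-impersonation")
    if from_dom and from_dom != firm_domain and _edit_distance(from_dom, firm_domain) <= 2:
        findings.append("lookalike-domain")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("authentication-failed")
    return findings


# Constructed samples (not real traffic). The first is an ordinary internal mail.
LEGITIMATE = """\
From: Jane Doe <jane.doe@example-law.com>
To: john.roe@example-law.com
Subject: Closing checklist
Authentication-Results: mx.example-law.com; spf=pass; dkim=pass; dmarc=pass

Please review before the 3pm call.
"""

# A partner's name on a webmail address: the classic "CEO fraud" opener.
FREEMAIL_IMPERSONATION = """\
From: Jane Doe <jane.doe.partner@webmail.example>
To: accounts@example-law.com
Subject: Urgent wire today

Are you at your desk? I need a transfer processed quietly.
"""

# Digit-for-letter look-alike domain plus a Reply-To that diverts the answer.
LOOKALIKE_WITH_REPLY_TO = """\
From: John Roe <john.roe@examp1e-law.com>
Reply-To: john.roe@accounts.example
To: accounts@example-law.com
Subject: Updated vendor banking details

Please use the attached account for the next payment.
"""

# Exact firm domain in From, but the gateway's SPF and DMARC checks failed.
FAILED_AUTH = """\
From: Jane Doe <jane.doe@example-law.com>
To: accounts@example-law.com
Subject: Invoice approval
Authentication-Results: mx.example-law.com; spf=fail (sender IP not permitted); dmarc=fail

Approve the attached invoice today.
"""

if __name__ == "__main__":
    samples = [("legitimate", LEGITIMATE), ("freemail", FREEMAIL_IMPERSONATION),
               ("lookalike", LOOKALIKE_WITH_REPLY_TO), ("failed-auth", FAILED_AUTH)]
    for label, raw in samples:
        print(f"{label}: {spoof_indicators(raw) or 'no indicators'}")
```

The checks are deliberately cheap so they can run at the gateway or in a mailbox rule; they complement, rather than replace, SPF/DKIM/DMARC, which only an authenticated gateway can evaluate, and they catch the cases DMARC cannot, such as a legitimately authenticated message from a freshly registered look-alike domain.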
Legislation and Guidance
Staggering breach cases are driving a larger conversation. At the micro level, cybersecurity is quickly
becoming a paramount issue for firms, whether large or small. At the macro level, industry, national and
governance discussions are turning their sights to the legal industry. The Cybersecurity Act of 2015,
signed into law last December, and the U.S. government's Cybersecurity National Action Plan (CNAP),
announced in February 2016, officially signaled the government's resolve to guard the pillars of the U.S.
economy from cyber threats and attacks. At the governance level, the industry is scrambling to build
frameworks and measurements alongside regulators like the SEC, which since 2014 has worked to establish
regulatory compliance measures through a formal examination process and comprehensive frameworks.
The ABA, recognizing increased pressure from national compliance efforts and imminent threats from an
unseen army of cyber attackers, has worked to architect a set of cybersecurity guidelines, as outlined in its
2014 Cybersecurity Handbook. The handbook has quickly become an indispensable tool for firms that
don't know where to start. It outlines several pillars of focus, including: gaining an understanding of
what assets and sensitive data the firm has; who the regulators are; which threats are targeting the firm;
what protection the firm has in place to guard against attacks; what risks exist; and whether the firm can
demonstrate its cybersecurity claims.
Essentially, cybersecurity management can be divided into two clear buckets: the first focuses on policies
and planning, while the second centers on the day-to-day mechanics of cybersecurity and what kinds of
frontline defenses firms have in place to block or mitigate attacks.
Often, even tackling these questions can be a daunting task for firms, particularly those that don’t have an
in-house team to answer them. Commissioning a full, independent security assessment is a good place to
start. Security assessments are an effective way to assess your current security posture and identify gaps
in your processes, programs and technologies. An independent security assessment not only helps firms
build and augment their cybersecurity programs, but it also helps prepare a response for clients who will
request an audit report detailing your firm’s posture. A security assessment provides the clear direction
you need to build your program, policies and defense inventory. An assessment also benchmarks your
firm against your peers, examining the kinds of threats targeting you and the security considerations
that fit your organization based on those benchmarks.
The ABA's Tech Report, released late last year, revealed that on average, less than half of responding
firms have firm technology or security policies in place. With the number of vulnerable attack surfaces in
any given firm, security policies are an essential first step when it comes to defending the firm. Just as
critical are frameworks like the NIST Cybersecurity Framework, which fuses practices, guidelines and
standards to protect critical infrastructure. The framework helps to prioritize and manage cybersecurity
risk, and presents a sturdy platform for further policy and program development.
Security Areas to Address
Within data and network protection there are several vectors that should be addressed: security models,
network assets, policies and procedures, data encryption, remote banking/transfers and mobile device
management. The Tech Report found that 62% of respondents reported that their firm had not
experienced a breach. But with so many threat surfaces, it's unknown how many of those respondents
suffered a breach and didn't detect it. The Panama Papers case is a prime example: the firm claims that its
mammoth data leak was the result of a year-old, undetected breach. One might assume that a firm like
Mossack Fonseca would have fairly robust security in place, particularly given its top-tier client base.
While the root cause of the breach hasn't been reported, it has been speculated that the breach was the
result of a sophisticated cyber-attack, one that cleverly evaded whatever perimeter defenses Mossack
Fonseca had in place.
Conclusion
While the fate of Mossack Fonseca remains to be seen, lesser breaches have caused firms to shut their
doors entirely. Universally, attorneys are fundamentally obligated to protect their clients’ confidentiality.
By extension, firms are required to ensure that the technology they use in no way subjects client
information to an undue risk of disclosure. Pair this with the breach cases impacting firms, and suddenly
firms face greater pressure, more scrutiny and evolving regulatory implications. Clients are taking data
protection into their own hands, running due diligence that requires firms to demonstrate the
mechanisms they've built to protect sensitive data.
The legal industry was founded and is fueled by professionals driven by curiosity and the desire to ask
“why.” Cybersecurity has gone from simply being IT’s problem, to becoming everyone’s problem. If
your firm doesn’t currently have cybersecurity initiatives underway, start the conversation. Ask the
questions. Turn to your governance resources such as the ABA and leverage the tools they’ve created to
drive momentum in your firm. Collaborate with peers through intelligence sharing forums like the Legal
Services Information Sharing & Analysis Organization (LS-ISAO), which was founded to facilitate threat
sharing amongst firms. The cybersecurity terrain is ever evolving. Consider this: Today's fastest growing
and most successful threats originate from a human culprit. You need human-driven defenses to stop
them; technology alone won't cut it.
Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to
peripheral factors influencing the way that law firms integrate cybersecurity into their day-to-day
operations. In addition to Mark’s role as VP and industry security strategist with managed cybersecurity
services provider eSentire, he also serves as a member of the LegalSec Council with the International
Legal Technology Association (ILTA). He is also a member of this newsletter’s Board of Editors and
may be reached at [email protected].
—❖—
Benefits and Risks of the Internet of Things
What Every Company Should Know
By L. Elise Dieterich
The buzz phrase “Internet of Things” is seemingly everywhere. What is it, what can it do for us, and what
concerns does it present? More specifically, while the Internet of Things (IoT) presents tremendous
opportunities for businesses, are there corresponding risks, or elements of the IoT that businesses should
consider staying away from?
The answer to the benefits-versus-risks question is as simple — and as complex — as understanding the
privacy and cybersecurity risks associated with any and all Internet-connected technology, be it your
personal smartphone or an enterprise-wide software application hosted in the cloud. The IoT, because it
connects and communicates via the Internet, is vulnerable to hacking and malware, the same as our e-mail
and computers. IoT devices also present, however, specific benefits and risks that are important for every
enterprise to understand.
What Is the IoT?
For starters, what exactly does the term IoT refer to? Like many buzz phrases, it depends on the user. A
Google search serves up this definition: “a proposed development of the Internet in which everyday
objects have network connectivity, allowing them to send and receive data.” And indeed, most consumers
interface with the IoT through connected devices such as wearable fitness trackers, connected televisions,
or that “puppy cam” connected to their smartphone. For businesses, though, a more nuanced definition is
in order.
The U.S. Department of Commerce (DOC) recently offered this: “IoT is the broad umbrella term that
seeks to describe the connection of physical objects, infrastructure, and environments to various
identifiers, sensors, networks, and/or computing capability. In practice, it also encompasses the
applications and analytic capabilities driven by getting data from, and sending instructions to, newly-
digitized devices and components.”
The Information Technology Laboratory at the National Institute of Standards and Technology (NIST), in
a 2016 draft report released for public comment, posited that “the current Internet of Things (IoT)
landscape presents itself as a mix of jargon, consumer products, and unrealistic predictions. There is no
formal, analytic, or even descriptive set of the building blocks that govern the operation, trustworthiness,
and lifecycle of IoT. This vacuum between the hype and the science, if a science exists, is evident.” Thus,
the NIST report proposes “a common vocabulary to foster a better understanding of IoT” that assumes the
IoT will typically be comprised of, at a minimum, a sensor, an aggregator, a communication channel, an
external utility (a software or hardware product or service), and a decision trigger. Id. at 15.
A mundane example of this is the FitBit, which senses information about the wearer’s physical activity,
aggregates that information over time, and communicates it to the wearer’s smartphone or computer,
where the wearer can evaluate and act on the information. Sensor-driven devices operating in the IoT
framework are all around us and range from connected cars and smart TVs to industrial controllers,
inventory trackers, and implanted medical devices with Wi-Fi built in.
A More Straightforward Explanation
At root, the IoT is fairly straightforward: my device senses something and uses the Internet to
communicate with me about it. Things get more complicated, though, when we take account of the fact
that most connected devices require an intermediary — usually the hardware or software provider — and
that intermediary typically also has access to our information. This FAQ on the website for Nest, a
Google subsidiary that sells home IoT devices such as smoke detectors, video cameras and thermostats,
illustrates the access that an IoT device provider can have to sensitive data when it asks “[d]oes Nest
know when I’m home or not?” and answers “yes”: “Our products can detect when someone’s there, and
we use information like this to make our products more thoughtful.” Nest reassures its users, however,
that “[i]f you want to be more literal about it, no one at Nest or Google spends the day looking at a screen
tracking if you’re home or not.”
With or without an intermediary, connected devices present unique vulnerabilities. A hacked “puppy
cam,” for example, can give the hacker a view inside the owner’s home. And whereas the risks to e-mail
and computers revolve primarily around data loss or misappropriation, the very functionality of an IoT
device is at risk. A staged hack that shut down a Jeep Cherokee while traveling on the highway at high
speed gained huge visibility last year when an article describing the hack was published in Wired
magazine.
Although hacking a car is a sophisticated exploit and likely not a routine danger, the fact that it could be
done alarmed both consumers and regulators, and highlighted the risks the IoT poses. Wired exposed
another frightening connected device vulnerability last year, when it reported hackers had been able to
override the Wi-Fi-enabled aiming system on a rifle. And, regulators have expressed life-and-death
concern about the risks to medical devices connected to the IoT. The Food and Drug Administration in
2014 issued medical device guidance that includes the following statement: “Failure to maintain
cybersecurity can result in compromised device functionality, loss of data (medical or personal)
availability or integrity, or exposure of other connected devices or networks to security threats. This in
turn may have the potential to result in patient illness, injury, or death." It has been reported that doctors
disabled the wireless functionality of Vice President Dick Cheney's pacemaker while he was in office, for
just that reason.
Is This a Real Problem?
How pervasive are these concerns? DOC reports that “by 2015 there were around 25 billion connected
devices. Devices now outnumber people by 3.5 to 1.” Even more astounding, “[i]t is expected by 2020
there will be up to 200 billion connected devices … .” DOC notes, further, that “thus far no U.S.
government agency is taking a holistic, ecosystem-wide view that identifies opportunities and assesses
risks across the digital economy,” although numerous regulatory agencies have addressed aspects of the
IoT in some way.
To begin to remedy this lack of a holistic view, DOC published in the Federal Register on April 5, 2016, a
request for public comments on “The Benefits, Challenges, and Potential Roles for the Government in
Fostering the Advancement of the Internet of Things.” 81 Fed. Reg. 19956-19960.
The broad scope of the questions set forth in DOC’s request for comments is indicative of the IoT’s reach,
touching on technology, infrastructure, policy, and international considerations, among others. With
regard to the privacy and cybersecurity concerns raised by the IoT, the DOC request for comments notes
that: “A growing dependence on embedded devices in all aspects of life raises questions about the
confidentiality of personal data, the integrity of operations, and the availability and resiliency of critical
services.” Id.
Your enterprise may currently be using the IoT for functions as diverse as encouraging employee
wellness through a FitBit program, managing inventory using RFID tags, tracking the location of
company vehicles using GPS, and improving products through automated feedback from connected
software or hardware products. Indeed, your company may be using the IoT in ways you’ve never thought
about — for example, providing QR codes on your products that individuals scan with their smartphones
to access information on your company’s website. Or, your enterprise may proactively be creating and
marketing to consumers products that feature IoT connectivity as a selling point. The benefits of
participating in the IoT are myriad, and include convenience, better and more timely data, and higher
levels of engagement. Nonetheless, in all these instances, there are important privacy and cybersecurity
pitfalls to be avoided.
Privacy Concerns
On the privacy side, IoT device consumers — be they individual or enterprise — should insist on
knowing: 1) what data the device is collecting; 2) what data is being shared, and with whom; and 3) how
consumers can control data collection and sharing. Purveyors of connected devices should have answers
to these questions at the ready, and clearly communicate their data collection, use, and disclosure
practices in privacy policies that are easily accessible to consumers. Collecting and using consumer data
without informed consent is generally a no-no that can result in significant penalties, not to mention
liability in the event of a breach of consumers’ information.
Cybersecurity Issues
On the cybersecurity side, the Federal Trade Commission (FTC) recently issued helpful guidance titled
“Careful Connections: Building Security in the Internet of Things.” Here, the FTC recommends the
following best practices for companies developing and selling IoT devices to consumers:
Encourage a culture of security at your company. Designate a senior executive who will be
responsible for product security. Train your staff to recognize vulnerabilities and reward them
when they speak up. If you work with service providers, clearly articulate in your contracts the
high standards you demand from them.
Implement “security by design.” Rather than grafting security on as an afterthought, build it into
your products or services at the outset of your planning process.
Implement a defense-in-depth approach that incorporates security measures at several levels.
Walk through how consumers will use your product or service in a day-to-day setting to identify
potential risks and possible security soft spots.
Take a risk-based approach. Unsure how to allocate your security resources? One effective
method is to marshal them where the risk to sensitive information is the greatest. For example, if
your device collects and transmits data, an important component of a risk-based approach is an
up-to-date inventory of the kinds of information in your possession. An evolving inventory serves
triple duty: It offers a baseline as your staff and product line change over time. It can come in
handy for regulatory compliance. And it can help you allocate your data security resources to
where they’re needed most. Free frameworks are available from groups like the Computer
Security Resource Center of the National Institute of Standards and Technology, or you may want
to seek expert guidance.
Carefully consider the risks presented by the collection and retention of consumer information. If
it’s necessary for the functioning of your product or service, it’s understandable that you’d collect
data from consumers. But be sure to take reasonable steps to secure that information both when
it’s transmitted and when it’s stored. However, it’s unwise to collect or retain sensitive consumer
data “just because.” Think of it another way: If you don’t collect data in the first place, you don’t
have to go to the effort of securing it.
Default passwords quickly become widely known. Don’t use them unless you require consumers
to change the default during set-up.
Conclusion
For enterprise consumers of IoT devices, these best practices provide a template for due diligence
questions to ask regarding technology your company may be considering.
The goal of the enterprise participating in the IoT should be to maximize the benefits while minimizing
the risk. Transparent and carefully tailored privacy practices, coupled with thoughtful and robust security
measures, will go far toward achieving this goal.
Applying the FTC’s guidance, the device provider’s security culture should be such that the security of
data collected by the IoT device is a primary consideration, baked into the design of the device, not an
afterthought or an add-on. The device should collect no more data than is necessary for its functions, and
the device provider should be clear about who has access to the data, for what purposes, and for how long.
Security settings should be readily accessible, user-friendly, and easy to apply. Users should set their
own, complex passwords, and protect them. And, consumers of IoT devices should insist on robust
security, and avoid devices that fail to provide it, or are unclear about their security practices.
When incorporating IoT devices into critical functions (think of the car, rifle, and pacemaker examples)
consider “worst case” scenarios, and have a disaster recovery plan. With these measures, enterprises can
partake of the IoT’s benefits, without the risks keeping anyone up at night.
L. Elise Dieterich is a partner with Kutak Rock LLP and leader of the firm’s privacy and data security
practice in Washington, DC. She is a member of this newsletter’s Board of Editors.
—❖—
FCC’s Proposed Data Privacy and Security Rulemaking for Broadband Internet Access Providers
By Alan L. Friel and Suchismita Pahi
In 2015, the Federal Communications Commission (FCC or the Commission) issued its Open Internet
Order, applying Section 222 of the federal Communications Act to broadband Internet access services
(BIAS), and in doing so took jurisdiction over privacy and data security matters for Internet Service
Providers (ISPs). It declined requests by some advocacy groups to take jurisdiction over online service
providers that do not offer broadband access, even if they offer services that, in some ways, arguably look
like those of a communications provider, the so-called "edge networks" like Facebook, Google, and
Yahoo. Doing so would have stretched the Commission's jurisdiction even beyond the significant
expansion required to regulate BIAS.
Having taken on BIAS, the Commission needed to address the fact that the FCC's privacy and data
protection regulatory scheme was designed for traditional telephone carriers; the expanded jurisdiction
necessitated refinement of the approach to address BIAS and the different kinds of data involved in data
services versus telephone services. On March 31, 2016, the FCC issued a Notice of Proposed
Rulemaking (NPRM) in proceeding 16-39 (In the Matter of Protecting the Privacy of Customers of
Broadband and Other Telecommunications Services) for the privacy and data security regulatory scheme
for ISPs. In short, the proposal would create a very burdensome privacy protection scheme that applies to
BIAS but to no other types of online services.
As a result, BIAS providers will have a much more difficult time providing interest-based advertising and
other services that take advantage of big data, even if in doing so they can provide consumers lower-cost
broadband. Much of the proposal calls for express opt-in consent to ancillary use and sharing of consumer
data, but the Commission questions whether some practices like exchanging discounts for consent should
be banned outright.
Key Aspects of the NPRM
The NPRM would regulate customer proprietary information (customer PI), which comprises two
categories. The first is customer proprietary network information (CPNI), which the NPRM proposes to
expand beyond the telephone-services definition to include any information the provider collects or
accesses in connection with providing BIAS, including service and traffic data, IP addresses, device IDs
and other unique identifiers. The second is personally identifiable information (PII) collected by the BIAS
provider, which also includes unique identifiers. Unlike under the telephone-service rules, directory data
and phone numbers are not exempt from the restrictions.
BIAS providers must offer transparency through privacy policies that explain data collection, use and
sharing, and the consumer’s choices. Great detail is given about how and when this must be done.
Choice is the most controversial aspect of the scheme. The NPRM would require explicit opting in for all
but the most narrow use and sharing:
Consent is implied for use and sharing that is necessary to provide broadband (but not
ancillary) services — “for example, to ensure that a communication destined for a certain
person reaches that destination.”
Providers and their affiliates that provide communications services may use customer PI to
market (but not to provide) communications-related services (but not ancillary services like
edge network services), subject to the customer’s ability to opt out of such use and sharing.
All other use and sharing requires explicit opt-in consent, obtained subsequent to the sale
(i.e., subscription to BIAS services) and prior to first use or disclosure requiring opt-in
consent. Although the FCC invites comment on the details of how opt-in consent should
work, the NPRM proposes that providers notify consumers at the time consent is sought “of
the types of customer PI for which the provider is seeking customer approval to use, disclose
or permit access to; the purposes for which the provider is seeking customer approval to use,
disclose or permit access to; the purposes for which such customer PI will be used; and the
entity or types of entities with which such customer PI will be shared.”
The NPRM proposes specific data security practices based on the HIPAA Security Rule (including
assessments) and breach notification obligations for BIAS providers.
A Targeted Approach
Rather than taking a flexible approach based on key data privacy and security principles and concepts of
reasonableness and consumer expectations, the FCC’s proposed regulatory approach is very specific,
limits data usage and sharing absent consent, and requires very detailed data security and breach
notifications. It proposes to mandate express opt-in consent for types of data usage, such as for interest-
based advertising, that edge networks and other online services that do not offer broadband will not have
to follow.
The FCC’s approach differs significantly from the technology-neutral approach to privacy and data
protection of the Federal Trade Commission (FTC), which had historically been the sole privacy data
protection regulator for BIAS. The FTC’s authority to regulate privacy and data protection under Section
5 of the FTC Act is limited to prohibiting deception and unfairness, with unfairness requiring a consumer
injury not outweighed by benefit to consumer or competition. As a result, the FTC’s approach is to
prohibit express misrepresentations concerning data practices and to look at reasonable consumer
expectations under particular circumstances to determine whether a practice is implicitly deceptive absent
notice and/or consent.
Consent, even when necessary, may typically be in the form of opting out, except for highly sensitive
information. The FCC, however, arguably has much broader authority, and the proposed rules exercise
that putative authority in creating a new sectoral privacy and data protection scheme for ISPs where the
default is limitation on data usage and sharing absent consent, which is proposed to be opt-in consent for
all but the most limited circumstances. Further, the FCC proposes that such consent must be separate from
the consumer's subscription agreement and potentially not bargained for by offering discounts.
As noted in dissents by Commissioners Pai and O'Rielly, the result will be vastly different rules for
different types of online services, with consumers being subject to different privacy principles and data
protection schemes depending on the type of platform and service they are using online. And the practical
impact will be to put BIAS providers at a competitive disadvantage relative to non-BIAS providers in
digital advertising, which relies on targeted consumer data, and in other emerging commercialization of
big data. As Commissioner O'Rielly concludes, "applying heightened standards to one segment of the
Internet economy will hamstring competition with the largest users of consumer data."
Conclusion
The FCC’s proposals would result in BIAS providers having constraints on their data practices, such as
those related to interest-based advertising, that do not apply to other digital service providers like Google
and Facebook, at least to the extent they remain edge networks. To the extent BIAS providers want to
compete on an equal footing with edge networks, should the rulemaking take effect as proposed, they
would need to segregate their BIAS and non-BIAS service offerings and related data. Further, the FCC’s
approach to privacy reflects a Californiaesque or European-style approach to what is treated as protected
data and the level of consent required to collect, use, and share such data. The comment period for
proposals ended May 27, 2016, and reply comments thereafter are due by June 27, 2016.
Alan Friel, CIPP and CIPM, is a partner at Baker Hostetler in its Los Angeles office and a member of
the Board of Editors of Cybersecurity Law & Strategy. He may be reached at [email protected].
Suchi Pahi is an Associate in the Houston office of Baker Hostetler. She practices privacy and security
law, and can be reached at [email protected].
—❖—
International Cybersecurity Compliance Concerns
By Steven Rubin and Stephen Milne
Compared with the rest of the world, the United States has historically taken a more open approach to
information. Social media has made even the most mundane and possibly personal pieces of data available
to many with the press of a finger. Such open relinquishment of private information is almost assumed and
has become part of American culture. Those who think about how easy it is to access data understand how
their own data has become part of searchable cyberspace.
European culture and laws are different. Privacy rights are assumed, information confidentiality is
maintained, and the United States concept of “discovery” is scorned. There is a concern that European
sensitive data should stay outside of the United States because the protection of such data in the United
States is not sufficiently strong. It is therefore not a surprise that the laws in the United States and in
Europe are inconsistent when it comes to cybersecurity.
Cybersecurity Law in the United States
The most significant piece of federal legislation in this area is the Cybersecurity Information Sharing Act
(CISA) passed in December 2015 (Division N of the omnibus spending bill). The purpose of this Act,
purportedly, is to promote information-sharing between the government and the private sector for issues
relating to cybersecurity and new threat vectors. The idea is that sometimes industry is aware of new
viruses or technical threats, but does not share the information with the government so that the
government may protect itself and/or inform the public. CISA creates a voluntary means for companies to
share their threat data with the government.
There are problems with sharing this information. While the act of sharing appears to be protected by
statute, the underlying problem may not be. If I see a threat to my system, I could tell the government
about that threat and the act of telling would not create a new cause of action. But, the law is not clear as
to whether that sharing could then lead to a lawsuit relating to the cause of the sharing. Stated another
way, I can tell the government I have a virus, and telling the government should not in itself expose my
company to liability. But, I could later get sued for failing to comply with certain cybersecurity
requirements because my system was infected with a virus and I did not take proper steps to protect the
data.
So, trying to comply with United States laws alone creates a dilemma. But if you consider complying
with CISA, you may also expose yourself to legal issues in Europe.
European Laws on Cybersecurity
Disclosure of personal data (capable of being used to identify a living person either on its own, or in
conjunction with other data in the possession of the person controlling how the data is used) relating to
EU nationals could cause serious potential issues in light of recent developments overseas. Previously
(before January 2016), many organizations relied upon the approved “Safe Harbor” regime framework
developed by the Department of Commerce (DoC) in the United States and the European Commission,
under which organizations could self-certify that they adhered to its principles. The certifying company
gave binding promises that they complied with privacy policy requirements and provided protections for
personal data that were sufficiently high that transfers of personal data from the EU to the United States
would be permissible under the applicable Data Protection Directive (the Directive).
However, the Safe Harbor regime has suffered a huge blow by virtue of a recent decision in the Court of
Justice of the European Union (CJEU). See, Maximillian Schrems v. Data Prot. Comm’r,
ECLI:EU:C:2015:650, CJEU 6 Oct. 2015, Case C-362/14. Maximillian Schrems was an Austrian citizen
who had been a Facebook user since 2008. Facebook habitually transferred some data provided by its EU-
based subscribers from its Irish subsidiary to servers located in the United States. Schrems lodged a
complaint with the relevant supervisory authority in Ireland on the basis that the law and practice in the
United States did not provide sufficient protection in relation to his data.
Initially, Schrems’ complaint was rejected, particularly on the basis that the Safe Harbor regime ensured
sufficient protection. However, on referral to the CJEU, the court held that the powers available to
national supervisory authorities cannot be eliminated just because the European Commission originally
decided that the Safe Harbor scheme provided such protection. The authority must look at the situation
independently and determine whether the transfer of a person’s data to a third country complies with the
requirements of the Directive.
CJEU then proceeded to consider the fact that public authorities in the United States are not subject to the
Safe Harbor scheme. Further, national security, law enforcement and public interest all may prevail to the
extent that a United States entity holding or processing data may be forced to ignore the requirements of
the Safe Harbor scheme where it conflicts with any of the foregoing. As a result, data would not be
protected in such circumstances and there were no clear limitations or restrictions on the public
authorities’ abilities.
In addition, there was no clear ability for individuals to pursue legal remedies in order to access their data
or to have it rectified or erased, which the CJEU viewed as inherent in the existence of the rule of law and
as compromising “the essence of the fundamental right to effective judicial protection.” The CJEU
therefore held that the original European Commission decision that Safe Harbor privacy principles
provided adequate protection was invalid — effectively nullifying the Safe Harbor option.
What Now?
The Safe Harbor route is no longer a valid basis upon which personal data can be transferred from the
European Union to the United States. But, there is not yet clear guidance as to what will replace it.
Indeed, different data protection authorities (DPAs) have been taking different approaches to this
evolving situation.
For example, the Information Commissioner’s Office (ICO), the supervisory data protection authority for
the United Kingdom, has been advocating that continued use of the Safe Harbor principles may still be a
sensible proposition in the interim. The ICO further indicated it will not take enforcement action
until an approved alternative to Safe Harbor has been determined. However, this guidance is not legally
binding and the ICO is keen to reiterate that companies need to review their compliance processes and
procedures.
This approach has been somewhat reflected in guidance from the Spanish regulator, which has indicated
that it will not rush to take enforcement action against companies provided they are working on
appropriate proposals and arrangements to ensure adequate protection of personal data. However, in stark
contrast, the data protection authority in Hamburg, Germany has already made it public that it does not
expect organizations to continue relying upon Safe Harbor and that it will take immediate enforcement
proceedings against any that do continue to transfer personal data outside the EU in this way. Such
proceedings could lead to fines of up to €300,000 (roughly U.S. $340,000) per violation.
Some Proposed European Solutions
The Article 29 Working Party (which is made up of representatives from the data protection authorities of
the EU states) recently confirmed that it views use of binding corporate rules and model contract clauses
as valid options to enable the transfer of data from the EU to the United States.
Binding Corporate Rules are essentially rules operated by an organization that put in place adequate
safeguards for protecting personal data in line with the Article 29 Working Party’s requirements. They are
not, however, a quick fix — as such rules require an application to, and approval from, the relevant data
protection authority via a relatively cumbersome design and implementation procedure, which usually
takes in the region of 12-18 months.
Model contract clauses are, on the other hand, considerably easier to implement provided both parties are
in agreement. These provide for an approved set of contractual obligations that eliminate the requirement
for the transferee of data to make their own assessment regarding the adequacy of the protections
provided. There are different sets of clauses depending upon the parties’ relationship and what they do
with the data.
A further possibility is to obtain express consent to the transfer of the data. However, even the more
relaxed data protection authorities are closely scrutinizing this route to effecting transfers, as the key
concern is whether consent is specific enough for what is happening to the data and whether it provides
any real protection to the individual. Much has been made in recent months of high-profile examples of
data having been harvested from individuals on the back of a generic data consent and having then been
retransferred, reused and resold multiple times in manners the individual who gave “consent” could not
possibly have anticipated. Consent on its own may well not be enough.
Privacy Shield
The European Commission and the DoC have agreed upon a new arrangement, known as the “Privacy
Shield,” as a replacement for the now defunct Safe Harbor scheme. The Privacy Shield is in fact a
collection of principles including:
Choice: Individuals will have the ability to opt-in or out as far as sensitive data is concerned, as
regards third-party marketing and in relation to any new use of their data which was not initially
contemplated.
Notice: Individuals must be informed of their rights, the principles of Privacy Shield, and given a
contact for complaints. They must also be given details about sharing and disclosure of their data
(including public authorities), and organizations will have to confirm their liability for data
processing.
Accountability: Organizations will be required to put in place formal, written contract
arrangements for onward transfers of data to other controllers or processors (with only limited
exceptions).
Security: Security measures must be implemented that are reasonable based on the nature of the
processing and the personal data being processed.
Integrity and Limitation: Data will have to be kept up to date and accurate, and data collection
will have to be limited strictly to what is relevant in the circumstances.
Access: Individuals will have the right to access their data and to require its correction and/or
deletion (unless the cost of doing so would be overly burdensome).
Recourse/enforcement: This is one of the crucial proposals and it provides for a free means of
recourse for individuals to be provided by the organization with the ability for individuals to
escalate complaints to local data protection authorities if the issue is not satisfactorily dealt with.
If that does not resolve the matter, then there is even scope for individuals to potentially initiate
arbitration claims.
Although intended implementation for Privacy Shield was set for June 2016, there are still a number of
criticisms being leveled by both politicians and commentators, so implementation will likely be delayed.
In addition, the General Data Protection Regulation (GDPR) is upcoming (albeit not applicable until May
2018), and it will bolster both the European Union’s data protection authorities’ powers (including the
ability to impose fines of as much as 4% of global turnover for breaches of data subjects’ rights) and their
likelihood to crack down on enforcement.
Conclusion
Each organization needs to review its current compliance arrangements and re-evaluate on the basis of the
above issues, implementing sensible interim solutions, at least, to avoid falling foul of the more
aggressive data protection authorities and their willingness to impose potentially sizeable fines.
Steven Rubin is a partner with Moritt Hock & Hamroff LLP in New York where he serves as Chair of
the firm’s Patent practice group and as Co-Chair of its Cybersecurity practice group. Stephen Milne is a
consultant with Memery Crystal LLP in London where he focuses on business law and commercial
contracts, including outsourcing, agency and distribution agreements, joint ventures, tender responses,
franchising, marketing, introduction, reseller and maintenance and support agreements and key ancillary
issues such as data protection and cybersecurity.
—❖—
EU Cybersecurity Directive Update
By André Bywater and Jonathan Armstrong
Cyber attacks and IT security breaches are being constantly reported (the “Panama Papers” being the
most recent spectacular example), and almost certainly represent just the tip of the iceberg. No one can
doubt that cybersecurity is a very significant global issue with cybercrime a major international menace
— any statistics about these issues always make for grim reading.
In the European Union (EU) a number of EU Member States already have some sort of national
cybersecurity rules in place, but there is nothing uniform at an EU-wide level and so the EU is
introducing new rules aimed at redressing this gap in the form of the (European Commission proposed)
“Directive of the European Parliament and of the Council concerning measures to ensure a high common
level of network and information security across the European Union” (EU Cybersecurity Directive,
sometimes also referred to as the NIS Directive).
At the end of last year, high-level EU political agreement was reached on these rules and their finalization
is now awaited. This article sets out in brief the main features of these forthcoming rules.
Why Should Businesses Be Concerned?
The EU Cybersecurity Directive is mainly aimed at EU Member States in that it requires them to improve
both their national cybersecurity capabilities and cooperation between them on cybersecurity. But, the
new rules will also affect businesses because appropriate security measures will need to be put in place
and incidents will have to be reported to national regulatory authorities by providers of critical services,
and of certain digital services. It must be emphasized that these new rules do not impose breach
notification obligations on everyone, unlike the recently published EU General Data Protection
Regulation (GDPR; to be fully applied from late May 2018), which imposes mandatory notification of
personal data breaches to a regulator (within 72 hours of becoming aware, unless the breach is unlikely to
result in a risk to individuals) on all organizations acting as data controllers.
What Are the Components of the New Rules?
The forthcoming rules can in effect be divided into the following three components.
First, EU Member States will have to adopt a “Network and Information Security” (NIS) strategy and
designate a national NIS regulatory authority, which must be adequately resourced, to be able to prevent,
handle and respond to NIS risks and incidents, and set up “Computer Security Incident Response Teams”
(CSIRTs) to handle incidents and risks.
Second, an EU cooperation mechanism will be set up between the EU Member States and the European
Commission to share early warnings on risks and incidents through a secure infrastructure, which will
include a network of “Computer Security Incident Response Teams.”
Third, affected organizations will be required to assess the risks they face and adopt appropriate and
proportionate measures, and, report to regulators major security incidents on their core services.
What Sectors Will Be Affected?
Two categories of sectors will be affected.
First, organizations in the following “Operators of Essential Services” sectors will be covered under the
EU Cybersecurity Directive: energy (electricity, oil, and gas); transport (air, rail, water and roads);
banking (credit institutions); financial market infrastructures (trading venues and central counterparties);
health (healthcare providers); water (drinking water supply and distribution); digital infrastructure
(Internet exchange points (which enable interconnection between the Internet’s individual networks),
domain name system service providers, and top level domain name registries).
It will be up to the EU Member States themselves to identify these operators specifically (upon
implementation of the EU Cybersecurity Directive into national laws) on the basis of specific criteria,
significantly for example, whether the service is essential for the maintenance of critical societal or
economic activities.
Second, key digital businesses, called “Digital Service Providers,” also fall under the EU Cybersecurity
Directive, in the following areas: Online marketplaces, which allow businesses to set up business on the
marketplace in order to make their products and services available online; cloud computing services; and
search engines. In contrast to “Operators of Essential Services,” Member States will not designate
particular businesses as “Digital Service Providers.” The new rules will apply to all entities falling within
the definition of “Digital Service Providers” set out in the EU Cybersecurity Directive, throughout the
EU.
It appears that, on the one hand, “Operators of Essential Services” will be required to ensure that systems
that they use to provide their critical services are “robust enough to resist cyberattacks,” while on the
other hand, “Digital Service Providers” will only be required to ensure that their infrastructures are
“secure.”
Both “Operators of Essential Services” and “Digital Service Providers” will, however, be required to
report major security breaches to the EU Member State regulators in question.
Please note that the sectors involved still need to be confirmed under the final version of the EU
Cybersecurity Directive — micro and small digital companies, and, social networks, will likely be
exempt. It still remains to be seen in the final version of the EU Cybersecurity Directive to what extent
the new rules will apply in the same way or differently to “Operators of Essential Services” and “Digital
Service Providers.”
The European Commission FAQs issued with the original proposal (discussed below) also state that the
national regulatory authority in question may require that the public is informed about incidents; public
announcement is not mandatory under the EU Cybersecurity Directive, but this will need to be confirmed
in the final agreed version.
Are Internet Service Providers or Network Owners Affected?
These organizations are already reporting incidents under the risk management and incident reporting
obligations under other EU rules, namely the so-called EU Telecoms Framework Directive.
Who Is Exempted from the Reporting Obligations?
Hardware manufacturers and software developers are exempted from the risk management and reporting
obligations. The same applies to specific sectors or sub-sectors, for example insurance, and, food supply.
Will Every Incident Have to Be Reported?
No, according to the European Commission FAQs issued with the original proposed EU Cybersecurity
Directive in 2013. This states that only incidents that have “a significant impact on the security of core
services provided by market operators and public administrations will have to be reported to the
competent national [regulatory] authority.” By way of examples, the FAQs provide the following: “an
electricity outage caused by an NIS incident and having a detrimental effect on businesses; the
unavailability of an online booking engine that prevents users from booking their hotels or of a cloud
service provider that inhibits users to get access to their content; the compromise of air traffic control due
to an outage or a cyber attack.”
Will Incidents Have to Be Reported To 28 EU Member States’ Systems?
According to the European Commission FAQs issued with the original proposed EU Cybersecurity
Directive, common reporting systems will be developed through implementing measures for the EU
Cybersecurity Directive. Specific templates might also be developed by the EU agency the European
Union Agency for Network and Information Security (ENISA), whose general objective is to improve
network and information security in the EU and which has already brought together national regulators
to develop harmonized national measures for risk management and incident reporting as part of the EU
telecoms rules.
What Are the Next Steps?
The EU Council and the European Parliament need to formally approve the new rules, which may occur
before this summer.
Once the EU Cyber-Directive is finally adopted at the EU level, EU Member States will then have to
adopt it into national legislation within 21 months, and, as mentioned, also officially identify “Essential
Services Operators” from the sectors in question within a further six months. The EU Member States will
also have discretion as to what sanctions to apply for breach of the EU Cybersecurity Directive as
implemented under national rules. The original version of the EU Cybersecurity Directive stated that
when there is a security breach involving personal data, the sanctions for infringing it must be in line with
sanctions imposed under the GDPR. As mentioned above, the GDPR has now been published and the
financial sanctions are set at a very high rate (maximum €20 million or 4% of total worldwide annual
turnover), so it will be important to see if this aspect of the EU Cybersecurity Directive will be
maintained.
Despite the aim of having EU-wide rules in place, because the legislative format being used is a
Directive, there will inevitably be a degree of divergence on some aspects, possibly such as indicated
above concerning public announcements about incidents. This said, divergence might be mitigated at least
as regards risk management and incident reporting for “Digital Service Providers” as it expected that this
work will probably be developed by ENISA, with the involvement of stakeholders, at a later stage.
What Preparation Is Needed?
Businesses that are likely to fall under the new rules may be asked in the individual EU Member States
to take part in a consultation before the EU Cybersecurity Directive is implemented into national law.
Those businesses could start to prepare by undertaking the following actions: alert
the Board about the incoming EU cybersecurity regime and plan resources to address it; set up procedures
to address risk assessment, crisis management response, internal investigation (guided by legal counsel),
and, incident reporting; update and/or revise policy documentation; undertake training; re-evaluate and/or
prepare a press strategy in the event of an IT security breach; and either reassess existing cyber insurance
or take out a new policy. Also, businesses doing business with “Essential Service Operators” and key
“Digital Service Providers” will have to consider how to factor in any possible downstream effects on
them.
André Bywater and Jonathan Armstrong are commercial lawyers with Cordery in London, UK, where
they focus on regulatory compliance, processes and investigations. Reach them at
[email protected] and [email protected].
—❖—
Measure to Manage: Understanding and Using Data to Affect Firm Change and Client
Relationships
By Justin Hectus and Peter Zver
Organized and meaningful data has been leveraged in progressive organizations for years, but now that
data and information is highly accessible and easily consumable via the ever-expanding digital mesh,
enterprise-level expectations and related legal business impact have been elevated. With this new reality
come many questions: What data should we collect? What needs to be measured? By whom? And, how
can metrics and key performance indicators (KPIs) not only effect change but provide a common
communication and measurement base for firms, their clients, and technology suppliers alike? Recently,
I (Director of Information at Keesal, Young & Logan (KYL)) and Peter Zver (Tikit North
America’s President) had the opportunity to present a business information “measure to manage”-themed
educational panel session as part of ALM’s 12th Annual Law Firm Chief Information & Technology
Officer’s Forum (CIO Forum). Our panelists, including industry pundit and founder of Procertas Casey
Flaherty, Google’s head of legal operations Mary O’Carroll, and Tikit’s customer value engineer Ryan
Steadman, discussed how to best organize and use data in ways that are useful to attorneys, firms, and
clients, while promoting positive behavioral change that impacts the bottom line and client relationships.
Specifically, we drilled down into real world ‘measure to manage’ examples including time data, system
utilization, technology proficiency, client KPIs and pricing.
This article takes into account Peter’s (PZ) technology innovator perspective and my (JH) law firm
technology and operations experience as it relates to the panel session. In my additional role as this year’s
CIO Forum Chair, I wanted to make sure to go beyond law firm concerns and challenges and focus on
what in-house legal operations professionals are looking for in terms of law firm service delivery. The
topic of baseline metrics that can be measured and subsequently managed and leveraged across the legal
ecosystem definitely fit this core objective.
PZ: Technology vendors need to claim responsibility when it comes to meeting firms’ client demands.
How can we leverage technology to contribute to overall client efficiency and what are some proven,
objective metrics that can help create win-win-win scenarios?
Benchmarking and Measuring the Basics
JH: From the law firm perspective, one of the most interesting things about what’s going on in the
landscape of metrics is that while there is ample ability to measure big data and analyze the complexities
of enormous data sets, many firms are overlooking the mundane repetitive tasks which, if optimized, can
have a big impact in terms of cost efficiency. For example, at KYL, we look at usage across all
applications and can determine who is using which applications, how much, and how well. If our
attorneys are knee-deep in a specific set of applications, we can custom tailor training to ensure that they
are using those technologies to the greatest effect, often resulting in certification. Instead of relying on
perceptions, we can use this new data reality [what’s actually happening vs. where usage and productivity
should be based on client expectations] and develop a measured action plan. This “360 perspective” really
provides a clear picture and road map ahead. So, even though there are a lot of really fancy tools we can
use and amazing things we can do with metrics and data analysis, there is considerable value to be had
from just measuring baseline technology use and maximize usage and effectiveness.
For us, it goes beyond investing in technologies that our clients want us to use and into listening to recent
client feedback (via RFP’s, Outside Counsel Guidelines, and one-on-one conversations) focused on
increased technology proficiency. Progressive clients expect us to validate that our attorneys have the
requisite skills to effectively leverage the best technology available, and now we’re seeing client-driven
technology audits similar to risk assessments focused on an objective confirmation that our timekeepers
are making the grade.
Designing to Measure
PZ: As a legal technology company, the focus on metrics has effected change for our clients, preceded by
how our clients interface with our technology. Here’s some reverse engineering logic to help explain: The
metrics are really a derivative of good data, good data is the derivative of good quality input by users,
and that input in turn is the result of good UI/UX.
As illustrated by this example, the needs of the law firm and how they will interact with specific
technologies are vital aspects to product development. Essentially that’s what brought along our latest
next generation timekeeping software. We had to consider the various consumer-centric user personas
right from the beginning so that we could develop technology that would not only address firm
timekeeping productivity needs but also provide value to the law firm-client relationship in the form of
metrics and KPIs that demonstrate billing transparency and accountability. Getting back to the reverse-
engineering paradigm, we had to start at the user engagement level — how would each user interact with
the application, on which platform? This goes back to creating the appropriate UI/UX which in turn
prompts engagement which prompts good data and accurate metrics. Now, law firms can take these
accurate metrics directly to their clients and demonstrate their service commitment and focus on
transparency.
We have learned over time that proper metrics measurement relies heavily on knowing your audience,
how they consume information and in turn delivering it in the proper format.
In the old days, consumption was easy. You would print out a report and put it on someone’s desk and
that was the route to transmitting information and creating specific action. Today, you have a
smorgasbord of endpoints that can be leveraged when looking to engage your users, so the $64,000
question becomes: “what are the 5-10 most popular endpoints and how can we create a user experience
that drives firm staff engagement?”
Impactful Law Firms Metrics
JH: The most important thing when you’re trying to determine where to improve operations is starting
with a real-time picture of where you are. Once you can get deep into the data, you can confirm
suspicions as well as learn new things that maybe you didn’t know before about usage patterns and the
direct correlation between things like realization rates and billing hygiene or technology proficiency.
From there, it is important to create transparency so that you connect the dots between what’s in the best
interest of the client, which is objectively the most important thing, and what the end users are doing. In
terms of users’ technology expertise, you can allow people to develop their own path to get to where they
should be or you can help them do that with very personalized one-on-one training. Ultimately, it goes
back to the same theme of “if you don’t measure, you don’t know.”
Metric Futures
We strongly believe in a “back to the basics” approach when it comes to determining where to start with
data analysis and measurement. Don’t get blinded by shiny metrics and complex analytics at the expense
of missing the mundane but major “low hanging fruit”; current behavior and engagement patterns that
with moderate tweaking of technology, processes and training, can yield significant gains. In a critical
application area like timekeeping, it might come down to providing firm users with an application
interface that best corresponds with how they work and interact with technology, ultimately leading to
better quality time data. For an MS Office power-user, it could mean a targeted training regimen focused
on maximizing productivity based on how they are currently using specific features and functions.
The same approach is equally effective in the areas of e-discovery and knowledge management. Effective
use of these common apps increases quality and consistency and reduces overall cost to the client. From a
technology development standpoint, this requires understanding user personas; user engagement and how
our consumer-driven professionals will best interact with specific applications. None of this is possible
without measuring the baseline, in order to determine where firm users are and how technology, processes
and common sense can take them to the next level.
Justin Hectus is the director of information at Keesal, Young & Logan, where he oversees a variety of
operational functions including the direction of the firm’s IT vision, strategy and execution. A member of
this newsletter’s Board of Editors, Hectus is a two-time ILTA Distinguished Peer Award winner. Peter
Zver is the president of Tikit North America and has been serving the legal technology market for over
two decades. His background in information systems and finance and his experience running technology
companies have enabled him to collaborate with law firms globally on delivering time and knowledge
management solutions to users.
—❖—
e-Discovery and Security
The Inevitable Reinvention of the e-Discovery Industry
By Jared Michael Coseglia
The e-discovery industry is on the precipice of major change yet again, and this time it is all about
security. What will distinguish the winners from the losers in the next few years will be an organization’s
ability to do one of three things: consolidate, innovate or reinvent.
Consolidation is clearly the strategy of larger service providers like DTI, Epiq and Consilio, which now
sit atop the “revenue castle” as the biggest players in the space. Innovation remains a viable option,
especially for up-and-coming companies with proprietary cloud technology like Everlaw’s Disco,
Driven’s One or Logikcull.
The innovation angle may be more challenging, however, for middle-market e-discovery vendors
(roughly $30-$60MM/year), which do not want to sell to larger companies and are entrenched in
Relativity services. These providers, as well as some law firms that still use Relativity to generate profit
for the firm, are wisely fearful of what kCura directly offering “a Relativity license through kCura using
Microsoft Azure to deploy on a cloud infrastructure” will do to their businesses. A third option for growth
(or survival) is reinvention.
This article delves into the evolving landscape of law firms, corporations and service providers in regard
to their e-discovery practices and businesses, and explores what an organization needs to do to stay
competitive and profitable in today’s new security-centric environment.
What Are We Evolving Into?
At the 2016 ACEDS (Association of Certified eDiscovery Specialists) Conference held in New York
City, an entire day of preconference education and demonstration was fully dedicated to “cybersecurity
for legal professionals.” In fact, over the course of the three-day conference event, there was as much
focus on topics of security, information protection and governance and privacy as there was on what the
community typically considers e-discovery topics (project management, legal analytics and rule changes
affecting the practice of law).
Craig Ball, a thought leader in the e-discovery space for decades, gave an incredibly vibrant presentation,
“The Crystal ‘Ball’: A Look into the Future of e-Discovery,” in which he stated that “e-discovery will be
as much about privacy, security and information governance in the future” as it will be about all the
traditional aspects of the EDRM (Electronic Discovery Reference Model) that we have come to accept as
standards. Our ALM sibling, Legaltech News, has published numerous surveys and reports in the last few
months stating that, among other things, “corporate cybersecurity spending will increase 38% over the
next 10 years” and “80% of [law firms] consider cybersecurity and privacy one of their top 10 risks” in
2016 and beyond. The evolution is clear: With continued e-discovery price compression, commoditization
and consolidation, the next frontier for all legal technology professionals is matters of cyber risk, security
solutions and privacy.
Service Provider Reinvention
There is no doubt that consultancies are the front-runners, bolstering and recalibrating their talent force to
compete in the cybersecurity space. More practice groups have been developed and leadership hired with
a focus on legal security and privacy in the last year than in the five years prior combined. The
consultancies are generally pulling their leadership-level cyber talent from two places: corporations and
the federal government.
This is a huge departure from how e-discovery companies and consultancy divisions acquire talent: they
now hire almost entirely from each other, occasionally from law firms or corporate clients, and almost
never from government agencies. High-end hiring in e-discovery at service providers is more about
drawing talent for revenue and relationships than it is about subject matter expertise, since those skills
are far more saturated in the legal market than ever before. When it comes to cyber staffing and talent
augmentation, however, hiring motivations are entirely about expertise, with the belief that those leaders
will eventually drive revenue through new relationships, and perhaps through existing relationships they
developed in their government positions.
Consider some of the recent hires by some of the largest consulting firms in the country: K2 Intelligence,
“an investigative and integrity consulting firm founded in 2009 by Jeremy M. Kroll and Jules B. Kroll,
the originator of the modern corporate investigations industry,” recently brought Austin Berglas over as
the senior managing director and head of U.S. Cyber Investigations and Incident Response. Prior to K2,
Berglas spent just under 20 years at the FBI focusing on cybersecurity. Navigant Consulting just hired
Bob Anderson in January 2016 after a 21-year run at the FBI culminating in his appointment as executive
assistant director (EAD) of the Criminal, Cyber, Response and Services Branch.
The list goes on and will continue to do so as consulting firms look to the FBI, CIA and other elite
government entities to transition experts out of potential retirement and into the private sector. There is
simply no talent quite like the talent at such agencies when it comes to expertise in combating
cyberwarfare and defending against data theft and intrusion.
This year through 2018 will mark a peak period of opportunity for federal thought leaders in cyber to
move into leadership roles at large global consulting firms. Traditional e-discovery vendors that see the
cyber arena as tangential to their business, rather than mission critical, would be well advised to consider
bolstering their staff and imagining a future where these services don’t just command a premium, but are
a requirement to win business with larger global corporations and law firms.
Middle-market e-discovery providers can best begin to mature their staff and services with an eye toward
security in their forensic collections division. Forensics is the intersection between e-discovery and
cybersecurity careers and offerings. Kevin Treuberg, national director of forensic services at CDS Legal
in New York, makes a key observation regarding e-discovery forensics and cybersecurity forensics:
“Back when I began in the industry, computer forensics and cybersecurity were one and the same. A
technician was capable of straddling both disciplines: able to investigate the most complex data breaches
plus identify the actors responsible. With the advent of ‘push-button computer forensics’ in the early
2000s (due to the proliferation of advanced computer forensics software solutions), there was a demand
for technicians [who] were strictly focused on the static environment of computer forensics without the
focus on network intrusion analysis.” Treuberg goes on to profess that “in today’s environment, you now
need to be able to identify and react to threat vectors both on the network and static fronts to best serve
your clients.”
While some midmarket e-discovery vendors may still see forensics as “collections” and a means to feed
their processing and hosting businesses, consider also that, for now, services focused on cybersecurity can
be unique differentiators, if not requirements.
The growing dominance of master service agreements (i.e., subscription-based pricing models), coupled
with aggressive consolidation in the e-discovery vendor market, offers the opportunity to distinguish a
single commodity service from newer, more complex services that span a broader range of client-vendor
collaboration beyond the EDRM. Much of what happens in the CSRM (Cybersecurity Reference Model)
happens before the EDRM, the greatest overlap being “information governance.”
As corporations decide which providers to engage in multimillion-dollar annualized contracts, the breadth
of service is slowly becoming as important as the depth of expertise in a particular service. Corporations
want to engage fewer vendors to get the job done, and with so much downstream e-discovery business
stemming from a client’s maturity around data governance and security, middle-market e-discovery
providers may need to have experts on staff who can consult on cyber and privacy-related issues to win
client business much earlier in the life cycle of data creation and maintenance.
Whether you are a $30MM e-discovery vendor or a $300MM player, having a go-to industry expert on
staff to drive conversations with existing clients while developing a practice in this new area is becoming
essential. The opportunistic reality of this advice is demonstrated by the hiring (or lack of hiring)
practices in the Am Law 200 and Fortune 1000.
Corporate and Law Firm Reinvention
Corporate cybersecurity leaders will also be ripe targets for recruitment as consulting firms develop more
mature teams in the security and privacy vertical. Shahryar Shaghaghi recently joined BDO Consulting as
national leader, Technology Advisory Services, and head of International BDO Cybersecurity after years
at Citigroup. Corporations will in turn do one of three things in the wake of losing their core information
protection talent: hire a similarly experienced replacement from another corporation, engage an outside
consultant or promote from within (consider that “outside consultant” often converts into a full-time hire
for the client). There will be CISO (Chief Information Security Officer) opportunities in the Fortune 500
in the next five years as a result of this matriculation.
The Am Law 200’s response to security staffing has been, and will continue to be, very different.
Law firms, notoriously slow to adopt advanced technology, are equally slow in creating exclusively
dedicated in-house roles for cybersecurity. As mentioned earlier in this article, cybersecurity law is a
sector that is showing increasing demand for talent and salary potential for practicing attorneys.
Outside of the practice of law around privacy and security, law firms are not bolstering their staff with
technical security experts in order to address issues around their own data, and probably their clients’ data
as well. According to the ABA in 2015, “58% [of law firms with 500 or more attorneys] did not have a
dedicated Chief Information Security Officer (CISO) or another staff member charged with data
security.” Firms are instead leaning on the “Cyber 500” vendors and consultancies to help them or are
promoting someone from within (a CIO, global network manager, IT director) to learn security disciplines
and take control of the problem. This makes it a great time to be a vendor in the information security
vertical, especially if you are servicing law firms. However, most of the “Cyber 500” are focused on
corporations and not law firms, though that is slowly changing. Again, with timing being everything, now
could be a good window for middle-market e-discovery vendors whose relationships with law firm clients
are deep and lengthy to offer security services before the market becomes as saturated with players as
e-discovery is.
Consolidation, Innovation, But Mostly Reinvention
The focus of this article has been on how and why an individual or a company needs to pivot its thinking
toward an emphasis on security. For the profit-minded, security vendors and consulting firms are charging
healthy premiums for services and technology while the security market remains fractured and largely not
understood. Job hopping and practice group development in the consulting world are rampant, as
opportunity is high and talent supply low.
Federal employees have a rare and unique window of opportunity to lead the future of the private sector’s
cybersecurity community. This is exactly where e-discovery was 10 years ago, and 10 years from now,
security will commoditize, consolidate and price compress, forcing another revolution and reinvention of
the standards for everyone making a living servicing law firms and corporations in the legal vertical. For
those of you who have lived, learned, succeeded, failed, but most importantly remained loyal to the art of
e-discovery, the time may finally have arrived to consider reinvention (personally and holistically) if you
wish to experience profitability, complex challenge and prestige in the legal community for the next
decade.
Jared Michael Coseglia is the founder and CEO of TRU Staffing Partners. A member of this
newsletter’s Board of Editors, he has over 12 years of experience representing talent in e-discovery,
litigation support, cybersecurity, and broadly throughout legal and technology staffing. Coseglia has
successfully placed over 2000 professionals in full-time and temporary positions at the AmLaw 200,
Fortune 1000, Cyber 500, Big 4, and within the e-discovery consultancy and service provider community.
He can be reached at [email protected].
—❖—
Movers & Shakers
Judy Selby, a frequent contributor to this newsletter’s predecessor, e-Commerce Law & Strategy, left her
position as co-chair of Baker & Hostetler’s information governance team, to become a managing director
at BDO Consulting, with a focus on cybersecurity and cyber insurance.
Saul Ewing added April Doss, previously an associate general counsel for intelligence law at the
National Security Agency, as a partner in Baltimore and Washington, DC, where she will lead the firm’s
newly formalized cybersecurity and privacy practice.
Richard Borden, a former senior vice president and assistant general counsel at Bank of America Corp.,
joined Hartford, CT-based Robinson & Cole as counsel for its cybersecurity and data privacy team.
DLA Piper hired Rena Mears, managing director of data risk, cybersecurity and privacy at Am Law 200
firm BuckleySandler, as a principal for its cybersecurity group in San Francisco. Mears, a former leader
of privacy and data protection services at accounting giant Deloitte, does not provide legal services as a
nonlawyer.
—❖—
The publisher of this newsletter is not engaged in rendering legal, accounting, financial, investment advisory
or other professional services, and this publication is not meant to constitute legal, accounting, financial,
investment advisory or other professional advice. If legal, financial, investment advisory or other professional
assistance is required, the services of a competent professional person should be sought.