{"id":10725,"date":"2015-10-22T11:00:23","date_gmt":"2015-10-22T18:00:23","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=10725"},"modified":"2020-04-21T14:29:00","modified_gmt":"2020-04-21T21:29:00","slug":"the-cybersecurity-canon-locked-down-information-security-for-lawyers","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2015\/10\/the-cybersecurity-canon-locked-down-information-security-for-lawyers\/","title":{"rendered":"The Cybersecurity Canon: Locked Down: Information Security for Lawyers"},"content":{"rendered":"<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red.png\"><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:43.6%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-large wp-image-9648 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-500x218.png\" alt=\"cybersec canon red\" width=\"500\" height=\"218\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-500x218.png 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-230x100.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-510x223.png 510w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-91x40.png 91w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red.png 786w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/span><\/div><\/a><\/p>\n<p><em>We modeled the Cybersecurity Canon after the Baseball or Rock &amp; Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. 
<a href=\"https:\/\/paloaltonetworks.com\/threat-research\/cybercanon\/nominate-a-book.html\" target=\"_blank\" rel=\"noopener noreferrer\">Please write a review and nominate your favorite<\/a>.\u00a0<\/em><\/p>\n<p><em>The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!<\/em><\/p>\n<p><strong>Book Review by <a href=\"https:\/\/www.paloaltonetworks.com\/threat-research\/cybercanon\/cyber-security-canon-bios.html\" target=\"_blank\" rel=\"noopener noreferrer\">Canon Committee Member, Christina Ayiotis<\/a>:\u00a0<\/strong><em>Locked Down: Information Security for Lawyers<\/em>\u00a0(2013) by Sharon D. Nelson, David G. Ries, and John W. Simek<\/p>\n<p><strong><em>FULL DISCLOSURE<\/em><\/strong><em>: I have known Sharon and John personally and professionally for more than a decade and consider them good friends. We have participated together on panels, spoken at the same conferences, and served on committees and boards of directors together. We have similar areas of expertise and civic commitment.\u00a0 <\/em><!--more--><\/p>\n<h3>EXECUTIVE SUMMARY<\/h3>\n<p>Sharon, David and John published an important book on information security for lawyers and law firms three years ago. Given the number of law firm breaches since, it appears that few lawyers read or heeded their advice. <em>Locked Down<\/em> is an easy-to-read overview of why lawyers need to implement good information security, not just cybersecurity, and how. It is <strong><em><u>even more relevant today<\/u><\/em><\/strong> than when first published. 
This book belongs in the <strong>Cybersecurity Canon<\/strong> because it provides cybersecurity professionals context regarding the legal profession\u2019s requirements and strategies for dealing with cyber and information risk and obligations.<\/p>\n<h3>INTRODUCTION<\/h3>\n<p>Cybersecurity is such an important topic in the legal field that lawyers are starting to pay actual money to be a part of a brand-new Legal Services Information Sharing &amp; Analysis Organization (sold to them by the FS-ISAC) [1]. While my fellow Cybersecurity Canon Committee member Ben Rothke wrote an Amazon review of this book in May 2013 [2], he did so from a Cybersecurity\/IT professional\u2019s perspective. My review will primarily be from the perspective of a Cyber Attorney, former Deputy General Counsel of a technology services multinational, Privacy Expert, Certified Records Manager and active member in good standing of the Virginia State Bar for 24 years.<\/p>\n<h3>REVIEW<\/h3>\n<p>When <em>Locked Down<\/em> was published, the American Bar Association (a private-sector voluntary professional association with no lawmaking power or regulatory authority that relies on the State Bars as independent enforcement organizations) was still considering updates to its Model Rules of Professional Conduct that would bring them into the 21st Century. While those updates are now in effect, and they include being competent regarding the \u201cbenefits and risks associated with relevant technology,\u201d there is little evidence that the more than one million lawyers in the U.S. have sufficiently educated themselves to be considered competent. Reading this book would be a good start. 
Then, taking it to their IT colleagues (or consultants, if they are solo or a small firm) and working together to understand how the various strategies are (or could be) implemented would be the next logical step.<\/p>\n<p>While the book starts with \u201cdata breach nightmares,\u201d it\u2019s probably no longer necessary to start with fear. Information security is now a <strong><em>business<\/em><\/strong> imperative for clients, and they drive the requirements (most of which are conveniently explained). While it is 319 pages in total, the text runs only 170 pages; the rest of the book contains helpful Appendices and an Index.<\/p>\n<p>Yes, lawyers have ethical obligations to keep client information confidential, but there are common law duties, as well as regulatory\/statutory requirements for certain data types (that affect both lawyers and clients alike), and the authors provide that as background. The book then delves into all aspects of security (physical, information, cyber and personnel) and uses real case studies to make its points. For example, the authors recount the horrifying and \u201camusing\u201d story about Kevin Mitnick taking on a new identity as Eric Weiss, \u201cthe real name\u2026of\u2026Harry Houdini (sic)\u201d to get a job as a systems administrator at a Denver law firm. Ironically, there has been an explosion of cybersecurity practices at law firms in the last few years\u2014the shoemaker\u2019s children excuse will definitely not work for them. It would not surprise me to see a day when a law firm is sued by a client because of a data breach and <em>Locked Down<\/em> is entered into evidence to demonstrate the \u201creasonable care\u201d law firms should be taking with respect to security.<\/p>\n<p>\u201cTwo lawyers and an IT expert\u201d sounds like the beginning of a good joke, but it is the unique blend of perspectives and expertise the authors bring that makes the book so readable. 
A SANS Institute Glossary of Security Terms is conveniently located in Appendix M, so lawyers unfamiliar with such terms can easily look them up. Topics such as authentication, secure configuration, and virtual private networking (VPN) should be part of every lawyer\u2019s lexicon, if for no other reason than their clients have the exact same issues protecting information in their own environments.<\/p>\n<p>The advice on securing desktops, laptops, mobile devices, email, voice communications, etc. covers general business issues that all professionals should be aware of. Outsourcing and cloud computing are even more prevalent today, and managing that third-party risk is not just an ethical duty but also a business requirement; the authors\u2019 recommendations in that regard are critical. It\u2019s also important for law firms to acknowledge that clients consider them to be third-party vendors that must similarly meet baseline security requirements. Appendix H: \u201cLockdown: Information Security Program Checklist\u201d is an excellent starting point.<\/p>\n<p>The Certified Records Manager in me applauds the inclusion of Chapter 13: \u201cSecure Disposal,\u201d and the authors get extra points for citing a relevant NIST standard. While the book focuses on information <em>security<\/em>, it is important to recognize that end-to-end information management (for both client and law firm information) is the goal (to mitigate risk and reduce costs). Chapter 15: \u201cSecuring Documents\u201d is particularly important for lawyers because legal advice provided within documents and relevant communications channels must be kept secret in order to be protected by the attorney-client privilege (not to mention the requirements for trade secrets). There is also an important discussion regarding metadata (from both operating system and application perspectives) \u2013 not surprising given that Sharon and John (along with Bruce A. 
Olsen) wrote <em>The Electronic Evidence and Discovery Handbook: Forms, Checklists and Guidelines<\/em>.<\/p>\n<p>They cover cyberinsurance but caution that policies are confusing and care must be taken to understand what exactly is covered (and what is not). They end the book looking at \u201cThe Future of Information Security,\u201d and readers should be aware that the topics covered (laws and regulations, BYOD, passwords, policies and plans, mobility, cloud computing, social media, and training) are all everyday issues now.<\/p>\n<h3>CONCLUSION<\/h3>\n<p>Given how quickly technology evolves, in the next edition of <em>Locked Down<\/em> the authors will likely have to add sections on wearables, biometrics as part of multifactor authentication, quantum encryption, virtual law practices, etc., but lawyers should feel comfortable knowing that mastering what\u2019s in this book puts them in a defensible position. Furthermore, good information security is now a business differentiator. Law firms that implement all of the book\u2019s recommendations can use their superior cybersecurity standing when marketing their services. 
[3] They can even give clients a copy of <em>Locked Down<\/em> for their own use (and no, I\u2019m not getting paid a commission on book sales).<\/p>\n<p><strong>SOURCES<\/strong><\/p>\n<p>[1] \u201cLegal Services Information Sharing &amp; Analysis Organization,\u201d by the FS-ISAC, Last Visited 21 October 2015,\u00a0<a href=\"http:\/\/www.fsisac.com\/ls-isao\" rel=\"nofollow,noopener\" >http:\/\/www.fsisac.com\/ls-isao<\/a><\/p>\n<p>[2] \u201cTop Customer Reviews: Locked Down: Information Security for Lawyers,\u201d by Ben Rothke, Amazon, 20 May 2013, Last Visited 21 October 2015,\u00a0<a href=\"http:\/\/www.amazon.com\/Locked-Down-Information-Security-Lawyers\/dp\/1614383642\" rel=\"nofollow,noopener\" >http:\/\/www.amazon.com\/Locked-Down-Information-Security-Lawyers\/dp\/1614383642<\/a><\/p>\n<p>[3] \u201cLaw firm makes a case for security certification,\u201d by Mary K. Pratt, CIO.COM, 28 August 2015, Last Visited 21 October 2015,\u00a0<a href=\"http:\/\/www.cio.com\/article\/2969323\/security\/law-firm-makes-a-case-for-security-certification.html\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.cio.com\/article\/2969323\/security\/law-firm-makes-a-case-for-security-certification.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We modeled the Cybersecurity Canon after the Baseball or Rock &amp; Roll Hall-of-Fame, except for cybersecurity books. 
We have more than 25 books on the initial candidate list, but we are soliciting &hellip;<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[155,4521],"tags":[251,1529],"coauthors":[1364],"class_list":["post-10725","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-2","category-canon","tag-cybersecurity-canon","tag-locked-down"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/10725","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=10725"}],"version-history":[{"count":5,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/10725\/revisions"}],"predecessor-version":[{"id":109921,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/10725\/revisions\/109921"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=10725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=10725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=10725"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=10725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel
}","templated":true}]}}