The law firm of choice for internationally focused companies

+263 242 744 677

admin@tsazim.com

4 Gunhill Avenue,

Harare, Zimbabwe

The Legal Landscape Of Privacy: Why Lawyers Must Keep Up With Change – Above the Law

Posted on by TSA Press

Ed.
note:
This
is
the
latest
in
the
article
series,


Cybersecurity:
Tips
From
the
Trenches,
by
our
friends
at

Sensei
Enterprises,
a
boutique
provider
of
IT,
cybersecurity,
and
digital
forensics
services.

We
are
nearing
the
end
of
another
year
filled
with
significant
advancements
in
cybersecurity
protections
adopted
by
law
firms
to
combat
the
constant
cyberattacks
they
face.
Law
firms
are
finally
embracing
Endpoint
Detection
and
Response
(EDR)
software,
cybersecurity
awareness
training,
and
phishing
simulations.
The
reality
is
that
the
measurement
of
cybersecurity
protections
can
never
be
genuinely
quantified.
The
primary
reason
is
because
the
goalpost
everyone
aims
for
keeps
moving
farther
and
farther
away
with
each
new
vulnerability
or
attack
method
discovered
or
developed
by
attackers.
The
continually
evolving
and
complex
world
of
cybersecurity
shows
no
signs
of
slowing
down.


More
Governance.

What
else
must
law
firms
endure
besides
constant
cyber
and
phishing
attacks?
How
about
further
governance
regarding
data
privacy?
Law
firms
got
a
taste
of
this
in
2016
with
the
EU’s
passing
of
the
General
Data
Protection
Regulation
(GDPR),
touted
as
the
world’s
strictest
privacy
and
security
law.
The
GDPR
imposes
obligations
on
any
organization
that
targets
or
collects
data
related
to
people
in
the
EU.

The
California
Consumer
Privacy
Act
(CPPA)
went
into
effect
in
January
2020,
providing
residents
of
California
with
greater
control
over
personal
data
collected,
including
the
ability
to
request
a
business
to
delete
any
harvested
personal
information.
This
legislation
applies
to
anyone
who
does
business
in
California
that
meets
certain
thresholds.
That’s
just
California’s
privacy
law.
There
are
now
20
states
that
have
varying
degrees
of
data
privacy
laws.

As
a
result
of
governance,
law
firms
have
adopted
privacy
and
data
collection
policies
to
meet
these
requirements,
including
GDPR
policies
and
popup
notifications
regarding
Cookies
and
the
types
of
data
collected
when
visitors
browse
their
websites.
Failure
to
abide
by
and
comply
with
these
changing
regulations
may
result
in
malpractice
claims,
lawsuits,
or
fines
for
non-compliance.
That
certainly
has
gotten
the
attention
of
many
law
firms.
Suddenly,
law
firms
are
taking
the
long-standing
regulations
seriously,
which
have
largely
been
ignored
in
the
past.


Driven
by
Client
Demand

It’s
not
just
the
cyber
insurance
carriers;
clients
have
also
gotten
smarter
about
data
protection.
Law
firms
commonly
receive
cybersecurity
questionnaires
from
larger
corporations
or
defense
contractors,
which
must
be
completed
before
engaging
with
the
law
firm.
Clients
demand
to
know
what
protections
are
in
place
to
keep
their
data
safe
and,
in
some
instances,
want
proof—not
just
self-attestation.
These
questions
are
very
similar
to
those
asked
by
cyber
insurance
providers.

Some
of
the
cybersecurity
measures
asked
about
by
clients
include:

  • Are
    100%
    of
    endpoints
    protected
    by
    “next-gen
    antivirus”
    and
    “EDR”
    software?
  • Have
    you
    had
    a
    penetration
    test
    and
    vulnerability
    assessment
    performed
    within
    the
    last
    year,
    and
    if
    so,
    were
    all
    the
    medium,
    high,
    and
    critical
    vulnerabilities
    remediated?
  • Are
    your
    information
    systems
    monitored
    by
    a
    Security
    Information
    and
    Event
    Management
    (SIEM)
    solution
    backed
    by
    a
    24/7
    Security
    Operations
    Center?
  • Are
    your
    critical
    systems
    backed
    up
    to
    an
    offsite
    location
    protected
    against
    ransomware
    attacks
    or
    infections
    (immutable
    backups)?
  • Have
    your
    employees
    attended
    a
    cybersecurity
    awareness
    training
    session
    within
    the
    last
    12
    months?
  • Is
    MFA
    required
    for
    access
    to
    all
    firm
    resources?

These
are
some
very
tough
questions
from
clients,
but
they
underscore
the
importance
of
data
protection
and
privacy
from
the
client’s
point
of
view.
Law
firms
that
haven’t
implemented
the
requested
measures
often
use
the
request
as
a
catalyst
for
positive
change
to
implement
the
solutions
before
responding
to
the
questionnaire
and
are
willing
to
take
on
the
cost
to
get
the
client.
It’s
a
win-win.


Risks
of
Litigation

It
was
only
a
matter
of
time
before
the
data
breach
attorneys
showed
up
to
the
party.
 Class
action
lawsuits
have
now
become
a
nightmare
for
law
firms
who
have
suffered
a
data
breach.
Law
firms
are
becoming
subjects
of
class
action
lawsuits,
which
often
tend
to
settle
relatively
quickly
without
the
details
being
outlined
in
court.
Class
action
lawsuits,
expensive
data
breach
notification
requirements,
and
monetary
fines
from
State
Attorney
Generals
for
data
privacy
violations-
what
more
can
be
done
to
drive
the
point
home
about
the
need
for
rigorous
data
security
protections?
For
a
long
period
of
time,
law
firms
hesitated
to
take
on
class
action
lawsuits
against
other
law
firms
which
suffered
data
breaches.
Those
days
are
long
gone.

Mandated
privacy
and
data
protection
are
here
to
stay,
as
are
cyberattacks.
Law
firms
must
remain
proactive
in
adopting
these
measures
which
benefit
the
firm
and
its
clients.
Serious
reviews
of
your
cybersecurity
and
annual
security
changes
mitigate
risk
and
exposure
and
will
keep
class
action
lawsuits
at
bay.
As
an
added
benefit,
you
may
even
get
your
cyber
insurance
carrier
to
lower
your
premium
(or
not
increase
it
as
much
as
they
usually
do)
with
all
the
added
security
measures
you’ve
implemented.


Michael
C.
Maschke
([email protected])
is
the
President
and
Chief
Executive
Officer
of
Sensei
Enterprises,
Inc.
Mr.Maschke
is
an
EnCase
Certified
Examiner
(EnCE),
a
Certified
Computer
Examiner
(CCE
#744),
an
AccessData
Certified
Examiner
(ACE),
a
Certified
Ethical
Hacker
(CEH), and
a
Certified
Information
Systems
Security
Professional
(CISSP).
He
is
a
frequent
speaker
on
IT,
cybersecurity,
and
digital
forensics
and
he
has
co-authored
14
books
published
by
the
American
Bar
Association.


Sharon
D.
Nelson
([email protected])
is
the
co-founder
of
and
consultant
to
Sensei
Enterprises,
Inc.
She
is
a
past
president
of
the
Virginia
State
Bar,
the
Fairfax
Bar
Association,
and
the
Fairfax
Law
Foundation.
She
is
a
co-author
of
18
books
published
by
the
ABA.


John
W.
Simek
([email protected])
is
the
co-founder
of
and
consultant
to
Sensei
Enterprises,
Inc.
He
is
a
Certified
Information
Systems
Security
Professional
(CISSP),
a Certified
Ethical
Hacker
(CEH),
and
a
nationally
known
digital
forensics
expert.
He
is
a
co-author
of
18
books
published
by
the
ABA.