
June 2016

In This Issue:

Navigating New Terrain: Law Firms Facing Unprecedented Cyber Risk

Benefits and Risks of the Internet of Things

FCC’s Proposed Data Privacy and Security Rulemaking for Broadband Internet Access Providers

International Cybersecurity Compliance Concerns

EU Cybersecurity Directive Update

Measure to Manage: Understanding and Using Data to Affect Firm Change and Client Relationships

e-Discovery and Security

The Inevitable Reinvention of the e-Discovery Industry

Movers & Shakers

Cybersecurity Law & Strategy June 2016

Volume 1, Number 1

To order this newsletter, call: 800-756-8993

On the Web at: www.ljnonline.com/ljn_cybersecurity

Cybersecurity Law & Strategy

Editorial Director: Wendy Ampolsk Stavinoha

Managing Editor: Steven Salkin, Esq.

Editor-in-Chief: Adam Schlagman, Esq.

Board of Editors:

Jonathan P. Armstrong

Cordery

London, UK

John Beardwood

Fasken Martineau DuMoulin LLP

Toronto

Brett Burney

Burney Consultants

Cleveland, OH

Alisa L. Chestler

Baker Donelson

Washington, DC

Jared M. Coseglia

TRU Staffing Partners, Inc.

New York

Jeffrey P. Cunard

Debevoise & Plimpton LLP

Washington, DC

Jake Frazier

FTI Consulting

Houston, TX

D. Reed Freeman Jr.

Wilmer Cutler Pickering Hale and Dorr LLP

Washington, DC

Alan L. Friel

BakerHostetler

Los Angeles

Collin J. Hite

Hirschler Fleischer

Richmond, VA

David F. Katz

Nelson Mullins Riley & Scarborough LLP

Atlanta, GA

Ari Kaplan, Esq.

Ari Kaplan Advisors

New York

Justin Hectus

Keesal, Young & Logan

Long Beach, CA

Staci D. Kaliner

Redgrave LLP

Washington, DC

Dan Lear

Avvo

Seattle, WA

Kelly Lloyd

McCarter & English

Newark, NJ

Emile Loza

Technology & Cybersecurity Law Group, PLLC

Washington, DC

Ian D. McCauley

Morris James LLP

Wilmington, DE

Jeffrey D. Neuburger

Proskauer Rose LLP

New York

Nicholas A. Oldham

King & Spalding LLP

Washington, DC

Mark Sangster

eSentire

Cambridge ON, Canada

Navigating New Terrain: Law Firms Facing Unprecedented Cyber Risk

By Mark Sangster

For years, various government authorities and security experts warned the legal industry about the proverbial cyber target painted on its chest. And while a cornucopian crop of headlines bloomed about data breaches, most concentrated on major retailers or recognizable brands. Given nebulous breach-reporting legislation, data breaches at law firms remained below the press horizon. But you can only dodge so many bullets until one hits the industry square in the chest. Recently, the legal industry found itself in the spotlight as story after story about data stolen from law firms surfaced. And the media frenzy culminated when Mossack Fonseca became the poster child for hacked law firms and its leak earned the moniker of the Panama Papers.

If the multi-law firm hack story was the first shot over the bow, then the Panama Papers leak will become a torpedo. With a record-setting data heist and an enviable client list of who’s who in government, business and entertainment, the Panama Papers leak struck a chord and unequivocally confirmed that legal wasn’t just a target — it is the target. And it is a bellwether for an industry in a fugue, unable to conceive that its firms held anything of value; certainly not anything worth stealing. Well, it turns out that boring old shell companies and tax filings had a value.

Law Firms Are Full of Sensitive Data

It doesn’t matter the size of your firm. Large or small, your firm houses a treasure trove of sensitive data. From personally identifiable information (PII) to M&A transaction details to contracts and plans, every piece is desirable in the eyes of cybercriminals. Sure, larger firms have long felt that they’re not as vulnerable to attack. They’ve been confident in the technological defenses they’ve established to protect their sensitive data, and until recently they haven’t felt the need to question the efficacy of that technology.

Small- to mid-sized law firms are at even greater risk. Unlike their larger peers, smaller firms simply don’t have the budget and resources to allocate to internal IT management and technology investments. In many cases, these bootstrapped firms are lucky to simply have the most basic technology in place, such as anti-virus systems or firewalls. For these reasons, they’re perceived as an easy mark through the eyes of attackers, and widely recognized as a conduit to larger targets.

Hackers Focus on People, Not Technology

In addition to evolving risk vectors, the nature of attacks themselves has shifted. Attackers no longer fear technology because they know they can evade it. Recent successful breach events amplify that reality. Today’s popular attacks focus on something far more malleable than technology. They focus on people and their innate human nature. We all get busy. Dreadfully so. And it’s when we’re busy that we become careless, particularly when it comes to our e-mail inbox. This is when we’re most vulnerable to the epidemic that is e-mail spoofing.

Spoof e-mails have undergone a transformation. Once riddled with spelling errors and inaccuracies, malicious content today is cleverly veiled in glossy, seemingly legitimate corporate branding. The correct names are usually in the correct places, and the contents of the e-mail always appear reasonable and typical of interoffice or vendor communications. As a result, phishing and Business Email Compromise (BEC) are now big business for cybercriminals. The Ponemon Institute reported that large companies now spend an average of $3.7 million a year dealing with phishing attacks. See “2015 Cost of Data Breach Study.” All firms have become a desirable target for phishing and BEC attacks.
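The “correct names in the correct places” pattern described above is something a mail gateway or a firm’s security team can check for mechanically. What follows is an added example, not code from the article or from eSentire: it parses the From: and Reply-To: headers of a message, compares the display name against a constructed directory of internal senders, and flags three signals common to BEC lures: a known internal name on an external address, a sending domain one typo or visual substitution away from the firm’s own, and a Reply-To pointing somewhere other than the sending domain. The domain example-law.com, the directory entries and the sample messages are all constructed for the example.

```python
"""Display-name and lookalike-domain checks for inbound mail (added example).

Not code from the article: the internal domain, the sender directory and
the sample messages below are constructed for illustration.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-law.com"  # assumed firm domain (constructed)

# Constructed directory of internal senders: normalized display name -> mailbox.
DIRECTORY = {
    "jane partner": "jane.partner@example-law.com",
    "tom clerk": "tom.clerk@example-law.com",
}


def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  PARTNER' hits the directory."""
    return " ".join(name.lower().split())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch domains one typo away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _unskin(domain: str) -> str:
    """Undo common visual substitutions attackers use (rn->m, 0->o, 1->l, vv->w)."""
    return domain.replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")


def is_lookalike(domain: str, internal: str = INTERNAL_DOMAIN) -> bool:
    """True if `domain` impersonates `internal` without being equal to it."""
    d = domain.lower()
    if d == internal:
        return False
    return _unskin(d) == internal or _edit_distance(d, internal) <= 1


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_message(raw: str) -> list[str]:
    """Return the BEC indicators found in the headers of one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(addr)
    known_mailbox = DIRECTORY.get(_norm(name))
    findings: list[str] = []

    if from_domain == INTERNAL_DOMAIN:
        # Our own domain, but a mailbox that does not belong to that name.
        if known_mailbox and addr.lower() != known_mailbox:
            findings.append("internal-name-address-mismatch")
    else:
        if known_mailbox:
            # A partner's name on a webmail or typo-squat address: the classic lure.
            findings.append("display-name-spoof")
        if is_lookalike(from_domain):
            findings.append("lookalike-domain")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain_of(reply_addr) != from_domain:
        # Replies silently routed to a third domain are another BEC staple.
        findings.append("reply-to-domain-mismatch")
    return findings


# Constructed sample messages; only the headers matter for this check.
SAMPLES = {
    "legit": (
        "From: Jane Partner <jane.partner@example-law.com>\n"
        "To: tom.clerk@example-law.com\nSubject: Closing checklist\n\nAttached.\n"
    ),
    "webmail_bec": (
        "From: Jane Partner <jane.partner.office@gmail.com>\n"
        "To: tom.clerk@example-law.com\nSubject: Urgent wire today\n\nCall me.\n"
    ),
    "typosquat_bec": (
        "From: Jane Partner <jane.partner@exarnple-law.com>\n"
        "Reply-To: accounts@mail-relay.example.net\n"
        "To: tom.clerk@example-law.com\nSubject: Updated wiring instructions\n\nSee below.\n"
    ),
}


def scan_samples() -> dict[str, list[str]]:
    """Classify every constructed sample; a quick self-check when run stand-alone."""
    return {label: classify_message(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label:15s} {findings or 'clean'}")
```

Run stand-alone it prints a verdict per sample; in practice the directory would come from the firm’s address book and the findings would drive a quarantine or a warning banner rather than a print. The check complements SPF, DKIM and DMARC rather than replacing them: a message from an attacker-controlled domain passes all three cleanly, which is exactly why the display-name comparison is needed.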

Legislation and Guidance

Staggering breach cases are driving a larger conversation. At the micro level, cybersecurity is quickly becoming a paramount issue for firms, large or small. At the macro level, industry, national and governance discussions are turning their sights to the legal industry. The Cybersecurity Act of 2015, signed last December, and the U.S. government’s Cybersecurity National Action Plan (CNAP), announced this February, officially signaled the government’s resolve to guard the pillars of the U.S. economy from cyber threats and attacks. At a governance level, the industry is scrambling to ramp up frameworks and measurements alongside regulators like the SEC, which since 2014 has worked to establish regulatory compliance measures through a formal examination process and comprehensive frameworks.

The ABA, recognizing increased pressure from national compliance efforts and imminent threats from an unseen army of cyber attackers, has worked to architect a set of cybersecurity guidelines, as outlined in its 2014 Cybersecurity Handbook. The handbook has quickly become an indispensable tool for firms that don’t know where to start. It outlines several pillars of regulatory focus, including: gaining an understanding of what assets and sensitive data the firm has; who the regulators are; which threats are targeting the firm; what protection firms have in place to guard against attacks; what risks exist; and whether firms can demonstrate their cybersecurity claims.

Essentially, cybersecurity management can be divided into two clear buckets: the first focuses on policies and planning, while the second centers on the day-to-day mechanics of cybersecurity and what kinds of frontline defenses firms have in place to block or mitigate attacks.

Often, even tackling these questions can be a daunting task for firms, particularly those that don’t have an in-house team to answer them. Commissioning a full, independent security assessment is a good place to start. Security assessments are an effective way to evaluate your current security posture and identify gaps in your processes, programs and technologies. An independent security assessment not only helps firms build and augment their cybersecurity programs, but it also helps prepare a response for clients who will request an audit report detailing your firm’s posture. A security assessment provides the clear direction you need to build your program, policies and defense inventory. An assessment also benchmarks your firm against its peers, examining the kinds of threats targeting you and the security considerations that fit your organization based on those benchmarks.

The ABA’s Tech Report, released late last year, revealed that on average, less than half of responding firms have technology or security policies in place. With the number of vulnerable attack surfaces in any given firm, security policies are an essential first step when it comes to defending the firm. Just as critical are framework documents like the NIST Cybersecurity Framework, which fuses practices, guidelines and standards to protect critical infrastructure. The framework helps to prioritize and manage cybersecurity risk, and presents a sturdy platform for further policy and program development.

Security Areas to Address

Within data and network protection there are several vectors that should be addressed: security models, network assets, policies and procedures, data encryption, remote banking/transfers and mobile device management. The Tech Report found that 62% of respondents reported that their firm had not experienced a breach. But with so many threat surfaces, it’s unknown how many of those respondents suffered a breach and didn’t detect it. The Panama Papers case is a prime example; the firm claims that its mammoth data leak was the result of a year-old, undetected breach. One may assume that a firm like Mossack Fonseca would have fairly robust security in place, particularly given its top-tier client base. While the root cause of the breach hasn’t been reported, it has been speculated that the breach was the result of a sophisticated cyber-attack, one that cleverly evaded whatever perimeter defenses Mossack Fonseca had in place.

Conclusion

While the fate of Mossack Fonseca remains to be seen, lesser breaches have caused firms to shut their doors entirely. Universally, attorneys are fundamentally obligated to protect their clients’ confidentiality. By extension, firms are required to ensure that the technology they use in no way subjects client information to an undue risk of disclosure. Pair this with the breach cases impacting firms, and suddenly firms face greater pressure, more scrutiny and evolving regulatory implications. Clients are taking data protection into their own hands, running due diligence that requires firms to demonstrate the mechanisms they’ve built to protect sensitive data.

The legal industry was founded and is fueled by professionals driven by curiosity and the desire to ask “why.” Cybersecurity has gone from simply being IT’s problem to becoming everyone’s problem. If your firm doesn’t currently have cybersecurity initiatives underway, start the conversation. Ask the questions. Turn to your governance resources such as the ABA and leverage the tools they’ve created to drive momentum in your firm. Collaborate with peers through intelligence sharing forums like the Legal Services Information Sharing & Analysis Organization (LS-ISAO), which was founded to facilitate threat sharing amongst firms. The cybersecurity terrain is ever evolving. Consider this: Today’s fastest growing and most successful threats originate from a human culprit. You need human-driven defenses to stop them; technology simply won’t cut it.

Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that law firms integrate cybersecurity into their day-to-day operations. In addition to Mark’s role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves as a member of the LegalSec Council with the International Legal Technology Association (ILTA). He is also a member of this newsletter’s Board of Editors and may be reached at [email protected].

—❖—

Benefits and Risks of the Internet of Things

What Every Company Should Know

By L. Elise Dieterich

The buzz phrase “Internet of Things” is seemingly everywhere. What is it, what can it do for us, and what concerns does it present? More specifically, while the Internet of Things (IoT) presents tremendous opportunities for businesses, are there corresponding risks, or elements of the IoT that businesses should consider staying away from?

The answer to the benefits-versus-risks question is as simple — and as complex — as understanding the privacy and cybersecurity risks associated with any and all Internet-connected technology, be it your personal smartphone or an enterprise-wide software application hosted in the cloud. The IoT, because it connects and communicates via the Internet, is vulnerable to hacking and malware, the same as our e-mail and computers. IoT devices also present, however, specific benefits and risks that are important for every enterprise to understand.

What Is the IoT?

For starters, what exactly does the term IoT refer to? Like many buzz phrases, it depends on the user. A Google search serves up this definition: “a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” And indeed, most consumers interface with the IoT through connected devices such as wearable fitness trackers, connected televisions, or that “puppy cam” connected to their smartphone. For businesses, though, a more nuanced definition is in order.

The U.S. Department of Commerce (DOC) recently offered this: “IoT is the broad umbrella term that seeks to describe the connection of physical objects, infrastructure, and environments to various identifiers, sensors, networks, and/or computing capability. In practice, it also encompasses the applications and analytic capabilities driven by getting data from, and sending instructions to, newly-digitized devices and components.”

The Information Technology Laboratory at the National Institute of Standards and Technology (NIST), in a 2016 draft report released for public comment, posited that “the current Internet of Things (IoT) landscape presents itself as a mix of jargon, consumer products, and unrealistic predictions. There is no formal, analytic, or even descriptive set of the building blocks that govern the operation, trustworthiness, and lifecycle of IoT. This vacuum between the hype and the science, if a science exists, is evident.” Thus, the NIST report proposes “a common vocabulary to foster a better understanding of IoT” that assumes the IoT will typically be comprised of, at a minimum, a sensor, an aggregator, a communication channel, an external utility (a software or hardware product or service), and a decision trigger. Id. at 15.

A mundane example of this is the FitBit, which senses information about the wearer’s physical activity, aggregates that information over time, and communicates it to the wearer’s smartphone or computer, where the wearer can evaluate and act on the information. Sensor-driven devices operating in the IoT framework are all around us and range from connected cars and smart TVs to industrial controllers, inventory trackers, and implanted medical devices with Wi-Fi built in.

A More Straightforward Explanation

At root, the IoT is fairly straightforward: my device senses something and uses the Internet to communicate with me about it. Things get more complicated, though, when we take account of the fact that most connected devices require an intermediary — usually the hardware or software provider — and that intermediary typically also has access to our information. This FAQ on the website for Nest, a Google subsidiary that sells home IoT devices such as smoke detectors, video cameras and thermostats, illustrates the access that an IoT device provider can have to sensitive data when it asks “[d]oes Nest know when I’m home or not?” and answers “yes”: “Our products can detect when someone’s there, and we use information like this to make our products more thoughtful.” Nest reassures its users, however, that “[i]f you want to be more literal about it, no one at Nest or Google spends the day looking at a screen tracking if you’re home or not.”

With or without an intermediary, connected devices present unique vulnerabilities. A hacked “puppy cam,” for example, can give the hacker a view inside the owner’s home. And whereas the risks to e-mail and computers revolve primarily around data loss or misappropriation, the very functionality of an IoT device is at risk. A staged hack that shut down a Jeep Cherokee while traveling on the highway at high speed gained huge visibility last year when an article describing the hack was published in Wired magazine.

Although hacking a car is a sophisticated exploit and likely not a routine danger, the fact that it could be done alarmed both consumers and regulators, and highlighted the risks the IoT poses. Wired exposed another frightening connected device vulnerability last year, when it reported hackers had been able to override the Wi-Fi-enabled aiming system on a rifle. And, regulators have expressed life-and-death concern about the risks to medical devices connected to the IoT. The Food and Drug Administration in 2014 issued medical device guidance that includes the following statement: “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.” It has been reported that doctors disabled the IoT functionality of Vice President Dick Cheney’s pacemaker while he was in office, for just that reason.

Is This a Real Problem?

How pervasive are these concerns? DOC reports that “by 2015 there were around 25 billion connected devices. Devices now outnumber people by 3.5 to 1.” Even more astounding, “[i]t is expected by 2020 there will be up to 200 billion connected devices … .” DOC notes, further, that “thus far no U.S. government agency is taking a holistic, ecosystem-wide view that identifies opportunities and assesses risks across the digital economy,” although numerous regulatory agencies have addressed aspects of the IoT in some way.

To begin to remedy this lack of a holistic view, DOC published in the Federal Register on April 5, 2016, a request for public comments on “The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things.” 81 Fed. Reg. 19956-19960.

The broad scope of the questions set forth in DOC’s request for comments is indicative of the IoT’s reach, touching on technology, infrastructure, policy, and international considerations, among others. With regard to the privacy and cybersecurity concerns raised by the IoT, the DOC request for comments notes that: “A growing dependence on embedded devices in all aspects of life raises questions about the confidentiality of personal data, the integrity of operations, and the availability and resiliency of critical services.” Id.

Your enterprise may currently be using the IoT for functions as diverse as encouraging employee wellness through a FitBit program, managing inventory using RFID tags, tracking the location of company vehicles using GPS, and improving products through automated feedback from connected software or hardware products. Indeed, your company may be using the IoT in ways you’ve never thought about — for example, providing QR codes on your products that individuals scan with their smartphones to access information on your company’s website. Or, your enterprise may proactively be creating and marketing to consumers products that feature IoT connectivity as a selling point. The benefits of participating in the IoT are myriad, and include convenience, better and more timely data, and higher levels of engagement. Nonetheless, in all these instances, there are important privacy and cybersecurity pitfalls to be avoided.

Privacy Concerns

On the privacy side, IoT device consumers — be they individual or enterprise — should insist on knowing: 1) what data the device is collecting; 2) what data is being shared, and with whom; and 3) how consumers can control data collection and sharing. Purveyors of connected devices should have answers to these questions at the ready, and clearly communicate their data collection, use, and disclosure practices in privacy policies that are easily accessible to consumers. Collecting and using consumer data without informed consent is generally a no-no that can result in significant penalties, not to mention liability in the event of a breach of consumers’ information.

Cybersecurity Issues

On the cybersecurity side, the Federal Trade Commission (FTC) recently issued helpful guidance titled “Careful Connections: Building Security in the Internet of Things.” Here, the FTC recommends the following best practices for companies developing and selling IoT devices to consumers:

Encourage a culture of security at your company. Designate a senior executive who will be responsible for product security. Train your staff to recognize vulnerabilities and reward them when they speak up. If you work with service providers, clearly articulate in your contracts the high standards you demand from them.

Implement “security by design.” Rather than grafting security on as an afterthought, build it into your products or services at the outset of your planning process.

Implement a defense-in-depth approach that incorporates security measures at several levels. Walk through how consumers will use your product or service in a day-to-day setting to identify potential risks and possible security soft spots.

Take a risk-based approach. Unsure how to allocate your security resources? One effective method is to marshal them where the risk to sensitive information is the greatest. For example, if your device collects and transmits data, an important component of a risk-based approach is an up-to-date inventory of the kinds of information in your possession. An evolving inventory serves triple duty: It offers a baseline as your staff and product line change over time. It can come in handy for regulatory compliance. And it can help you allocate your data security resources to where they’re needed most. Free frameworks are available from groups like the Computer Security Resource Center of the National Institute of Standards and Technology, or you may want to seek expert guidance.

Carefully consider the risks presented by the collection and retention of consumer information. If it’s necessary for the functioning of your product or service, it’s understandable that you’d collect data from consumers. But be sure to take reasonable steps to secure that information both when it’s transmitted and when it’s stored. However, it’s unwise to collect or retain sensitive consumer data “just because.” Think of it another way: If you don’t collect data in the first place, you don’t have to go to the effort of securing it.

Default passwords quickly become widely known. Don’t use them unless you require consumers to change the default during set-up.

Conclusion

For enterprise consumers of IoT devices, these best practices provide a template for due diligence questions to ask regarding technology your company may be considering.

The goal of the enterprise participating in the IoT should be to maximize the benefits while minimizing the risk. Transparent and carefully tailored privacy practices, coupled with thoughtful and robust security measures, will go far toward achieving this goal.

Applying the FTC’s guidance, the device provider’s security culture should be such that the security of data collected by the IoT device is a primary consideration, baked into the design of the device, not an afterthought or an add-on. The device should collect no more data than is necessary for its functions, and the device provider should be clear about who has access to the data, for what purposes, and for how long. Security settings should be readily accessible, user-friendly, and easy to apply. Users should set their own, complex passwords, and protect them. And, consumers of IoT devices should insist on robust security, and avoid devices that fail to provide it, or are unclear about their security practices.

When incorporating IoT devices into critical functions (think of the car, rifle, and pacemaker examples) consider “worst case” scenarios, and have a disaster recovery plan. With these measures, enterprises can partake of the IoT’s benefits, without the risks keeping anyone up at night.

L. Elise Dieterich is a partner with Kutak Rock LLP and leader of the firm’s privacy and data security practice in Washington, DC. She is a member of this newsletter’s Board of Editors.

—❖—

FCC’s Proposed Data Privacy and Security Rulemaking for Broadband Internet Access Providers

By Alan L. Friel and Suchismita Pahi

In 2015, the Federal Communications Commission (FCC or Commission) issued its Open Internet Order, applying Section 222 of the federal Communications Act to broadband Internet access services (BIAS), and in doing so took jurisdiction over privacy and data security matters for Internet Service Providers (ISPs). At the same time, it declined requests by some advocacy groups to take jurisdiction over online service providers that do not offer broadband access, even if they offer services that, in some ways, arguably look like those of a communications provider — so-called “edge networks” like Facebook, Google, and Yahoo. Indeed, doing so would have stretched the Commission’s jurisdiction even beyond the significant expansion required to regulate BIAS.

Having taken on BIAS, the Commission needed to address the fact that the FCC’s privacy and data protection regulatory scheme was designed for traditional telephone carriers, and the expanded jurisdiction necessitated refinement of the approach to address BIAS and the different kinds of data involved in data services as opposed to telephone services. On March 31, 2016, the FCC issued a Notice of Proposed Rulemaking (NPRM) in proceeding 16-39 (In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services) for the privacy and data security regulatory scheme for ISPs. In short, the proposal would create a very burdensome privacy protection scheme that applies to BIAS but to no other types of online services.

As a result, BIAS providers will have a much more difficult time providing interest-based advertising and other services that take advantage of big data, even if in doing so they can provide consumers lower-cost broadband. Much of the proposal calls for express opt-in consent to ancillary use and sharing of consumer data, but the Commission questions whether some practices, like exchanging discounts for consent, should be banned outright.

Key Aspects of the NPRM

The NPRM would regulate customer proprietary information (customer PI), defined as both customer proprietary network information, which the NPRM proposes to expand beyond the telephone services definition to include any information the provider collects or accesses in connection with provision of BIAS, including service and traffic data, IP addresses, device IDs, and other unique identifiers, and personally identifiable information (PII) collected by the BIAS provider, which also includes unique identifiers. Unlike for telephone services, directory data and phone numbers are not exempt from restrictions.

BIAS providers must offer transparency through privacy policies that explain data collection, use and sharing, and the consumer’s choices. Great detail is given about how and when this must be done.

Choice is the most controversial aspect of the scheme. The NPRM would require explicit opting in for all but the most narrow use and sharing:

Consent is implied for use and sharing that is necessary to provide broadband (but not ancillary) services — “for example, to ensure that a communication destined for a certain person reaches that destination.”

Providers and their affiliates that provide communications services may use customer PI to market (but not to provide) communications-related services (but not ancillary services like edge network services), subject to the customer’s ability to opt out of such use and sharing.

All other use and sharing requires explicit opt-in consent, obtained subsequent to the sale (i.e., subscription to BIAS services) and prior to the first use or disclosure requiring opt-in consent. Although the FCC invites comment on the details of how opt-in consent should work, the NPRM proposes that providers notify consumers at the time consent is sought “of the types of customer PI for which the provider is seeking customer approval to use, disclose or permit access to; the purposes for which the provider is seeking customer approval to use, disclose or permit access to; the purposes for which such customer PI will be used; and the entity or types of entities with which such customer PI will be shared.”

The NPRM proposes specific data security practices based on the HIPAA Security Rule (including assessments) and breach notification obligations for BIAS providers.

A Targeted Approach

Rather than taking a flexible approach based on key data privacy and security principles and concepts of reasonableness and consumer expectations, the FCC’s proposed regulatory approach is very specific, limits data usage and sharing absent consent, and requires very detailed data security and breach notifications. It proposes to mandate express opt-in consent for types of data usage, such as interest-based advertising, that edge networks and other online services that do not offer broadband will not have to follow.

The FCC’s approach differs significantly from the technology-neutral approach to privacy and data protection of the Federal Trade Commission (FTC), which had historically been the sole privacy and data protection regulator for BIAS. The FTC’s authority to regulate privacy and data protection under Section 5 of the FTC Act is limited to prohibiting deception and unfairness, with unfairness requiring a consumer injury not outweighed by benefit to consumers or competition. As a result, the FTC’s approach is to prohibit express misrepresentations concerning data practices and to look at reasonable consumer expectations under particular circumstances to determine whether a practice is implicitly deceptive absent notice and/or consent.

Consent, even when necessary, may typically be in the form of opting out, except for highly sensitive

information. The FCC, however, arguably has much broader authority, and the proposed rules exercise

that putative authority in creating a new sectorial privacy and data protection scheme for ISPs where the

default is limitation on data usage and sharing absent consent, which is proposed to be opt-in consent for

all but the most limited circumstances. Further, the FCC proposes that such consent must be separate from the consumer’s subscription agreement and potentially may not be bargained for by offering discounts.

As noted in dissents by Commissioners Pai and O’Rielly, the result will be vastly different rules for different types of online services, with consumers being subject to different privacy principles and data protection schemes depending on the type of platform and service they are using online. The practical impact will be to put BIAS providers at a competitive disadvantage relative to non-BIAS providers in digital advertising, which relies on targeted consumer data, and in other emerging commercialization of big data. As Commissioner O’Rielly concludes, “applying heightened standards to one segment of the Internet economy will hamstring competition with the largest users of consumer data.”

Conclusion

The FCC’s proposals would result in BIAS providers having constraints on their data practices, such as

those related to interest-based advertising, that do not apply to other digital service providers like Google

and Facebook, at least to the extent they remain edge networks. To the extent BIAS providers want to

compete on an equal footing with edge networks, should the rulemaking take effect as proposed, they

would need to segregate their BIAS and non-BIAS service offerings and related data. Further, the FCC’s approach to privacy reflects a California-style or European-style approach to what is treated as protected data and the level of consent required to collect, use, and share such data. The comment period for the proposals ended May 27, 2016, and reply comments are due by June 27, 2016.

Alan Friel, CIPP and CIPM, is a partner at Baker Hostetler in its Los Angeles office and a member of

the Board of Editors of Cybersecurity Law & Strategy. He may be reached at [email protected].

Suchi Pahi is an Associate in the Houston office of Baker Hostetler. She practices privacy and security

law, and can be reached at [email protected].

—❖—

International Cybersecurity Compliance Concerns

By Steven Rubin and Stephen Milne

Compared with the rest of the world, the United States has historically taken a more open approach to information. Social media has made even the most mundane and possibly personal pieces of data available to many with the press of a finger. Such open relinquishment of private information is almost assumed and has become part of American culture. Those who think about how easy it is to access data understand how their own data has become part of the searchable cyberspace.

European culture and laws are different. Privacy rights are assumed, information confidentiality is maintained, and the United States concept of “discovery” is scorned. There is a concern that sensitive European data should stay outside of the United States because the protection of such data in the United States is not sufficiently strong. It is therefore not a surprise that the laws in the United States and in Europe are inconsistent when it comes to cybersecurity.

Cybersecurity Law in the United States

The most significant piece of federal legislation in this area is the Cybersecurity Information Sharing Act (CISA), passed in December 2015 as Division N of the omnibus spending bill (the Consolidated Appropriations Act, 2016). The purported purpose of the Act is to promote information-sharing between the government and the private sector on cybersecurity issues and new threat vectors. The idea is that industry is sometimes aware of new viruses or other technical threats but does not share the information with the government, which could otherwise protect itself and/or inform the public. CISA creates a voluntary means for companies to share their threat data with the government.

There are problems with sharing this information. While the act of sharing appears to be protected by

statute, the underlying problem may not be. If I see a threat to my system, I could tell the government

about that threat and the act of telling would not create a new cause of action. But, the law is not clear as

to whether that sharing could then lead to a lawsuit relating to the cause of the sharing. Stated another

way, I can tell the government I have a virus, and telling the government should not in itself expose my

company to liability. But, I could later get sued for failing to comply with certain cybersecurity

requirements because my system was infected with a virus and I did not take proper steps to protect the

data.

So, trying to comply with United States laws alone creates a dilemma. But if you consider complying

with CISA, you may also expose yourself to legal issues in Europe.

European Laws on Cybersecurity

Disclosure of personal data (capable of being used to identify a living person either on its own, or in

conjunction with other data in the possession of the person controlling how the data is used) relating to

EU nationals could cause serious potential issues in light of recent developments overseas. Previously

(before January 2016), many organizations relied upon the approved “Safe Harbor” regime framework

developed by the Department of Commerce (DoC) in the United States and the European Commission,

under which organizations could self-certify that they adhered to its principles. The certifying company gave binding promises that it complied with the framework’s privacy requirements and provided protections for personal data that were sufficiently high that transfers of personal data from the EU to the United States would be permissible under the applicable Data Protection Directive (the Directive).

However, the Safe Harbor regime has suffered a huge blow by virtue of a recent decision in the Court of

Justice of the European Union (CJEU). See, Maximillian Schrems v. Data Prot. Comm’r,

ECLI:EU:C:2015:650, CJEU 6 Oct. 2015, Case C-362/14. Maximillian Schrems was an Austrian citizen

who had been a Facebook user since 2008. Facebook habitually transferred some data provided by its EU-

based subscribers from its Irish subsidiary to servers located in the United States. Schrems lodged a

complaint with the relevant supervisory authority in Ireland on the basis that the law and practice in the

United States did not provide sufficient protection in relation to his data.

Initially, Schrems’ complaint was rejected, particularly on the basis that the Safe Harbor regime ensured

sufficient protection. However, on referral to the CJEU, the court held that the powers available to

national supervisory authorities cannot be eliminated just because the European Commission originally

decided that the Safe Harbor scheme provided such protection. The authority must look at the situation

independently and determine whether the transfer of a person’s data to a third country complies with the

requirements of the Directive.

The CJEU then proceeded to consider the fact that public authorities in the United States are not subject to the

Safe Harbor scheme. Further, national security, law enforcement and public interest all may prevail to the

extent that a United States entity holding or processing data may be forced to ignore the requirements of

the Safe Harbor scheme where it conflicts with any of the foregoing. As a result, data would not be

protected in such circumstances and there were no clear limitations or restrictions on the public

authorities’ abilities.

In addition, there was no clear ability for individuals to pursue legal remedies in order to access their data

or to have it rectified or erased, which the CJEU viewed as inherent in the existence of the rule of law and

as compromising “the essence of the fundamental right to effective judicial protection.” The CJEU

therefore held that the original European Commission decision that Safe Harbor privacy principles

provided adequate protection was invalid — effectively nullifying the Safe Harbor option.

What Now?

The Safe Harbor route is no longer a valid basis upon which personal data can be transferred from the

European Union to the United States. But, there is not yet clear guidance as to what will replace it.

Indeed, different data protection authorities (DPAs) have been taking different approaches to this

evolving situation.

For example, the Information Commissioner’s Office (ICO), the supervisory data protection authority for

the United Kingdom, has been advocating that continued use of the Safe Harbor principles may still be a

sensible proposition in the interim. The ICO further indicated it will not take enforcement procedures

until an approved alternative to Safe Harbor has been determined. However, this guidance is not legally

binding and the ICO is keen to reiterate that companies need to review their compliance processes and

procedures.

This approach has been somewhat reflected in guidance from the Spanish regulator, which has indicated

that it will not rush to take enforcement action against companies provided they are working on

appropriate proposals and arrangements to ensure adequate protection of personal data. However, in stark

contrast, the data protection authority in Hamburg, Germany has already made it public that it does not

expect organizations to continue relying upon Safe Harbor and that it will take immediate enforcement

proceedings against any that do continue to transfer personal data outside the EU in this way. Such proceedings could lead to fines of up to €300,000 (roughly U.S. $340,000) per violation.

Some Proposed European Solutions

The Article 29 Working Party (which is made up of representatives from the data protection authorities of

the EU states) recently confirmed that it views use of binding corporate rules and model contract clauses

as valid options to enable the transfer of data from the EU to the United States.

Binding Corporate Rules are essentially rules operated by an organization that put in place adequate

safeguards for protecting personal data in line with the Article 29 Working Party’s requirements. They are

not, however, a quick fix — as such rules require an application to, and approval from, the relevant data

protection authority via a relatively cumbersome design and implementation procedure, which usually

takes in the region of 12-18 months.

Model contract clauses are, on the other hand, considerably easier to implement provided both parties are

in agreement. These provide for an approved set of contractual obligations that eliminate the requirement

for the transferee of data to make their own assessment regarding the adequacy of the protections

provided. There are different sets of clauses depending upon the parties’ relationship and what they do

with the data.

A further possibility is to obtain express consent to the transfer of the data. However, even the more

relaxed data protection authorities are closely scrutinizing this route to effecting transfers, as the key

concern is whether consent is specific enough for what is happening to the data and whether it provides

any real protection to the individual. Much has been made in recent months of high-profile examples of

data having been harvested from individuals on the back of a generic data consent and having then been

retransferred, reused and resold multiple times in manners the individual who gave “consent” could not

possibly have anticipated. Consent on its own may well not be enough.

Privacy Shield

The European Commission and the DoC have agreed upon a new arrangement, known as the “Privacy

Shield,” as a replacement for the now defunct Safe Harbor scheme. The Privacy Shield is in fact a

collection of principles including:

Choice: Individuals will have the ability to opt-in or out as far as sensitive data is concerned, as

regards third-party marketing and in relation to any new use of their data which was not initially

contemplated.

Notice: Individuals must be informed of their rights, the principles of Privacy Shield, and given a

contact for complaints. They must also be given details about sharing and disclosure of their data

(including public authorities), and organizations will have to confirm their liability for data

processing.

Accountability: Organizations will be required to put in place formal, written contract

arrangements for onward transfers of data to other controllers or processors (with only limited

exceptions).

Security: Security measures must be implemented that are reasonable based on the nature of the

processing and the personal data being processed.

Integrity and Limitation: Data will have to be kept up to date and accurate, and data collection

will have to be limited strictly to what is relevant in the circumstances.

Access: Individuals will have the right to access their data and to require its correction and/or

deletion (unless the cost of doing so would be overly burdensome).

Recourse/enforcement: This is one of the crucial proposals and it provides for a free means of

recourse for individuals to be provided by the organization with the ability for individuals to

escalate complaints to local data protection authorities if the issue is not satisfactorily dealt with.

If that does not resolve the matter, then there is even scope for individuals to potentially initiate

arbitration claims.

Although intended implementation for Privacy Shield was set for June 2016, there are still a number of

criticisms being leveled by both politicians and commentators, so implementation will likely be delayed.

In addition, the General Data Protection Regulation is upcoming (albeit not applicable until May 2018), and it will bolster both the EU data protection authorities’ powers (including the ability to impose fines of as much as 4% of global annual turnover for breaches of data subjects’ rights) and their likelihood to crack down on enforcement.

Conclusion

Each organization needs to review its current compliance arrangements and re-evaluate on the basis of the

above issues, implementing sensible interim solutions, at least, to avoid falling foul of the more

aggressive data protection authorities and their willingness to impose potentially sizeable fines.

Steven Rubin is a partner with Moritt Hock & Hamroff LLP in New York where he serves as Chair of

the firm’s Patent practice group and as Co-Chair of its Cybersecurity practice group. Stephen Milne is a

consultant with Memery Crystal LLP in London where he focuses on business law and commercial

contracts, including outsourcing, agency and distribution agreements, joint ventures, tender responses,

franchising, marketing, introduction, reseller and maintenance and support agreements and key ancillary

issues such as data protection and cybersecurity.

—❖—

EU Cybersecurity Directive Update

By André Bywater and Jonathan Armstrong

Cyber attacks and IT security breaches are being constantly reported (the “Panama Papers” being the

most recent spectacular example), and almost certainly represent just the tip of the iceberg. No one can

doubt that cybersecurity is a very significant global issue with cybercrime a major international menace

— any statistics about these issues always make for grim reading.

In the European Union (EU) a number of EU Member States already have some sort of national

cybersecurity rules in place, but there is nothing uniform at an EU-wide level and so the EU is

introducing new rules aimed at redressing this gap in the form of the (European Commission proposed)

“Directive of the European Parliament and of the Council concerning measures to ensure a high common

level of network and information security across the European Union” (EU Cybersecurity Directive,

sometimes also referred to as the NIS Directive).

At the end of last year, high-level EU political agreement was reached on these rules and their finalization

is now awaited. This article sets out in brief the main features of these forthcoming rules.

Why Should Businesses Be Concerned?

The EU Cybersecurity Directive is mainly aimed at EU Member States in that it requires them to improve

both their national cybersecurity capabilities and cooperation between them on cybersecurity. But, the

new rules will also affect businesses because appropriate security measures will need to be put in place

and incidents will have to be reported to national regulatory authorities by providers of critical services,

and of certain digital services. It must be emphasized that these new rules do not impose breach notification obligations on everyone, unlike the recently published EU General Data Protection Regulation (GDPR; to be fully applied from late May 2018), which imposes mandatory notification of personal data breaches to a regulator (without undue delay and, where feasible, within 72 hours) on all controllers, unless the breach is unlikely to result in a risk to individuals.

What Are the Components of the New Rules?

The forthcoming rules can in effect be divided into the following three components.

First, EU Member States will have to adopt a “Network and Information Security” (NIS) strategy, designate a national NIS regulatory authority, which must be adequately resourced to be able to prevent, handle and respond to NIS risks and incidents, and set up “Computer Security Incident Response Teams” (CSIRTs) to handle incidents and risks.

Second, an EU cooperation mechanism will be set up between the EU Member States and the European

Commission to share early warnings on risks and incidents through a secure infrastructure, which will

include a network of “Computer Security Incident Response Teams.”

Third, affected organizations will be required to assess the risks they face and adopt appropriate and

proportionate measures, and, report to regulators major security incidents on their core services.

What Sectors Will Be Affected?

Two categories of sectors will be affected.

First, organizations in the following “Operators of Essential Services” sectors will be covered under the

EU Cybersecurity Directive: energy (electricity, oil, and gas); transport (air, rail, water and roads);

banking (credit institutions); financial market infrastructures (trading venues and central counterparties);

health (healthcare providers); water (drinking water supply and distribution); digital infrastructure

(Internet exchange points (which enable interconnection between the Internet’s individual networks),

domain name system service providers, and top level domain name registries).

It will be up to the EU Member States themselves to identify these operators specifically (upon

implementation of the EU Cybersecurity Directive into national laws) on the basis of specific criteria,

significantly for example, whether the service is essential for the maintenance of critical societal or

economic activities.

Second, key digital businesses, called “Digital Service Providers,” also fall under the EU Cybersecurity

Directive, in the following areas: Online marketplaces, which allow businesses to set up business on the

marketplace in order to make their products and services available online; cloud computing services; and

search engines. In contrast to “Operators of Essential Services,” Member States will not designate

particular businesses as “Digital Service Providers.” The new rules will apply to all entities falling within

the definition of “Digital Service Providers” set out in the EU Cybersecurity Directive, throughout the

EU.

It appears that, on the one hand, “Operators of Essential Services” will be required to ensure that systems

that they use to provide their critical services are “robust enough to resist cyberattacks,” while on the

other hand, “Digital Service Providers” will only be required to ensure that their infrastructures are

“secure.”

Both “Operators of Essential Services” and “Digital Service Providers” will, however, be required to

report major security breaches to the EU Member State regulators in question.

Please note that the sectors involved still need to be confirmed under the final version of the EU

Cybersecurity Directive — micro and small digital companies, and, social networks, will likely be

exempt. It still remains to be seen in the final version of the EU Cybersecurity Directive to what extent

the new rules will apply in the same way or differently to “Operators of Essential Services” and “Digital

Service Providers.”

The European Commission’s FAQs on the original proposal (discussed further below) also state that the national regulatory authority in question may require that the public be informed about incidents. Public announcement is not mandatory under the EU Cybersecurity Directive, but this will need to be confirmed in the final agreed version.

Are Internet Service Providers or Network Owners Affected?

These organizations are already reporting incidents under the risk management and incident reporting

obligations under other EU rules, namely the so-called EU Telecoms Framework Directive.

Who Is Exempted from the Reporting Obligations?

Hardware manufacturers and software developers are exempted from the risk management and reporting

obligations. The same applies to specific sectors or sub-sectors, for example insurance, and, food supply.

Will Every Incident Have to Be Reported?

No, according to the European Commission FAQs issued with the original proposed EU Cybersecurity

Directive in 2013. This states that only incidents that have “a significant impact on the security of core

services provided by market operators and public administrations will have to be reported to the

competent national [regulatory] authority.” By way of examples, the FAQs provide the following: “an

electricity outage caused by an NIS incident and having a detrimental effect on businesses; the

unavailability of an online booking engine that prevents users from booking their hotels or of a cloud

service provider that inhibits users to get access to their content; the compromise of air traffic control due

to an outage or a cyber attack.”

Will Incidents Have to Be Reported To 28 EU Member States’ Systems?

According to the European Commission FAQs issued with the original proposed EU Cybersecurity Directive, common reporting systems will be developed through implementing measures for the EU Cybersecurity Directive. Specific templates might also be developed by the European Network and Information Security Agency (ENISA), the EU agency whose general objective is to improve network and information security in the EU, and which has already brought together national regulators to develop harmonized national measures for risk management and incident reporting under the EU telecoms rules.

What Are the Next Steps?

The EU Council and the European Parliament need to formally approve the new rules, which may occur

before this summer.

Once the EU Cybersecurity Directive is finally adopted at the EU level, EU Member States will have to transpose it into national legislation within 21 months and, as mentioned, officially identify “Operators of Essential Services” from the sectors in question within a further six months. The EU Member States will also have discretion as to what sanctions to apply for breach of the EU Cybersecurity Directive as implemented under national rules. The original version of the EU Cybersecurity Directive stated that when there is a security breach involving personal data, the sanctions for infringing it must be in line with sanctions imposed under the GDPR. As mentioned above, the GDPR has now been published and its financial sanctions are set at a very high rate (a maximum of €20 million or 4% of total worldwide annual turnover, whichever is higher), so it will be important to see whether this aspect of the EU Cybersecurity Directive is maintained.

Despite the aim of having EU-wide rules in place, because the legislative format being used is a Directive, there will inevitably be a degree of divergence on some aspects, such as the point indicated above concerning public announcements about incidents. This said, divergence might be mitigated at least as regards risk management and incident reporting for “Digital Service Providers,” as it is expected that this work will be developed by ENISA, with the involvement of stakeholders, at a later stage.

What Preparation Is Needed?

Businesses that are likely to be affected may be asked in the individual EU Member States to take part in a consultation before the EU Cybersecurity Directive is implemented into national law. Those businesses that are likely to fall under the new rules could start to prepare by undertaking the following actions: alert the Board about the incoming EU cybersecurity regime and plan resources to address it; set up procedures to address risk assessment, crisis management response, internal investigation (guided by legal counsel) and incident reporting; update and/or revise policy documentation; undertake training; re-evaluate and/or prepare a press strategy in the event of an IT security breach; and either reassess existing cyber insurance or take out a new policy. Also, businesses doing business with “Operators of Essential Services” and key “Digital Service Providers” will have to consider how to factor in any possible downstream effects on them.

André Bywater and Jonathan Armstrong are commercial lawyers with Cordery in London, UK, where

they focus on regulatory compliance, processes and investigations. Reach them at

[email protected] and [email protected].

—❖—

Measure to Manage: Understanding and Using Data to Affect Firm Change and Client

Relationships

By Justin Hectus and Peter Zver

Organized and meaningful data has been leveraged in progressive organizations for years, but now that data and information are highly accessible and easily consumable via the ever-expanding digital mesh, enterprise-level expectations and the related legal business impact have been elevated. With this new reality come many questions: What data should we collect? What needs to be measured? By whom? And how can metrics and key performance indicators (KPIs) not only effect change but provide a common communication and measurement base for firms, their clients, and technology suppliers alike? Recently, I (Director of Information at Keesal, Young & Logan (KYL)) and Peter Zver (Tikit North America’s President) had the opportunity to present a business information “measure to manage”-themed educational panel session as part of ALM’s 12th Annual Law Firm Chief Information & Technology Officer’s Forum (CIO Forum). Our panelists, including Casey Flaherty, industry pundit and founder of Procertas, Google’s head of legal operations Mary O’Carroll, and Tikit’s customer value engineer Ryan Steadman, discussed how to best organize and use data in ways that are useful to attorneys, firms, and clients, while promoting positive behavioral change that impacts the bottom line and client relationships. Specifically, we drilled down into real-world “measure to manage” examples including time data, system utilization, technology proficiency, client KPIs and pricing.

This article takes into account Peter’s (PZ) technology innovator perspective and my (JH) law firm

technology and operations experience as it relates to the panel session. In my additional role as this year’s

CIO Forum Chair, I wanted to make sure to go beyond law firm concerns and challenges and focus on

what in-house legal operations professionals are looking for in terms of law firm service delivery. The

topic of baseline metrics that can be measured and subsequently managed and leveraged across the legal

ecosystem definitely fit this core objective.

PZ: Technology vendors need to claim responsibility when it comes to meeting firms’ client demands.

How can we leverage technology to contribute to overall client efficiency and what are some proven,

objective metrics that can help create win-win-win scenarios?

Benchmarking and Measuring the Basics

JH: From the law firm perspective, one of the most interesting things about what’s going on in the

landscape of metrics is that while there is ample ability to measure big data and analyze the complexities

of enormous data sets, many firms are overlooking the mundane repetitive tasks which, if optimized, can

have a big impact in terms of cost efficiency. For example, at KYL, we look at usage across all

applications and can determine who is using which applications, how much, and how well. If our

attorneys are knee-deep in a specific set of applications, we can custom tailor training to ensure that they

are using those technologies to the greatest effect, often resulting in certification. Instead of relying on

perceptions, we can use this new data reality [what’s actually happening vs. where usage and productivity

should be based on client expectations] and develop a measured action plan. This “360 perspective” really

provides a clear picture and road map ahead. So, even though there are a lot of really fancy tools we can use and amazing things we can do with metrics and data analysis, there is considerable value to be had from just measuring baseline technology use and maximizing usage and effectiveness.

For us, it goes beyond investing in technologies that our clients want us to use and into listening to recent

client feedback (via RFPs, Outside Counsel Guidelines, and one-on-one conversations) focused on

increased technology proficiency. Progressive clients expect us to validate that our attorneys have the

requisite skills to effectively leverage the best technology available, and now we’re seeing client-driven

technology audits similar to risk assessments focused on an objective confirmation that our timekeepers

are making the grade.

Designing to Measure

PZ: As a legal technology company, our focus on metrics has effected change for our clients, starting with how our clients interface with our technology. Here’s some reverse-engineering logic to help explain: the metrics are really a derivative of good data; good data is the derivative of good-quality input by users; and that input is in turn the result of a good user interface and user experience (UI/UX).

As illustrated by this example, the needs of the law firm and how they will interact with specific

technologies are vital aspects of product development. Essentially, that’s what brought about our latest next-generation timekeeping software. We had to consider the various consumer-centric user personas

right from the beginning so that we could develop technology that would not only address firm

timekeeping productivity needs but also provide value to the law firm-client relationship in the form of

metrics and KPIs that demonstrate billing transparency and accountability. Getting back to the reverse-

engineering paradigm, we had to start at the user engagement level — how would each user interact with

the application, on which platform? This goes back to creating the appropriate UI/UX which in turn

prompts engagement which prompts good data and accurate metrics. Now, law firms can take these

accurate metrics directly to their clients and demonstrate their service commitment and focus on

transparency.

We have learned over time that proper metrics measurement relies heavily on knowing your audience,

how they consume information and in turn delivering it in the proper format.

In the old days, consumption was easy. You would print out a report and put it on someone’s desk and

that was the route to transmitting information and creating specific action. Today, you have a

smorgasbord of endpoints that can be leveraged when looking to engage your users, so the $64,000

question becomes: “what are the 5-10 most popular endpoints and how can we create a user experience

that drives firm staff engagement?”

Impactful Law Firm Metrics

JH: The most important thing when you’re trying to determine where to improve operations is starting with a real-time picture of where you are. Once you can get deep into the data, you can confirm suspicions as well as learn new things that maybe you didn’t know before about usage patterns and the direct correlation between things like realization rates and billing hygiene or technology proficiency. From there, it is important to create transparency so that you connect the dots between what’s in the best interest of the client, which is objectively the most important thing, and what the end users are doing. In terms of users’ technology expertise, you can allow people to develop their own path to get to where they should be or you can help them do that with very personalized one-on-one training. Ultimately, it goes back to the same theme of “if you don’t measure, you don’t know.”

Metric Futures

We strongly believe in a “back to the basics” approach when it comes to determining where to start with data analysis and measurement. Don’t get blinded by shiny metrics and complex analytics at the expense of missing the mundane but major “low hanging fruit”: current behavior and engagement patterns that, with moderate tweaking of technology, processes and training, can yield significant gains. In a critical application area like timekeeping, it might come down to providing firm users with an application interface that best corresponds with how they work and interact with technology, ultimately leading to better quality time data. For an MS Office power-user, it could mean a targeted training regimen focused on maximizing productivity based on how they are currently using specific features and functions.

The same approach is equally effective in the areas of e-discovery and knowledge management. Effective use of these common apps increases quality and consistency and reduces overall cost to the client. From a technology development standpoint, this requires understanding user personas, user engagement and how our consumer-driven professionals will best interact with specific applications. None of this is possible without measuring the baseline, in order to determine where firm users are and how technology, processes and common sense can take them to the next level.

Justin Hectus is the director of information at Keesal, Young & Logan, where he oversees a variety of operational functions including the direction of the firm’s IT vision, strategy and execution. A member of this newsletter’s Board of Editors, Hectus is a two-time ILTA Distinguished Peer Award winner. Peter Zver is the president of Tikit North America and has been serving the legal technology market for over two decades. His background in information systems and finance and his experience running technology companies have enabled him to collaborate with law firms globally on delivering time and knowledge management solutions to users.

—❖—

e-Discovery and Security

The Inevitable Reinvention of the e-Discovery Industry

By Jared Michael Coseglia

The e-discovery industry is on the precipice of major change yet again, and this time it is all about security. What will distinguish the winners from the losers in the next few years will be an organization’s ability to do one of three things: consolidate, innovate or reinvent.

Consolidation is clearly the strategy of larger service providers like DTI, Epiq and Consilio, which now sit atop the “revenue castle” as the biggest players in the space. Innovation remains a viable option, especially for up-and-coming companies with proprietary cloud technology like Everlaw’s Disco, Driven’s One or Logikcull.

The innovation angle may be more challenging, however, for middle-market e-discovery vendors (roughly $30-$60MM/year), which do not want to sell to larger companies and are entrenched in Relativity service. These providers, as well as some law firms who still use Relativity to generate profit for the firm, are wisely fearful of what kCura directly offering “a Relativity license through kCura using Microsoft Azure to deploy on a cloud infrastructure” will do to their businesses. A third option for growth (or survival) is reinvention.

This article delves into the evolving landscape of law firms, corporations and service providers in regard to their e-discovery practices and businesses, and explores what an organization needs to do to stay competitive and profitable in today’s new security-centric environment.

What Are We Evolving Into?

At the 2016 ACEDS (Association of Certified eDiscovery Specialists) Conference held in New York City, an entire day of preconference education and demonstration was fully dedicated to “cybersecurity for legal professionals.” In fact, over the course of the three-day conference event, there was as much focus on topics of security, information protection and governance and privacy as there was on what the community typically considers e-discovery topics (project management, legal analytics and rule changes affecting the practice of law).

Craig Ball, a thought leader in the e-discovery space for decades, gave an incredibly vibrant presentation, “The Crystal ‘Ball’: A Look into the Future of e-Discovery,” in which he stated that “e-discovery will be as much about privacy, security and information governance in the future” as it will be about all the traditional aspects of EDRM that we have come to accept as standards. Our ALM sibling, Legaltech News, has published numerous surveys and reports in the last few months stating that, among other things, “corporate cybersecurity spending will increase 38% over the next 10 years” and “80% of [law firms] consider cybersecurity and privacy one of their top 10 risks” in 2016 and beyond. The evolution is clear: With continued e-discovery price compression, commoditization and consolidation, the next frontier for all legal technology professionals is matters of cyber risk, security solutions and privacy.

Service Provider Reinvention

There is no doubt that consultancies are the front-runners, bolstering and recalibrating their talent force to compete in the cybersecurity space. More practice groups have been developed and leadership hired with a focus on legal security and privacy in the last year than in the five years prior combined. The consultancies are generally pulling their leadership-level cyber talent from two places: corporations and the federal government.

This is a huge departure from where e-discovery companies and consultancy divisions are acquiring talent, which has become almost entirely from each other, occasionally from law firms or corporate clients and almost never from government agencies. High-end hiring in e-discovery at service providers is more about drawing talent for revenue and relationships than it is about subject matter expertise, since there is a far greater saturation of those skills in the legal market than ever before. However, when it comes to cyber staffing and talent augmentation, hiring motivations are entirely about expertise, with the belief in the potential of those leaders to eventually drive revenue through new relationships and perhaps existing relationships they developed in their government positions.

Consider some of the recent hires by some of the largest consulting firms in the country: K2 Intelligence, “an investigative and integrity consulting firm founded in 2009 by Jeremy M. Kroll and Jules B. Kroll, the originator of the modern corporate investigations industry,” recently brought Austin Berglas over as the senior managing director and head of U.S. Cyber Investigations and Incident Response. Prior to K2, Berglas spent just under 20 years at the FBI focusing on cybersecurity. Navigant Consulting just hired Bob Anderson in January 2016 after a 21-year run at the FBI culminating in his appointment as executive assistant director (EAD) of the Criminal, Cyber, Response and Services Branch.

The list goes on and will continue to do so as consulting firms look to the FBI, CIA and other elite government entities to transition experts out of potential retirement and into the private sector. There is simply no talent quite like the talent at such agencies when it comes to expertise in combating cyberwarfare and defending against data theft and intrusion.

This year through 2018 will mark a peak period of opportunity for federal thought leaders in cyber to matriculate into leadership roles at large global consulting firms; however, traditional e-discovery vendors who may see the cyber arena as tangential to their business as opposed to mission critical may be well-advised to consider bolstering their staff and imagining a future where these services don’t just command a premium, but are a requirement to win business with larger global corporations and law firms.

Middle-market e-discovery providers can best begin to mature their staff and services with an eye toward security in their forensic collections division. Forensics is the intersection between e-discovery and cybersecurity careers and offerings. Kevin Treuberg, national director of forensic services at CDS Legal in New York, makes a key observation regarding e-discovery forensics and cybersecurity forensics: “Back when I began in the industry, computer forensics and cybersecurity were one and the same. A technician was capable of straddling both disciplines: able to investigate the most complex data breaches plus identify the actors responsible. With the advent of ‘push-button computer forensics’ in the early 2000s (due to the proliferation of advanced computer forensics software solutions), there was a demand for technicians [who] were strictly focused on the static environment of computer forensics without the focus on network intrusion analysis.” Treuberg goes on to profess that “in today’s environment, you now need to be able to identify and react to threat vectors both on the network and static fronts to best serve your clients.”

While some midmarket e-discovery vendors may still see forensics as “collections” and a means to serve their processing and hosting businesses, consider also that for now, services focused on cybersecurity can be unique differentiators, if not requirements.

The growing dominance of master service agreements (aka, subscription-based pricing models), coupled with aggressive vendor consolidation in the e-discovery vendor market, offers the opportunity to distinguish one service from newer, more complex services that span a broader range of client-vendor collaboration beyond the EDRM. Much of what happens in the CSRM (Cybersecurity Reference Model) happens before EDRM, the greatest overlap being “information governance.”

As corporations decide which providers to engage in multimillion-dollar annualized contracts, the breadth of service is slowly becoming as important as the depth of expertise in a particular service. Corporations want to engage fewer vendors to get the job done, and with so much downstream e-discovery business stemming from a client’s maturity around data governance and security, middle-market e-discovery providers may need to have experts on staff who can consult on cyber and privacy-related issues to win client business much earlier in the life cycle of data creation and maintenance.

Whether you are a $30MM e-discovery vendor or a $300MM player, having a go-to industry expert on staff to drive conversations with existing clients while developing a practice in this new area is becoming essential. The opportunistic reality of this advice is demonstrated by the hiring (or lack of hiring) practices in the Am Law 200 and Fortune 1000.

Corporate and Law Firm Reinvention

Corporate cybersecurity leaders will also be ripe targets for recruitment as consulting firms develop more mature teams in the security and privacy vertical. Shahryar Shaghaghi recently joined BDO Consulting as national leader, Technology Advisory Services, and head of International BDO Cybersecurity after years at Citigroup. Corporations will in turn do one of three things in the wake of losing their core information protection talent: hire a similarly experienced replacement from another corporation, engage an outside consultant or promote from within (consider that “outside consultant” often converts into a full-time hire for the client). There will be CISO (Chief Information Security Officer) opportunities in the Fortune 500 in the next five years as a result of this matriculation.

The Am Law 200’s response to security staffing has been — and will continue to be — very different. Law firms, notoriously slow to adopt advanced technology, are equally slow in adopting exclusively dedicated roles for cybersecurity in-house. As mentioned earlier in this article, cybersecurity law is a sector that is showing increasing demand for talent and salary potential for practicing attorneys.

Outside of the practice of law around privacy and security, law firms are not bolstering their staff with technical security experts in order to address issues around their own data, and probably their clients’ data as well. According to the ABA in 2015, “58% [of law firms with 500 or more attorneys] did not have a dedicated Chief Information Security Officer (CISO) or another staff member charged with data security.” Firms are instead leaning on the “Cyber 500” vendors and consultancies to help them or are promoting someone from within (a CIO, global network manager, IT director) to learn security disciplines and take control of the problem. This makes it a great time to be a vendor in the information security vertical, especially if you are servicing law firms. However, most of the “Cyber 500” are focused on corporations and not law firms, though that is slowly changing. Again, with timing being everything, now could be a good window for middle-market e-discovery vendors whose relationships with law firm clients are deep and lengthy to offer security services solutions before the market becomes as saturated with players as e-discovery is.

Consolidation, Innovation, But Mostly Reinvention

The focus of this article has been on how and why an individual or a company needs to pivot thinking toward an emphasis on security. For the profit-minded, security vendors and consulting firms are charging healthy premiums for services and technology while the security market remains fractured and largely not understood. Job hopping and practice group development in the consulting world is rampant as opportunity is high and talent supply low.

Federal employees have a rare and unique window of opportunity to lead the future of the private sector’s cybersecurity community. This is exactly where e-discovery was 10 years ago, and 10 years from now, security will commoditize, consolidate and price compress, forcing another revolution and reinvention of the standards for everyone making a living servicing law firms and corporations in the legal vertical. For those of you who have lived, learned, succeeded, failed, but most importantly remained loyal to the art of e-discovery, the time may finally have arrived to consider reinvention (personally and holistically) if you wish to experience profitability, complex challenge and prestige in the legal community for the next decade.

Jared Michael Coseglia is the founder and CEO of TRU Staffing Partners. A member of this newsletter’s Board of Editors, he has over 12 years of experience representing talent in e-discovery, litigation support, cybersecurity, and broadly throughout legal and technology staffing. Coseglia has successfully placed over 2000 professionals in full-time and temporary positions at the AmLaw 200, Fortune 1000, Cyber 500, Big 4, and within the e-discovery consultancy and service provider community. He can be reached at [email protected].

—❖—

Movers & Shakers

Judy Selby, a frequent contributor to this newsletter’s predecessor, e-Commerce Law & Strategy, left her position as co-chair of Baker & Hostetler’s information governance team to become a managing director at BDO Consulting, with a focus on cybersecurity and cyber insurance.

Saul Ewing added April Doss, previously an associate general counsel for intelligence law at the National Security Agency, as a partner in Baltimore and Washington, DC, where she will lead the firm’s newly formalized cybersecurity and privacy practice.

Richard Borden, a former senior vice president and assistant general counsel at Bank of America Corp., joined Hartford, CT-based Robinson & Cole as counsel for its cybersecurity and data privacy team.

DLA Piper hired Rena Mears, managing director of data risk, cybersecurity and privacy at Am Law 200 firm BuckleySandler, as a principal for its cybersecurity group in San Francisco. Mears, a former leader of privacy and data protection services at accounting giant Deloitte, does not provide legal services as a nonlawyer.

—❖—

The publisher of this newsletter is not engaged in rendering legal, accounting, financial, investment advisory or other professional services, and this publication is not meant to constitute legal, accounting, financial, investment advisory or other professional advice. If legal, financial, investment advisory or other professional assistance is required, the services of a competent professional person should be sought.
