January 2015 | Volume 16, Number 1

Continued on page 3

A tool will languish in the marketplace and inside a law firm if it cannot be demonstrated how it materially improves a current system that already adequately services clients and generates reasonable profits.

Another new tool? What’s the compelling reason? If none, I’ll resist. There’s a general perception that law firms and lawyers shy away from using technology in their practice, even when those tools would materially improve work efficiency and increase law firm profitability. In support of this understanding, commentators look to legal technology solutions

providers, many of whom are seeing slow sales compared to the pre-2009 legal market. They also see law firms that have purchased a variety of legal technology solutions, but don’t appear to be leveraging them for their maximum value. These are valid data points, but they do not tell the entire story.

Lawyers are pragmatists. It’s their job to solve the problems—typically, the complicated problems—of other people, and do so in a cost-effective yet profitable manner. Anything less, and a lawyer is likely to find it difficult to attract clients and stay

in business. One would think that lawyers should be receptive to deploying additional tools that help them deliver better results, increase client satisfaction, and, most importantly, increase bottom line law firm revenue.

Indeed, historically, we have seen rapid adoption of certain technologies in the legal community. Law firms eagerly embraced word processing systems and later personal computers because this technology permitted them to create legal documents and pleadings and fix typos faster and with much less effort—and also reduced the need for armies of salaried and nonbillable secretaries and typists. Other than the high initial purchase cost of early systems, lawyers saw immediate value in changing their existing workflow to leverage the features of these tools, and they quickly incorporated these tools into their work. Similarly, today’s law firms, both large and small, operate enterprise-class e-mail systems and offer a variety of remote access solutions. Again, lawyers immediately saw how these tools permitted them to be more responsive to clients and have greater flexibility in where and how they could perform client work.

Deconstructing the Myth of Low Technology Adoption in Law Firms

By Conrad Jacoby, Adjunct Professor, Georgetown University Paralegal Studies Program, Washington, DC

Please direct any comments or questions to either of the editors in chief:

PracticeInnovations

In This Issue EDITORS IN CHIEF

2

EDITORIAL BOARD

Smartphones as the New “Swiss Army Knife”

By Jean O’Grady

In the burgeoning world of mobile apps, a smartphone is no longer simply a phone. Able to support a multitude of downloaded apps, the pocket phone has become as indispensable and versatile as a Swiss Army Knife.

Legal Pricing Technologies

By Toby Brown

Although very simple technology, spreadsheets allow pricing people to understand profitability, model different options, and understand costs and margins. However, they are a very manual way of meeting these needs.

Safe Travels in the Age of Digital Espionage: Protecting Your Assets on the Road

By David Herst and Don Philmlee

Traveling with technology has increasingly become a perilous affair. Gone are the free days of easy travel with just a laptop and phone and hotel wireless.

Deconstructing the Myth of Low Technology Adoption in Law Firms

By Conrad Jacoby

A tool will languish in the marketplace and inside a law firm if it cannot be demonstrated how it materially improves a current system that already adequately services clients and generates reasonable profits.

Client Data Security Audits—A Preemptive Checklist

By William P. Scarbrough

Law firms are receiving and responding to a growing number of data security audits from clients, particularly those in heavily regulated industries such as banking. This checklist provides some common areas of focus.

William P. ScarbroughChief Operating OfficerBodman PLC6th Floor at Ford Field1901 St. Antoine StreetDetroit, MI 48226office: 313-393-7558fax: 313-393-7579email: wscarbrough@bodmanlaw.com

Janet AccardoDirector of Library Services Skadden, Arps, Slate, Meagher & Flom LLPFour Times SquareNew York, NY 10036-6522212.735.2345email: janet.accardo@skadden.com

Sharon Meit Abrahams, Ed.D.National Director of Professional DevelopmentFoley & Lardner LLP Miami, FL

Toby BrownChief Practice OfficerAkin Gump Strauss Hauer & Feld LLPHouston, TX

Silvia CoulterPrincipalLawVision GroupBoston, MA

Elaine M. EganManager, Information Center Shearman & Sterling LLP New York, NY

Ronda FischDirector of Research and Library SystemsReed Smith LLP Pittsburgh, PA

Lisa Kellar GianakosDirector of Knowledge Management Pillsbury Winthrop Shaw Pittman LLP Washington, DC

Jean O’GradyDirector of Research Services DLA Piper, US, LLP Washington, DC

Don PhilmleeLegal Technology ConsultantWashington, DC

Kathleen SkinnerDirector of Research ServicesMorrison & Foerster LLPSan Francisco, CA

William P. ScarbroughChief Operating OfficerBodman PLCDetroit, MI

Janet AccardoDirector of Library Services Skadden, Arps, Slate, Meagher & Flom LLP New York, NY

Portable to Wearable to Embedded—How Technology is Literally Becoming Part of Us

By Don Philmlee

Technology has rapidly moved from the computer room to the desktop to the laptop to the handheld. With each move it becomes a more personal and intimate part of both our business and personal lives. Today’s technology is becoming wearable—adorning our bodies and becoming even more intimate and central to our lives.

3Practice Innovations | January 2015 | Volume 16, Number 1

Portable to Wearable to Embedded—How Technology is Literally Becoming Part of Us — Continued from page 1

Law firms do have less consistent tool adoption when the benefits of a given technology are less immediately apparent. That’s not to say that the tools lack functionality or benefits; rather, it is to say that the tools require more careful marketing so that lawyers can understand the value they will receive if they interrupt their existing work flow to incorporate a given tool. “Interrupt” is a deliberate term; lawyers (appropriately) view technology implementation as secondary to their primary goal of servicing clients and their immediate deadlines. Lawyers will interrupt their ongoing work, but only if they believe it is for a good reason.

A tool will languish in the marketplace and inside a law firm if it cannot be demonstrated how it materially improves a current system that already adequately services clients and generates reasonable profits. We can see this in the evolution of the e-discovery tool market. Initially, law firms had no tools that lawyers could use to help them review electronically stored information or easily incorporate these materials into their case development. Early litigation support and e-discovery tools that could deliver the goods, so to speak, were devoured by hungry customers. After this initial wave though, each successive generation of new e-discovery tools has needed to significantly raise the bar to attract attention and generate new sales. Simply being a comparable alternative to an existing product is not enough to move lawyers from one adequate tool to another adequate tool. In addition, thanks to thoughtful programming enhancements, existing e-discovery tools on the market are proving sufficient for the current needs of most case teams. In this maturing market, incremental improvement may be all that is possible, and solutions providers are left with the difficult task of selling slightly better adequacy to a community that already has generally adequate tools. It’s no wonder that new sales have slowed.

On the other hand, it’s also possible to find examples of technology purchased by law firms that are being underutilized, and each of these serve as helpful illustrations of the pragmatic approach lawyers use to evaluate technology tools. In the early 2000s, many law firms began investing in customer relationship management (CRM) systems. It was argued at the time that these systems would deepen existing relationships with current clients and make it possible to data mine historical client information, increasing the amount of repeat work and increasing law firm profits. However, the sales-focused philosophy of standard CRM systems alienated many lawyers already managing existing relationships, and they resisted sharing control and information with these systems, seeing them as barriers

and impediments to their own business development efforts. As a further complication, it has proven difficult for many law firms to quantify the extent to which CRM systems are actually improving the firms’ ability to retain clients and win new work that they would not have received without use of the CRM system. As a result, while many large law firms continue to deploy CRM systems, participation in them by firm rainmakers remains inconsistent. From the perspective of the partners managing client relationships, the technology simply isn’t seen to deliver a compelling improvement to existing practices.

Another legal technology that is underutilized in many law firms is automated litigation case management. Properly utilized, these specialized database systems are efficient repositories of all case related information, from court and docket information to pleadings, key correspondence, and e-mail messages. They permit lead attorneys to generate detailed status reports about tasks in the case, and many even offer client-focused Web portals so they can check on the status of their matters too. However, this functionality comes at a clear cost: it can take significant time and effort to enter all necessary information into the case management system, and in busy practices, firms may have to hire additional clerks or paraprofessional staff to stay on top of all the information flowing into and out of these systems. For some lawyers, the cost of operating case management systems exceeds the organizational and reporting value they receive in return; they decline to use such systems, even when they are available to them. For other lawyers, however, particularly those managing clustered, serial, or class-action litigation, the cost of operating such a system may be materially less—and offer much more functionality—than their existing, nonintegrated systems for managing the same information. Different lawyers and different practice areas have reached different conclusions.

Increasing law firm adoption of a new tool or technological approach requires careful positioning and lawyer education; in many ways, it’s much more of a marketing issue than a cost issue. Most importantly, lawyers should clearly see how a specific tool can generate additional revenue for a law firm. In making this argument, general platitudes are flatly inadequate; sponsors of the new tool must be able to describe, with specificity, how the cost of a tool and the short-term business disruption caused by changing existing work processes are outweighed by the increased revenue that the new tool will help generate once it has been successfully deployed. Lawyers may disagree with specific points within such a presentation, but the

4

Portable to Wearable to Embedded—How Technology is Literally Becoming Part of Us

structure of this approach offers attorneys a framework they can use to construct their own alternate cost-benefit analysis.

Second—and only second to the financial argument—new tools should be described in terms of how they improve the lawyer work experience. This is a delicate approach; a typical tech marketing approach that tries to sell a tool by enumerating individual features will repel most attorneys—and most people. As with describing how tools increase revenue for a lawyer, educational efforts must stress specific ways in which the new tool directly improves existing processes that the lawyer audience is using in its existing work, ideally by wrapping the tool in an easy to understand workflow. Thus, instead of bludgeoning attorneys over the head with features, appropriate education, and outreach will permit lawyers to visualize use cases for their own matters, giving them an analysis that they will trust and act upon.

Text tk

5Practice Innovations | January 2015 | Volume 16, Number 1

Safe Travels in the Age of Digital Espionage: Protecting Your Assets on the Road

Traveling with technology has increasingly become a perilous affair. Gone are the free days of easy travel with just a laptop and phone and hotel wireless. Also, law firms are often rich repositories of corporate information and intellectual property. Travelers are increasingly carrying valuable data on a variety of devices from laptops, tablets, and smartphones to data watches and data fobs.

The increased volume of potentially valuable data coupled with the multiple entry points offered by the increased number of carried devices makes a business traveler increasingly attractive, not only to cyber criminals, but, in this age of global activity and access, to hostile foreign governments.

War stories abound in this new age of data warfare:

• Gregg Smith, CEO of Koolspan, a security company in Bethesda, MD, has seen cases of executives who have been personally targeted and one CEO who was compromised twice while traveling overseas.

• Kenneth G. Lieberthal, a China expert at the Brookings Institution, follows a seemingly paranoid procedure, choosing to leave his technology at home and only bring temporary loaner devices. He erases these devices before he leaves the United States and again when he returns. He turns off his phone and takes out the battery during meetings, in case his microphone is turned on remotely.

• Dave Anderson, a senior director at Voltage Security in Cupertino, CA, states that within an hour of landing in China, there will be malware on your mobile device.

There are several reasons why travel security is a concern.The first is data leakage. In this massively and increasingly interconnected world of ours, we put tremendous quantities of data out on the Internet. Despite our best efforts to keep it secure, data leaks away from our control.

The most common ways data leaks happen include:

• Malware. Bad guys have myriad tricks to fool users into downloading a malicious program to their devices. Once installed, the malware can communicate with a controller and steal data from a device.

• Social engineering. Though the population at large has undoubtedly become more Internet savvy, bad guys still use fake websites and bogus e-mail to fool users into entering sensitive data into a form.

• Unsafe networks. Insisting on being connected all the time, we occasionally use network infrastructure that is unsafe.

• Outright theft. Even if users do nothing wrong, firms that capture personal and credit card information

By David Herst, Data Privacy and IT Solutions Consultant, Dynatrace (formerly Compuware), New York, NY and Don Philmlee, Legal Technology Consultant, Washington, DC

6

Safe Travels in the Age of Digital Espionage: Protecting Your Assets on the Road

as part of commercial transactions may not secure it sufficiently to prevent its theft.

A second reason, deriving from the first, is black market traffic in personal data. In the early days, hacking was the sport of independent actors. But as e-commerce has become commonplace, data theft has become big business. Stolen credit card numbers are traded in bulk. An entire industry has sprung up to protect the unwary from identity theft.

Increasing interconnectedness has also brought theft of intellectual property—by no means a new pursuit—to the cyber realm. Businesses and countries routinely look for cyber vulnerabilities to steal secrets from competing firms. The difference today is that such secrets no longer reside only in an underground vault at headquarters, with a combination known only to three individuals.

If the secrets in question belong to governments rather than firms, we have a fourth reason for concern, geopolitical espionage. Hostile governments want to learn all they can about their enemies’ military secrets, diplomatic strategies and tactics, and the like. But such espionage exists even between friendly nations, as evidenced by the recent Edward Snowden revelations.

Risks and Best PracticesThe risks to travelers carrying and using technology abroad are diverse and significant, and it is no easy task to travel safely. Law firms have many years of experience securing laptops, but technology has expanded to include other equally capable devices, such as tablets and smartphones, that carry as much or more critical data and often are not well protected. Today’s technology travelers have to be aware of their environment and take additional precautions. Below are some best practices for savvy travel.

Public computers are an obvious risk to avoid. When you use a workstation in a hotel business center or an Internet café, you have no idea what malware might be lurking there. Looking up sports scores, or consulting Google Maps won’t expose any sensitive personal information. But check your bank balance or pay your credit card online, and a key logger can easily capture what you type and thus reveal your login credentials.

Even if you use your own laptop or smart device, most travelers still use public Wi-Fi hotspots to access the Internet. Public Wi-Fi is everywhere these days, offering the convenience of leaving your air card or MiFi at home. But public networks are inherently VERY unsecure. They cannot be password protected, and by their very nature, anyone can get on them and do

mischief. What’s more, bad guys routinely set up their own parallel wireless hotspots that impersonate the real ones to gather your critical information.

Cellular networks also can run the same risk of impersonation. Malicious actors can set up their own cell towers to intercept traffic from your smart phone. Cell phones are set to lock onto the closet cell tower. When roaming in a strange new land, how do you know that the service you’re using is legitimate? It can be hard to tell. Typically, lower connection speed is the only indication that you have locked onto a faux tower. Worse, many carrier updates to your phone can be permitted by default, meaning that bad guys can easily load their malware onto your phone.

Additionally, there are what we might call location risks. It’s one thing to visit a destination where ISPs try to act responsibly, quite another to travel to places where major cybercrime organizations are sanctioned, if not abetted, by government. The Russian Business Network operates with complete impunity and little fear of reprisal from Moscow. China’s counterpart is formally part of the Beijing regime.

Inevitably your data-carrying technology will get lost or left behind. Make sure to enable any “find me” feature on your technology so you have a chance to recover any lost device. If it cannot be recovered, many devices now have a “remote wipe” feature that essentially removes your data. Other obvious precautions to implement on critical portable devices that will make unauthorized access more difficult include putting a PIN or passcode on the device and making sure the data is encrypted.

An easy security measure to take is to minimize. If you don’t need it—don’t bring it. Consider traveling with fewer devices, less capable technology, or even perhaps throw-away technology with no data storage capability. Also, minimize can mean disabling features—for instance Bluetooth is a very handy feature, but can be used to gain entry into phones and tablets. By shutting off unneeded features that path is blocked.

Most portable technology today has a microphone and even a camera. It sounds paranoid, but eavesdropping is a very real possibility. At a minimum, consider turning off your phone and removing the battery (if possible) in confidential meetings to prevent eavesdropping.

A new best practice is to sanitize your devices before and after a trip. Securely formatting and reinstalling ensures any technology is as secure as can be when

7Practice Innovations | January 2015 | Volume 16, Number 1

Safe Travels in the Age of Digital Espionage: Protecting Your Assets on the Road

starting a trip. Sanitizing devices after a trip ensures any security issues collected during the trip are gone.

Most firms today have users connect to the Internet only via virtual private networks (VPNs). This provides a safe, encrypted, channel to the firm’s critical assets and data. One last risk, less common but not unheard of, is coercion. In extreme cases, if a foreign government cannot probe or steal your valuable information stealthily, it might resort to brute force, threatening frightening consequences if you don’t unlock your protected device and subject it to a cyber strip search. You may have no recourse but to comply. If you are carrying sensitive data, you should plan in advance what to do in such an event.

Where is this going? Expect to see more clever and sophisticated ways to gain access to your traveling data. Traveling with technology and critical data will always have inherent risks. With all of these threats has travel become too dangerous for data? No. Just like walking down a dark street at night, it always pays to be smart, be prepared, stay alert, and anticipate problems. Good diligence, care and caution mean you can enjoy safe travel.

SourcesDevlin Barrett, “Americans’ Cellphones Targeted in Secret U.S. Spy Program,” The Wall Street Journal, November 13, 2014, http://online.wsj.com/news/article_email/americans-cellphones-targeted-in-secret-u-s-spy-program-1415917533-lMyQjAxMTI0NTEwMzAxMTMwWj.

Nicole Perlroth, “Traveling Light in a Time of Digital Thievery,” The New York Times, February 10, 2012, http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?pagewanted=all&_r=0.

Robert McGarvey, “How to Keep Your Mobile Devices Secure,” Travel + Leisure, March 2014, http://www.travelandleisure.com/articles/how-to-keep-your-mobile-devices-secure.

Matthew Goldstein, “Law Firms Are Pressed on Security for Data,” The New York Times, March 26, 2014, http://dealbook.nytimes.com/2014/03/26/law-firms-scrutinized-as-hacking-increases/.

Judith Flournoy, “Law Firms Respond to Security Risks in Client Data,” Law Technology News, July 7, 2014, http://www.lawtechnologynews.com/id=1202662139978/Law-Firms-Respond-to-Security-Risks-in-Client-Data?slreturn=20141015103745.

Bill Flynt, “Protecting the Crown Jewels: Information Security for the Business Traveler,” Flynt Group White Paper, 2012, https://flynt.com/Flynt%20Group%20White%20Paper%20Protecting%20Intellectual%20Property%20While%20Traveling.pdf.

Chris Baraniuk, “World Changing Ideas, “Surveillance: The hidden ways you’re tracked,” BBC, October 27, 2014, http://www.bbc.com/future/story/20141027-the-hidden-ways-youre-tracked?ocid=global_future_rss.

Harriet Edelson, “Keep Your Data Yours While Traveling,” The New York Times, September 8, 2014, http://www.nytimes.com/2014/09/09/business/keep-your-data-yours-while-traveling.html.

8

Legal Pricing Technologies

The primary technology used initially by law firm pricing roles has been spreadsheets. Although very simple technology, spreadsheets allow pricing people to understand profitability, model different options, and understand costs and margins. However, they are a very manual way of meeting these needs.

even at the attorney level. Being able to quickly assess profitability is key to the pricing role. This information allows a pricing person to understand the profit drivers for a practice or client before exploring pricing topics for future work.

Pricing roles then have to develop pricing options. These are your classic fixed fees, blended rates, hold back success fees, and even varying levels of discounts. Each type needs to be modeled out and understood.

Sometimes before and sometimes after a pricing option is chosen, a budget needs to be developed. These can be as simple as a single number, to as complex as a per-task, per-phase budget. More often relatively simple budgets are developed. However, budgets need to be based on sound assumptions (also known as scope) and with an understanding of the cost associated with the deal.

The need for budgets then triggers the next function—that of mining past matters to use as benchmarks or budget starting points. This function requires access to past client and matter level numbers with an understanding of the costs of delivery and the margins for each budget or phase.

With a pricing model and budget in place, the pricing function can then model various scenarios to determine which options will enhance the bottom line while maintaining a focus on the client’s fee concerns. This function needs to compare various approaches, again

With the pricing role at law firms evolving and maturing, the need for new technologies to support these roles is growing as well. Traditional law firm technologies have been useful to a degree, but with pressures increasing and needs expanding, new technologies are needed for pricing. Without these tools, pricing as a function, will struggle to stay relevant and be limited in the value it can continue to add to law firms.

Pricing FunctionsBefore we get into the technologies, we should first understand the functions of a pricing role, to set an expectation for the needs that the technologies will have to address. Not all pricing roles perform each of the functions described below. No matter where the functions exist within a given firm, the firms will need technologies to support each one.

When firms get into pricing, a first and necessary condition is to understand profitability. Pricing needs to always be focused on profitability and many times becomes the voice of profitability in a firm. Profitability needs to be understood and accessible on the firm level, practice level, client level, matter level, and

By Toby Brown, Chief Practice Officer, Akin Gump Strauss Hauer & Feld, Houston, TX

9Practice Innovations | January 2015 | Volume 16, Number 1

Legal Pricing Technologies

with an eye towards understanding cost and margin for each option.

Finally, most pricing roles have been pulled towards the project management side of things. This is very apparent when they play a monitoring role on the pricing deals that win work for the firm. Here the role helps lawyers stay on top of their work, so they know early on when they are going off budget or out of scope. Monitoring is a project management function that inevitably leads back to the beginning of our story on how the firm will be able to successfully price out and win the next piece of work. The result is that many pricing roles are being pulled deeper and deeper into the project management space.

All told this draws a picture of the broad and deep technology needs for the pricing function. It also highlights some specific technologies that can help propel this role into greater value for the firm.

From Then Until NowThe primary technology used initially by law firm pricing roles has been spreadsheets. Pricing people acquired data from the time and billing systems and any other related financial systems, and then imported that into spreadsheets. Spreadsheets, although very simple technology, allow pricing people to understand profitability, model different options, and understand costs and margins. However, they are a very manual way of meeting these needs.

Early on, pricing roles dug into the data warehouse scene, with tools like Data Fusion’s Intellistat and Redwood Analytics. Tools like these are critical for understanding past work and for getting into the details of what drove margins for various levels and types of work, down to the client, matter, and even individual timekeepers. Without a tool like this, the pricing role cannot respond as quickly as needed to requests.

Going forward these types of tools need to evolve to provide simpler views into the numbers such that lawyers and others in the firm can quickly access and understand the profit drivers of their work.

To develop pricing options, the role needs tools that allow simple and quick model development. These tools need to include all lawyer cost rates and billing rates, along with the ability to modify the parameters at the top level. This could include changing the staffing leverage by adjusting it generally, instead of manually altering every timekeeper’s hours. Redwood has a planning module that performs some of these functions. There are other tools out there that do the same, like Budget Manager from Randy Steere. Some of the legal

project management systems can meet this need as well, like Engage from Thomson Reuters.

Budget development can be an extension of the modeling need, but can also become quite complex. Engage is an example of a tool that allows very complex budget building, including the use of templates. This approach takes budget building down to a very detailed, task level basis. The approach can be useful in some situations, but most pricing deals do not require that much detail. There are also project management tools that function for budget building like Cael from Elevate Services and Lean4Legal from ERM Legal Solutions.

Most of the tools already mentioned allow for different levels of scenario modeling. Here one can take a single budget, then apply a number of pricing options against that, such as a fixed fee, holdback success fee, blended rates or even fee caps. The goal is to know the margin and risk associated with each approach. Being able to see the options side-by-side has tremendous value. The monitoring function may ultimately become the most important. Most lawyers really want to stay focused on budgets and margins, but they don’t have actionable information available to them. Many of the previous tools have some level of monitoring, but much of that is overly detailed or delayed in how it is delivered. As a result, many firms have developed “Dashboards” for showing real-time (or some approximation of that) information to their lawyers. Redwood has separately developed a “BI” tool focused on this need. As the demand for this type of technology becomes more apparent, more options should come into the market.

At the top of all of these technology needs, is the need for integrated solutions. Existing technologies focus on meeting one or a segment of the needs outlined above. Part of this is a result of the nature of current legal technology. Major law firm systems exist in isolation, so that data is sectioned off. The pricing role needs much of this data to be integrated.

Some tools are emerging to meet this holistic need. One is Umbria from Prosperoware. This tool combines many of the functions outlined above into one system. It also anticipates lawyer access and has relatively simple data presentations (graphs, charts, etc.). A recent entrant to the market, the full value of this approach has yet to be realized. However, other technology providers, including many of the ones listed here, are moving in this same direction.

10

Legal Pricing Technologies

The FuturePricing roles have significant technology needs. Current options are only beginning to scratch the surface. With pricing driving the future profitability for law firms, the technology opportunities are significant and quite meaningful for law firms. Technology providers and IT staff have a big job ahead. They also have a great opportunity to show higher and higher levels of value for their customers and firms.

Post Script One event designed in part to help drive these types of technologies is the P3 Conference held each June in Chicago. This conference brings pricing, legal project management and other emerging roles together to share ideas and best practices. The conference is also designed to generate a dialog between these new roles and the technology providers focused on these opportunities. For more information about the conference and to get a sense of the technologies involved, go to: www.legalmarketing.org/P3Conference.

Text tk

11Practice Innovations | January 2015 | Volume 16, Number 1

Client Data Security Audits—A Preemptive Checklist

Law firms are receiving and responding to a growing number of data security audits from clients, particularly those in heavily regulated industries such as banking. This checklist provides some common areas of focus.

One of Bodman’s core areas of practice is transactional banking work. The firm represents a number of regional banks, national banks, and local banks. Particularly the larger national and regional banks are dedicating increasing time and resources to data security, their own as well as that of key vendors such as law firms. At Bodman we have responded to a

number of client questionnaires, audits, and surveys relating to information and data security. We have found the process to be a useful way to verify and continue to improve our data security infrastructure and procedures. The following checklist is based on questions we have received from a number of clients, and serves as a roadmap for all firms in reviewing and improving their data security.

• Access control

▪ Security policies control creation of all accounts

▪ Physical access to servers, applications, network infrastructure, and communications systems limited to designated staff

• Administration

▪ Management approval required for all administrator accounts

▪ All administrator activity logged

▪ All user accounts assigned to individuals and never shared

▪ Re-authentication required after period of inactivity (e.g., 30 minutes)

▪ All accounts disabled after certain number of access attempts (e.g., 10)

▪ User identity verified for password reset requests

▪ Strong and uniformly enforced password standards (e.g., 8 characters, 1 letter, 1 number, 1 special character)

▪ Required password change every 90 days with no or restricted reuse (e.g., after 5 changes)

▪ Password encryption and no visual display

▪ Hardware token or smartcard required for remote access

▪ For passwords assigned to contract personnel, disable accounts every 90 days

▪ Wireless users required to acknowledge acceptable use before connecting

▪ All cloud-based data encrypted

By William P. Scarbrough, Chief Operating Officer, Bodman PLC, Detroit, MI

12

Client Data Security Audits—A Preemptive Checklist

• Employee control

▪ E-mail encryption, including blocking of outbound protected personal information

▪ Restricted use of CD, DVD, and flash drives

▪ Outbound Internet monitoring

• Hardware and software control

▪ Use of firm-approved devices only meeting firm security standards

▪ No ability to save data from multifunctional devices to removable media

▪ Inventory of all hardware and software assets

▪ Prohibition against installing unauthorized hardware or software

• Disaster and recovery planning

▪ All primary systems and services included

▪ Key third party vendors included

▪ Documentation reviewed by management regularly

▪ Business impact analysis part of plan

▪ Specific recovery time and point objectives set

▪ Notification, escalation and communication plans/contact numbers current

▪ Plan accessible by all staff involved in recovery

▪ Roles and responsibilities of recovery team clear and documented

▪ Voice and data networks designed to avoid single points of failure

▪ Data backup and redundancy

▪ Special attention to facilities in disaster-prone areas

▪ Plan and systems tested regularly

▪ Information security responsibility assigned to individual

• Compliance

▪ Acceptable use policy in place for all software and hardware

▪ Information security/privacy policy in place and enforced

• Operations

▪ Network diagrams and data flowcharts up to date and restricted to authorized staff

▪ Antivirus and firewall systems restricted to authorized staff

▪ Change management process in place and followed

▪ Alternate data center for full system redundancy

▪ Paper files and removable media stored in secure location

▪ Laptops and mobile devices encrypted

▪ Security event logs monitored regularly

▪ Unneeded user accounts disabled promptly

▪ New systems deployed only with latest security patches

▪ Anti-virus and anti-malware installed and current on all servers and clients

▪ Robust Internet firewall implementation

▪ Network equipment and server rooms secured

▪ Two-factor authentication for remote access

▪ Concurrent connections to second network prohibited

▪ Wireless network access only with strong encryption

▪ Network intruder detection system for all external network connections

▪ Regular network penetration tests conducted

▪ Separate development/test and production environments

▪ Incident response procedures in place

▪ Adequate fire suppression systems for computer room(s)

▪ Laptop usage and security monitored closely

• Physical security

▪ Building access restricted and controlled

▪ Guests escorted at all times

▪ Process for collecting access badges from former employees and guests

▪ Access to client files restricted to authorized personnel on “need to know” basis

▪ Information security policies defined, documented and circulated

▪ Security awareness training for new employees and annually

13Practice Innovations | January 2015 | Volume 16, Number 1

Client Data Security Audits—A Preemptive Checklist

▪ Confidentiality agreements with vendors

▪ External social media use only when approved by risk manager

• Vendor management

▪ Information security review of key vendors

▪ Due diligence (e.g., background checks) on key vendors

14

Smartphones as the New “Swiss Army Knife”

In the burgeoning world of mobile apps, a smartphone is no longer simply a phone. Able to support a multitude of downloaded apps, the pocket phone has become as indispensable and versatile as a Swiss Army Knife.

The idea of the “Swiss Army Knife” has become a kind of shorthand for compact, handy, and versatile devices with functionality limited only by the imagination of the developers. According to Wikipedia, this ingenious little device was invented for the Swiss Army with a limited goal of providing a tool which could be used to cut open a rations tin and disassemble a Swiss Service Rifle. The original

1891 knife included a blade, reamer, can opener, and a screwdriver. By 2006, there were 87 different tools supporting 141 functions. There is even a version which includes a flash drive and Bluetooth capability.

Thanks to the burgeoning world of apps, the owner of a smartphone soon realizes that this compact little device is no longer simply a phone. In fact, it may be least of all a phone. A mobile app is a software program designed to run on mobile devices. According to one source there are over 1.3 million apps available in the Apple App Store alone. Early smartphone apps mimicked the standard desktop functions and supported e-mail, contacts, and calendars.

A Thousand Devices in Your PocketToday our smartphones seem to provide the same limitless versatility and adaptability as the Swiss Army

Knife. Gone is the need to travel with dozens of devices including calculators, GPS devices, tape recorders, flashlights, mirrors, alarm clocks, radios, and filoFAXes! A smartphone also offers functionality we never dreamed of. Live video chat apps offer the equivalent of a TV studio in your pocket. Smartphones are even portable weather stations.

Shortly after the release of the first smartphone, app developers with no knowledge of legal publishing began pushing out apps containing primary legal content, such as statutes and court rules. Arlene Eis, publisher of the online directory Mobile Apps for Law, reports a decline in the explosion of new legal apps. According to Eis, since the start of the directory in 2011, about 300 apps from 60 different publishers have disappeared. It is not surprising that small app developers overlooked the critical importance of continuously updating legal content as the laws and rules were amended. Major publishers such as Thomson Reuters, LexisNexis, Bloomberg BNA, and American Lawyer Media continue to offer new legal content based apps which provide eBooks, newsletters, database searching, and cite checking.

Apps Supporting the Business and Practice of Law According to the 2014 ABA Legal Tech Survey, 91 percent of attorneys use a smartphone. Various surveys and legal trade publications report that lawyers are using a variety of general business apps to support their practice. Popular business apps include LinkedIn to network and check profiles on the go. GoodReader allows lawyers to read any kind of document. Auditorium Notes supports

By Jean O’Grady, Director of Research Services, DLA Piper LLP (US), Washington, DC

15Practice Innovations | January 2015 | Volume 16, Number 1

Smartphones as the New “Swiss Army Knife”

note taking and recording of a meeting. TripIt organizes flights and hotels. CamScanner scans and photographs a document producing a better quality image than using the smartphone camera. Dragon Dictation transforms voice to text. Dropbox is used for storing and sharing documents. Evernote manages lists, calendars, and documents.

Legal Research Apps According to the ABA Survey the most popular research apps include Fastcase, Westlaw, LexisNexis, legal dictionaries, and access to dockets.

Litigation Management The image of a lawyer weighed down with a heavy litigation bag is fading as apps connect to cloud repositories and offer an array of app solutions. Large publishers such as Thomson Reuters offer apps for their well-established products such as Case Notebook. Thomson Reuters developed a new product, Firm Central, for practice management with mobile apps in mind from its inception.

There is also an abundance of small app publishers that target very specific aspects of the trial process. SmartDocket manages legal calendars and deadlines. AgileLaw supports the deposition process. TranscriptPad and Mobile Transcripts provide trial notebooks. Shake supports the creation and signing of legal documents. Exhibit A provides exhibit presentation software. Deponent facilitates the creation of question and exhibit outlines. There are a wide variety of products that support the jury selection process including iJuror, Jury Duty, Jury Pad, and iJury.

One of the more unique apps Eis highlighted is called uFaker. It is a sophisticated anticounterfeiting management system that helps IP attorneys track counterfeit goods from anywhere around the globe.

Put a Law Firm in Your PocketLawyers recognize that their clients also live on mobile devices and have begun to explore mobile outreach by developing their own apps. The first round of law firm apps has been app versions of law firm brochures, which didn’t offer much functionality. There is a growing recognition that apps have the potential for serving serious client needs while also enhancing the firm brand.

The website Law Firm Mobile, which produces an annual survey of law firm apps, reported that there was a 62 percent increase in law firm apps between 2013 and 2104.

At the time of the 2014 survey there were 68 apps created by AmLaw 200 and Global 100 law firms. Eight

firms produced more than one app. While a significant number of apps are focused on recruiting, firm descriptions, and events, 62 percent of these apps offer legal content of some kind.

Several firms have focused on crisis management, helping clients respond to the arrival of government agents or a subpoena. DLA Piper offers Rapid Response. This app promises “legal crisis assistance at the touch of a button” for a dawn raid, a home visit, unannounced visits, and seizure of documents.

Pillsbury Winthrop Shaw Pittman offers a Crisis Management Toolkit. This app is intended to provide company executives and in-house counsel with guidance and tools for reacting to potential crises. It includes checklists broken down by crisis type—including Aviation, Chemical, Construction Collapse, Employment Emergency, Financial Crisis, Oil & Gas Incidents, and Privacy Breach. Pillsbury’s crisis toolkit also offers PR best practices and a crisis management process diagram with a toll-free hotline to the firm’s crisis management team. European law firm Noerr offers Dawn Raid designed to avert employee obstruction of government officials while providing guidance on basic rights during a search. The app also offers emergency access to a lawyer at Noerr.

Fox Rothschild offers Data Breach 411, which was designed to help companies understand privacy rules and regulations. The app includes state security breach statutes, HIPAA/HITECH statutes, information on the Children’s Online Privacy Protection Act, and links to credit monitoring agencies and services.

Transactional AppsOn the transactional side Pillsbury Winthrop Shaw Pittman also offers the Global Sourcing Tool Kit for calculating performance metrics and costs for global sourcing. The intent of the app is to provide a tool that helps sourcing deal makers negotiate and manage contracts. Interactive calculators cover downtime, cost of living adjustments, and service credit in multiple currencies (US dollars, Euros, and British Pounds).

Bracewell & Guiliani offers the ShalePlay app, which provides a resource on shale gas and hydraulic fracturing (“fracking”). Features include laws and regulations, an interactive map of shale plays, an historical timeline of fracking, a glossary of terms, and expert analysis of fracking issues from the firm’s attorneys.

Latham & Watkins has released seven Book of Jargon apps that explain the terminology used in a variety of corporate and financial contexts. Sutherland Asbill’s

16

Smartphones as the New “Swiss Army Knife”

SALT Shaker provides guidance on state and local taxes.

One small, high tech, Phoenix based law firm, the Kelly law firm, has developed a rather unique law firm app which focuses not on advice but on supporting the relationship it has with existing clients. A review in Law Firm Mobile indicates that this app provides live chat, access to the client’s files via Dropbox, payment for services using PayPal, and viewing case information using Basecamp, as well as news on blog feeds. There is also a case evaluation feature for potential new clients.

Conclusion The development of apps to support client needs may evolve from an exotic “value added extra” to a core competency for the law firm of the future. Recent trends suggest that law firms will continue to develop high value, interactive apps which keep them tethered to their clients and available at the moment of a client’s greatest need. The ultimate law firm app may be a portfolio of handy tools including a “hook” which lands new clients and keeps the existing clients coming back to the law firm in their pocket.

SourceLFM Big Law Report at http://lawfirmmobile.com/2014.

Text tk

17Practice Innovations | January 2015 | Volume 16, Number 1

Portable to Wearable to Embedded—How Technology is Literally Becoming Part of Us

Technology has rapidly moved from the computer room to the desktop to the laptop to the handheld. With each move it becomes a more personal and intimate part of both our business and personal lives. Today’s technology is becoming wearable—adorning our bodies and becoming even more intimate and central to our lives.

Wearable TechnologyThere are many devices being developed in this fast expanding market. This new wave of wearables encompasses a wide array of devices including: watches, glasses, contact lenses, hats, textiles, and jewelry.

Watches: Apple, Microsoft, Samsung, Nike, Garmin, and

other companies have jumped into this new smart wristband and smart watch market. Currently these devices provide health monitoring (steps walked, heart rate, calories burned). As these devices mature and provide connectivity to a companion smartphone or directly to the Internet, expect to see more and more sophisticated features such as providing ways to make payments, unlocking doors, logging into computers, and starting cars.

Eyeglasses: Google is the most notable entry for this type of wearable with their product Google Glass. Glass is a groundbreaking pair of eyeglasses that provides a user with a heads-up display, camera and touchpad control. It can take photos, record videos, show maps, translate language, find information, and show messages.

Clothing Sensors: Sportswear is now being embedded with sensors to provide biometric feedback for athletes. Instead of wearing bulky medical monitoring devices, clothing is being designed to detect medical conditions such as breast cancer or epilepsy or provide feedback on a person’s existing condition. Another example of this type of wearable is a soldier’s clothing that is capable of tracking location, movements, and vital signs.

Embedded TechnologyWhile wearable technology can be put on or taken off, there is an emerging wave of embedded technology that can be incorporated into the body to create an even more intimate and convenient interface to information and technology.

Expect to see implanted subcutaneous devices to unlock a door, make a payment, provide deeper health monitoring, or even contact lenses that act as a computer interface, similar to Google Glass mentioned above. Embedded technology is just in its infancy and has enormous potential, but will likely not be without controversy.

There are already people who cannot wait for this type of technology to be made available and are commercially providing do-it-yourself instructions (called bio-hacking) and devices for implanting and embedding bio-magnets, near field communication (NFC) devices under the skin. The end result is the ability to control devices, unlock doors and other abilities. However, none of this is

By Don Philmlee, Legal Technology Consultant, Washington, DC

18

Portable to Wearable to Embedded—How Technology is Literally Becoming Part of Us

medically tested or certified by any regulatory agency, so it is an interesting and possibly dangerous example of how this technology is rapidly evolving. There are even organizations, such as the nonprofit Cyborg Foundation in Barcelona, with a stated goal to help people extend their senses by applying cybernetics to their body.

IssuesAs with any technology there are issues surrounding the use of wearable and embedded technology.

Need for More Security and Privacy: Personal information is gathered and stored—personal health information, location, financial information, personal authentication information, and more. Wearable technologies are far more intimate and need to provide a deeper level of privacy as well as security.

Protection of Intellectual Property: With the increasing ability to surreptitiously record audio or video, firms may need to restrict the use of wearable technology where people have access to intellectual property.

Increased eDiscovery: Wearable technology can interact with a cloud account, a smartphone, a computer, or take photos and videos. Since these devices may contain relevant electronically stored information, litigating lawyers will need a deeper technical appreciation of what wearable technology can store and provide.

Technology Dependence: Increasingly we are becoming dependent on our technology. As it plays a more intimate role in our lives there is no doubt we will become more dependent on wearable or embedded technologies. Such dependence puts an increased importance on safety, security, and understanding possible long-term psychological effects.

Where is this going? Wearable technology is in its infancy and an early market of devices is just starting to emerge, so it is difficult to predict what this technology will offer in the coming years. The following are possible directions wearable technology could go.

Sophisticated Interface: Gone are the mouse and keyboard—wearable/embedded technology may give rise to a whole new interface with subtle and intuitive expressions and micro-gestures. Nod at something to approve it, take a photo by blinking, stare at something to select it or for privacy, click your teeth, or swallow. If we are wired with sensors any of these are possible.

Persistent Identity: Already smartphones carry a person’s “identity” allowing people to do many things

including: verify who they are, make payments, log on to computers, or open doors, among many things. Technology that is worn or embedded could potentially do all of the above with the wave of a hand or literally the blink of an eye.

Becoming Big Data / Crowdsourcing: Researchers foresee patients using wearable technology to crowdsource, share and aggregate information about their body, allowing large sets of data for possibly better analysis and research.

Body Power: Wearable technologies to be recharged, but what if the human body could be the power source? Our bodies generate heat and motion and this could be converted into electricity. Researchers with the Defense Advanced Research Projects Agency are working to harness this body energy to power wearable technology.

Augmented Reality: Embedded devices may eventually allow us to overlay our everyday reality with visual data as well as computer-generated sounds and sensations. Examples are enhancing a meeting with additional data about people, topics or presentations, or enhancing a walk in the woods with overlays of plant or bird names. This could potentially range from a light augmentation of information to a total immersive experience.

Augmented Senses: An added benefit of embedding technology could ultimately be the ability to augment or improve our senses: hearing additional audio frequencies, seeing more light spectrums, or even feeling magnetic fields.

Blurring of lines: How much wearable or embedded technology is too much? Technology typically gets smaller and faster as it progresses. If embedded technology becomes sophisticated synthetic biology and merges with organic biology, the line between where the technology starts and stops becomes blurred. Will synthetic technology disappear into our organic biology, or vice versa? We are at the early stages of this discussion with more questions than answers.

Wearable and embedded technologies are in their infancy and already provide highly useful features that are fast becoming part of our lives. This technology is also quickly evolving and potentially can change how we interact, not only with each other and our environment, but also with our technology and data. However, as these technologies mature, the line between what is human and what is computer will no doubt blur. Where does a human stop and the computer begin? There are no doubt enormous debates to come regarding the legality, ethics, privacy,

19Practice Innovations | January 2015 | Volume 16, Number 1

Portable to Wearable to Embedded—How Technology is Literally Becoming Part of Us

spirituality, and efficacy of using such technology on or in ourselves.

SourcesFiona Graham, “Wearable Technology: Clothing designed to save your life,” BBC News, August 25, 2014, http://www.bbc.com/news/business-28844162.

Catherine de Lange, “Clothes with hidden sensors act as an always-on doctor,” New Scientist, April 3, 2014, http://www.newscientist.com/article/mg22229634.300-clothes-with-hidden-sensors-act-as-an-alwayson-doctor.html#.VHCz6ofJu8s.

Jonathan Follett, Designing for Emerging Technologies: UX for Genomics, Robotics, and the Internet of Things, November 7, 2014, ISBN: 1449370519.

Michael Belfiore, “Embedded Technologies: Power From the People,” Smithsonian Magazine, August 2010, http://www.smithsonianmag.com/40th-anniversary/embedded-technologies-power-from-the-people-1090564/?no-ist.

Samuel Gibbs, “Court sets legal precedent with evidence from Fitbit health tracker,” The Guardian, November 18, 2014, http://www.theguardian.com/technology/2014/nov/18/court-accepts-data-fitbit-health-tracker.

Andy Goodman and Marco Righetto, “Why The Human Body Will Be The Next Computer Interface,” Fast Company, http://www.fastcodesign.com/1671960/why-the-human-body-will-be-the-next-computer-interface.

“Protecting Data Against Wearable Technology Risks,” Security Magazine, June 1, 2014, http://www.securitymagazine.com/articles/85549-protecting-data-against-wearable-technology-risks.

Danie D. Taylor, “Apple, Google Push Wearable Tech--But Can They Keep Your Data Safe?,” Forbes, August, 19, 2014, http://www.forbes.com/sites/symantec/2014/08/19/how-safe-is-the-data-on-your-wearable-tech/.

Keith Lee, “The Newest Field of E-Discovery: You,” Above the Law, November 20, 2014, http://abovethelaw.com/2014/11/the-newest-field-of-e-discovery-you/.

Julianne Pepitone, “Cyborgs Among Us: Human ‘Biohackers’ Embed Chips in their Bodies,” NBC News, July 11, 2014, http://www.nbcnews.com/tech/innovation/cyborgs-among-us-human-biohackers-embed-chips-their-bodies-n150756.

Melanie Swan, “Crowdsourced Health Research Studies: An Important Emerging Complement to Clinical Trials in the Public Health Research Ecosystem,” Journal of Medical Internet Research, March 7, 2012, http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3376509/.