Locked Down: Information Security for Lawyers
Book written by Sharon D. Nelson, David G. Ries, and John W. Simek
Book review by Christina Ayiotis
FULL DISCLOSURE: I have known Sharon and John personally and professionally for more than a decade and consider them good friends. We have participated together on panels, spoken at the same conferences, and served on committees and boards of directors together. We have similar areas of expertise and civic commitment.
Sharon, David and John published an important book on information security for lawyers and law firms three years ago. Given the number of law firm breaches since, it appears that few lawyers read or heeded their advice. Locked Down is an easy-to-read overview of why lawyers need to implement good information security, not just cybersecurity, and how. It is even more relevant today than when first published. This book belongs in the Cybersecurity Canon because it provides cybersecurity professionals context regarding the legal profession’s requirements and strategies for dealing with cyber and information risk and obligations.
Cybersecurity is such an important topic in the legal field that lawyers are starting to pay actual money to be a part of a brand-new Legal Services Information Sharing & Analysis Organization (sold to them by the FS-ISAC). While my fellow Cybersecurity Canon Committee member Ben Rothke wrote an Amazon review of this book in May 2013, he did so from a Cybersecurity/IT professional’s perspective. My review will primarily be from the perspective of a Cyber Attorney, former Deputy General Counsel of a technology services multinational, Privacy Expert, Certified Records Manager and active member in good standing of the Virginia State Bar for 24 years.
When Locked Down was published, the American Bar Association (a private sector voluntary professional association with no lawmaking power or regulatory authority that relies on the State Bars as independent enforcement organizations) was still considering updates to its Model Rules of Professional Conduct that would bring them into the 21st Century. While those updates are now in effect, and they include being competent regarding the “benefits and risks associated with relevant technology,” there is little evidence that the more than one million lawyers in the U.S. have sufficiently educated themselves to be considered competent. Reading this book would be a good start. Then, taking it to their IT colleagues (or consultants, if they are solo or a small firm) and working together to understand how the various strategies are (or could be) implemented would be the next logical step.
While the book starts with “data breach nightmares,” it’s probably no longer necessary to start with fear. Information security is now a business imperative for clients, and they drive the requirements (most of which are conveniently explained). While it is 319 pages in total, the text runs only 170 pages; the rest of the book contains helpful Appendices and an Index.
Yes, lawyers have ethical obligations to keep client information confidential, but there are common law duties, as well as regulatory/statutory requirements for certain data types (that affect both lawyers and clients alike), and the authors provide that as background. The book then delves into all aspects of security (physical, information, cyber and personnel) and uses real case studies to make its point. For example, the authors recount the horrifying and “amusing” story about Kevin Mitnick taking on a new identity as Eric Weiss, “the real name…of…Harry Houdini (sic)” to get a job as a systems administrator at a Denver law firm. Ironically, there has been an explosion of cybersecurity practices at law firms in the last few years—the shoemaker’s children excuse will definitely not work for them. It would not surprise me to see a day when a law firm is sued by a client because of a data breach and Locked Down is entered into evidence to demonstrate the “reasonable care” law firms should be taking with respect to security.
“Two lawyers and an IT expert” sounds like the beginning of a good joke, but it is the unique blend of perspectives and expertise the authors bring that makes the book so readable. A SANS Institute Glossary of Security Terms is conveniently located in Appendix M, so lawyers unfamiliar with such terms can easily look them up. Topics such as authentication, secure configuration and virtual private networking (VPN) should be part of every lawyer’s lexicon, if for no other reason than that their clients have the exact same issues protecting information in their own environments.
The advice regarding securing desktops, laptops, mobile devices, email, voice communications, etc. addresses general business issues that all professionals should be aware of. Outsourcing and cloud computing are even more prevalent today, and managing that third-party risk is not just an ethical duty but also a business requirement; the authors’ recommendations in that regard are critical. It’s also important for law firms to acknowledge that clients consider them to be third-party vendors that must similarly meet baseline security requirements. Appendix H: “Lockdown: Information Security Program Checklist” is an excellent starting point.
The Certified Records Manager in me applauds the inclusion of Chapter 13: “Secure Disposal” and the authors get extra points for citing a relevant NIST standard. While the book focuses on information security, it is important to recognize that end-to-end information management (for both client and law firm information) is the goal (to mitigate risk and reduce costs). Chapter 15: “Securing Documents” is particularly important for lawyers because legal advice provided within documents and relevant communications channels must be kept secret in order to be protected by the attorney-client privilege (not to mention the requirements for trade secrets). There is also an important discussion regarding metadata (from both operating systems and applications perspectives) – not surprising given Sharon and John (along with Bruce A. Olsen) wrote The Electronic Evidence and Discovery Handbook: Forms, Checklists and Guidelines.
They cover cyberinsurance but caution that policies are confusing and care must be taken to understand what exactly is covered (and what is not). They end the book looking at “The Future of Information Security,” and readers should be aware that the topics covered (laws and regulations, BYOD, passwords, policies and plans, mobility, cloud computing, social media, and training) are all everyday issues now.
Given how quickly technology evolves, in the next edition of Locked Down the authors will likely have to add sections on wearables, biometrics as part of multifactor authentication, quantum encryption, virtual law practices, etc., but lawyers should feel comfortable knowing that mastering what’s in this book puts them in a defensible position. Furthermore, good information security is now a business differentiator. Law firms that implement all of the book’s recommendations can use their superior cybersecurity standing when marketing their services. They can even give clients a copy of Locked Down for their own use (and no, I’m not getting paid a commission on book sales).
“Legal Services Information Sharing & Analysis Organization,” FS-ISAC, Last Visited 21 October 2015, http://www.fsisac.com/ls-isao
“Top Customer Reviews: Locked Down: Information Security for Lawyers,” by Ben Rothke, Amazon, 20 May 2013, Last Visited 21 October 2015, http://www.amazon.com/Locked-Down-Information-Security-Lawyers/dp/1614383642
“Law firm makes a case for security certification,” by Mary K. Pratt, CIO.com, 28 August 2015, Last Visited 21 October 2015, http://www.cio.com/article/2969323/security/law-firm-makes-a-case-for-security-certification.html