Yesterday I delivered a keynote presentation on the critically important topic of Security & Privacy at the Association of Legal Technologists Ctrl ALT Del 2019 Conference in sunny Scottsdale, Arizona. As a huge baseball fan I unfortunately just missed the opening of Spring Training in the Arizona Cactus League.

My primary message point was that in our world of rapid technology advancement that has generated and will continue to generate massive amounts of data, data privacy and data security are the big issues of our time in the technology space – especially as cybercriminals become more sophisticated, bolder and also include some nation-states. Every company is increasingly transforming into a data company and in order for all organizations to continue to earn trust with their clients and customers, we all need to be even more laser focused on data privacy and data security.

During my keynote I highlighted these “Top 20” cybersecurity best practices for ALL organizations to embrace – regardless of their size or industry:

  • Set the “Tone at the Top” for Cybersecurity: Senior leaders in all organizations need to appreciate, understand and embrace the importance of privacy and security in our data-first world so that they and their organizations can make the appropriate cybersecurity investments.
  • Get Help: As the data privacy and security landscape continues to change and grow more complex, don’t be shy in seeking out the assistance of subject matter experts.
  • Conduct a Cybersecurity Audit: If you haven’t already done so, consider having a highly reputable cybersecurity expert conduct an audit on your organization’s technology infrastructure to help identify security gaps and areas for potential vulnerabilities.
  • Focus on Data Classification: Be sure to clearly understand, classify and conduct an inventory of your organization’s different data types.
  • Develop Thoughtful Written Information Security Policies (WISPs): Develop meaningful and easy to understand WISPs for your organization – and make sure you follow them.
  • Employees & Data Access: Carefully consider which employees need to have access to certain types of more sensitive data and when they exit your organization be sure to immediately shut off their access to your company’s network and data.
  • Conduct Cybersecurity Training: Periodically deliver meaningful privacy and security training to your employees either in-person or online – but make it interesting to capture their attention.
  • Transparency: Be very proactive in communicating to your customers the specific steps that your organization takes to protect data. As an example at Microsoft we embrace this type of transparency via the Microsoft Trust Center.
  • Use Strong Passwords: It seems like we live in a password world. Make sure to avoid reusing old passwords, generate strong passwords and consider using a password manager. As technology continues to advance, we will increasingly become password-free, as passwords will probably become a relic from the past.
  • Embrace Multi-Factor Authentication (“MFA”): Many cybersecurity experts agree that simply using MFA or two-factor authentication practices can go a long way to preventing cyber-related intrusions.
  • Be Careful of Phishing Attacks: Be wary of emails from financial institutions, social media sites, etc. that seem legitimate, but upon closer inspection are imposter emails that seek private information from you and which may contain malware. Microsoft Office 365 Advanced Threat Protection provides protection against phishing attempts.
  • Download Security Updates: Don’t ignore installing the latest versions of technology solutions that may contain more robust data security protections.
  • Work with Hyperscale and Trusted Cloud Services Providers: Generally speaking, large, hyperscale and trustworthy cloud services providers that operate state-of-the-art and highly secured data centers can do a much better job at protecting data than organizations who seek to secure data via their own servers in a traditional “on-premises” computing environment.
  • Conduct Careful Evaluations of Technology Providers: It’s always important to conduct thorough due diligence on the privacy and security practices of any technology provider, vendor or third party that may have access to your data.
  • Be Social & Secure: We are all spending a greater part of our day using social media so please be sure to be more cyber smart when using Twitter, LinkedIn, Facebook, etc., as social media is a key vector for cybercriminals.
  • Be Cyber Aware in Public: Leading technology increasingly enables many of us to work remotely, but when you use public WiFi, always be sure to use a Virtual Private Network (VPN) and be careful not to disclose confidential information in public places.
  • Develop Your Incident Response Plans: Build a clear playbook for what to do in case your organization suffers a significant data loss incident and stress test that response plan like a fire drill.
  • Consider Acquiring Cybersecurity Insurance: Another risk-mitigation technique is to acquire cybersecurity insurance from a reputable provider – but please be sure to clearly understand the scope and limitations of any such insurance.
  • Careful Emails & Texts: Unfortunately our digital worlds may eventually be compromised at some point in time so always, always be careful with the contents of your emails and texts and assume they could one day appear on the front page of The New York Times.
  • Learn from Others: Embrace a “growth mindset” mentality in this area by understanding the lessons from companies that have endured significant data loss incidents and learn from organizations like the International Association of Privacy Professionals (IAPP), the Cloud Security Alliance, the National Cyber Security Alliance and the Microsoft Secure Blog.

All in-house counsel have a tremendous opportunity to help their organizations earn more trust with their customers by actively encouraging their organizations to embrace leading privacy and security practices.  Also a big thanks to Legaltech News for publishing an article about my keynote.

Earlier this week I had the good fortune of leaving the remnants of Chiberia for sunny Miami to spend time learning from some of the best and brightest in the data privacy space at the annual Privacy Law Salon Roundtable Event.

This was my second time attending this fantastic event. Microsoft served as a proud sponsor and, since Artificial Intelligence (AI) is such a hot topic in the data privacy law arena, we were also provided the opportunity to distribute copies of Microsoft’s book entitled The Future Computed: Artificial Intelligence and its role in society.

While I learned so much at the Roundtable and had a terrific opportunity to network with many data privacy leaders, here were my primary takeaways: (1) the Roundtable provides a great “blueprint” for the legal and compliance community on how to produce an outstanding and high-impact event; and (2) as we are well into The Fourth Industrial Revolution that has resulted in leading technologies generating massive amounts of data that can help us achieve more but which needs to be properly used and protected, data privacy considerations need to be top of mind for all in-house counsel.

Over the past several years I have attended my share of legal and compliance industry events, seminars, continuing legal educations, etc. Some have been excellent, some have been good, some have been mediocre and some have been a waste of my time. In my opinion the Roundtable was better than excellent and here are some reasons why:

  • No PowerPoints: There were no traditional presentations delivered during the Roundtable. As a result, instead of only a few people talking at you, everyone was talking with each other.
  • “Off the Record” Discussions: Attendees participated in various private group discussions – approximately 20 people per group – on leading data privacy topics. Participants have the opportunity to become acquainted with each other in such a smaller setting and these discussions are based on the Chatham House Rule so people feel more comfortable actively contributing to the conversation and learning from each other.
  • Highly Skilled Facilitators: The leaders for these group discussions are leading law professors who have outstanding credibility and privacy law subject-matter expertise. They are well skilled at keeping the conversations moving forward and drawing upon the insights of the participants to generate an even more robust dialogue. In fact, when I was in law school back in the day I wish I had professors just like them.
  • Built-In Networking Time: The Roundtable agenda is smartly designed with plenty of opportunities to network both between the group discussions and during meals/refreshments.
  • Great Venue: My wife is a realtor in the Chicago-area and she is constantly reminding her clients that real estate is all about location, location and location. In order for an industry event to be successful, the location also needs to be top-notch and you can’t get much better than being in Miami during February at The Four Seasons Hotel.
  • The Attendees: The Roundtable attendees are privacy leaders from a mixture of companies, law firms, cybersecurity practices, academia and the non-profit world. I’ve been impressed with the diverse nature of the attendees and their passion for the privacy space – which also rubbed off on me. After being at the Roundtable for a few days I’m fired up about the increasing importance of data privacy in our ever-changing world and I look forward to continuing the conversation during my keynote on Security and Privacy at the ctrl-ALT-del Conference in the Arizona desert next week.

Last month in a LinkedIn blog post, Microsoft President & Chief Legal Officer Brad Smith identified privacy as a Top Ten Tech Issue for 2019. In addition, here are some trends we are seeing in the data privacy area:

  • The “Internationalization” of Data Privacy: Countries across the globe have been leading the establishment of new data privacy laws. Last May the widely anticipated and transformative General Data Protection Regulation (“GDPR”) became effective in Europe and a few months afterwards in August Brazil enacted a new data privacy law that is GDPR-like.
  • The United States & Data Privacy: It will be interesting to see whether Congress is ready, willing and able to enact any sort of federal privacy law in the near future. Historically United States federal privacy law has been more industry focused with the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”) focused on the financial services sector. In the meantime, California passed the California Consumer Privacy Act which goes into effect next year and other states are actively considering enacting their own data privacy laws.
  • Rise in Data Breaches: Cybercriminals are becoming more and more sophisticated and as depicted in this graphic below from an article in The Economist magazine last month, data breaches in the United States continue to increase across various industry sectors:

  • It’s AI All the Time:  AI requires huge amounts of data to help train AI algorithms – and such data needs to be properly used and protected. Facial recognition technology can also present some unique challenges and late last year Microsoft published principles that it will adopt for Microsoft’s facial recognition work.
  • National Security Versus Privacy: Balancing the need for law enforcement to have access to key data in order to protect citizens in the interest of security with the data privacy rights of individuals can be very difficult. At the end of last year Australia passed a law providing law enforcement access to encrypted data.

As organizations increasingly use data to help enable their digital transformation, I believe that both understanding and keeping up to speed on the constant evolution of data privacy/cybersecurity law is an absolutely necessary and foundational skillset for all in-house lawyers – regardless of their company or their area of legal practice. As you look for more opportunities to better serve your clients and earn their trust, think about how you can “skill up” on data privacy and cybersecurity.

 

 

 

The epic Academy Award winning motion picture “The Godfather” starring Al Pacino as organized crime family leader Michael Corleone is one of my favorite movies of all time.

An iconic scene in The Godfather is when Michael informs the family’s longtime consigliere Tom Hagen (portrayed by Robert Duvall) that Tom is “out” as consigliere. Michael is brutally honest with Tom and tells him, “You’re not a wartime consigliere, Tom. Things may get rough with the move we’re trying.” Ouch.

Our clients always deserve the very best from us as lawyers. In fact, I think our clients want us to be “wartime consiglieres.” Here are some guiding principles based on the spelling of the word C-O-N-S-I-G-L-I-E-R-E on how we can all be wartime consiglieres so we can better serve our clients:

Communication

A wartime consigliere needs to be an outstanding communicator. This means effectively communicating to our clients in less legalese and breaking down complex legal issues into more easy-to-understand layperson’s terms. Wartime consiglieres also do not write lengthy memos or long emails – instead they know when to tailor their mode of communication to their client by picking up the phone, connecting in-person, using Microsoft Teams, texting, etc., and they craft emails that are no longer than the screen size of a laptop. They also excel at delivering presentations that are not long and boring – but are short and full of energy and enthusiasm.

Openness

Wartime consiglieres also pride themselves in being open, honest and transparent. They understand that the foundation of any relationship is built upon trust, are always available at any time to their valued clients and are always open to receiving and providing meaningful feedback.

Networker

Networking and building relationships with others is part of the DNA of any wartime consigliere. She/he is a schmoozer and knows how to “work a room” in order to create, develop and maintain relationships with the right people. Wartime consiglieres also leverage technology and they use leading social media platforms like Twitter, LinkedIn and Facebook to develop meaningful relationships with clients, colleagues, partners and competitors.

Smart Risk-Taker

To be considered a wartime consigliere, a lawyer needs to constantly demonstrate excellent judgment when dispensing legal advice to clients. She/he should not focus on theoretical risk when counseling clients – but instead a wartime consigliere provides practical, easily digestible and “street smart” advice to clients. Here is a link to an article that I wrote about the art of Smart Risk-Taking.

Impact

Wartime consiglieres are viewed as business enablers and not as business inhibitors. They invest time to understand the business needs of their clients and are problem solvers who drive positive impact by proposing solutions that are aligned to these business needs. They are also skilled at measuring the impact of their work in a tangible and quantifiable fashion to help demonstrate their high-value add to their clients.

Grow

The willingness to embrace change and to stretch professionally is another important attribute of wartime consiglieres. As Winston Churchill once said, “To improve is to change, to be perfect is to change often.” Wartime consiglieres are “learn-it-alls” and not “know-it-alls” as they continue to adapt and grow so they can better serve their clients. The “growth mindset” mentality as outlined in the book “Mindset” by Dr. Carol Dweck is embraced by wartime consiglieres.

Listener

Being an active listener is critical to the success of any wartime consigliere. Listening to your clients, asking the right questions and understanding their important needs positions wartime consiglieres to be customer obsessed and impactful problem solvers.

Inclusiveness

In order to provide more thoughtful legal counsel wartime consiglieres understand they need to consider diverse and different perspectives on a particular matter. They also recognize that diverse and inclusive teams are higher performing than teams who are less diverse and inclusive in nature.

Ethics

Embracing a non-negotiable mindset of high integrity and ethics is vital for any wartime consigliere.  They do not “cut corners” and instead they lead by example to promote a culture of compliance within their respective organizations and on behalf of their clients.

Responsiveness

Wartime consiglieres are lightning fast when responding to their clients and colleagues. Even if she/he cannot provide an immediate answer to a client’s or colleague’s request for assistance, at a minimum a wartime consigliere acknowledges receipt of the request, lets them know that she/he is working on it and provides a realistic timeframe as to when a meaningful response can be provided.

Empathy

During an Association of Corporate Counsel – Chicago Chapter Board of Directors annual retreat I was pleased to learn via a StrengthsFinder assessment that empathy was my number one quality since being empathetic is an underrated and important attribute for all lawyers.  When providing legal counsel wartime consiglieres put themselves in the shoes of their clients. They do their best in identifying with and being empathetic to their client’s specific needs so they can offer bespoke and differentiated legal services.

Always be sure to be a wartime consigliere so you can avoid being “Tom Hagened” by your clients.