P2P

summer23

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1502513


exercises run by third-party vendors because they don't have a contract with the vendor that specifies how their data will be used.

The second session was entitled "Legal Ethics and Cybersecurity: The Duty of Law Firms to Protect Client Data in 2023." I spoke along with Ben Weinberger, a man of many titles, among them Lawyer and Law Professor of Which?, Visiting Lecturer at The University of Law in London, and virtual CIO (vCIO) of several US law firms. Ben covered new regulations that have been enacted worldwide that affect privacy and security issues, while I covered the ABA's recent comments to model rules as well as recent formal opinions that have addressed the virtual practice of law, among other things.

In working with Ben, I discovered a major pet peeve of his: firms whose lawyers write about cybersecurity practices whilst not internally practicing what they preach. He called attention to a few firms in the presentation and advised those in attendance to check their own firms' websites to ensure that no such conflict exists for them. If the lawyers at their firms are advising clients to do things that their own firms have not put into practice, this provides the leverage those in attendance can use to effect change when they return to their firms after the conference.

My third session was about one of my favorite topics, one that nobody else likes to discuss: retention policies. The session was called "How Effective Data Retention Policies Can Reduce an Organization's Threat Surface." Stacy Joseph, Information Security Governance Manager of Alston & Bird, led the session, with some assistance from me. We covered retention policies for email as well as why there should be different policies governing firm work product and client data, which makes it necessary to keep them separate or at least classify them differently.
Retaining data creates risks to security and privacy, as well as potential financial risk of penalties for non-compliance and risk to firm reputation. Data classification is critical to a retention policy. If you can't identify which records are subject to a policy, you can't apply that policy.

Aside from my responsibilities as a member of the Planning Committee, I volunteered to assist with two additional sessions. I am also involved with ILTA's Women in Security subgroup of Women Who Lead. Misty Stacy, Managing Partner at Tested Cyber Talent, and I led a discussion on building and diversifying the security staffing pipeline during a breakfast meeting on Friday morning. After a quick recap of last year's breakfast and what had been done since then, we embarked on what can sometimes become a difficult conversation: how can you promote diversity while ensuring that your team is fully qualified for their positions? In the cybersecurity arena, several attendees pointed out that they often hire people who have the
