Sam Chi has been working at the intersection of lawyers and technology for more than 15 years. He spent a decade managing a team of e-discovery technical consultants at Latham & Watkins before moving to FRONTEO, where he is a senior vice president in discovery services. He’s witnessed the tension that can crop up when IT and Legal are forced to collaborate under the pressure of, say, a data breach. His experience has given him insight into the problems and ideas for solutions. And he thinks in-house lawyers are ideally situated to help make things better.
MCC: Cybersecurity has been a very big issue in the legal industry for quite a while. In recent years, a lot of attention has been focused on the relationship between in-house lawyers and their outside counsel. Why is that?
Chi: I think it’s an economic issue. IT departments within an organization think of things in terms of prevention: preventing hackers, preventing malware, preventing all other cybersecurity threats. The legal department gets involved, typically, in response to a bad situation, whether it be regulatory requirements or lawsuits. So they are more reactive. But I think the more important question is: At what point is there a dialogue between the IT departments and their in-house lawyers and their outside counsel?
MCC: Early on, law firms seemed slow to respond to the concerns of their clients. Do you think that’s a fair assessment?
Chi: I don’t think it’s a fair characterization to say that law firms are slow in response. Rather, as I said, law firms tend to be reactive. Again, it’s more economics – a supply and demand issue. The law firms have, in recent years, addressed cybersecurity and brought it to the forefront as demand has grown from in-house lawyers and corporations.
Just look at what’s happened in the last five years: big time cybersecurity issues. For example, the Target matter, where some cyberthieves accessed customer credit card information through a subcontractor. That led to $10 million in damages and a class action lawsuit, $39 million to financial investors and institutions and another $60 some-odd million to a credit card company. I think with the emergence of these lawsuits in recent years, the law firms are now beginning to respond with lawyers who are very knowledgeable in the cybersecurity realm.
MCC: So, you think it took some big headline cases and some very big numbers to get their full attention. Is that what you’re saying?
MCC: I guess that could certainly be said of in-house lawyers everywhere. I think if there is someone who isn’t paying attention, now, you have to ask what planet they’re living on.
Chi: Yes, exactly. And with in-house lawyers – I’m probably going to go a little off-topic here – but FRONTEO is an e-discovery services and consulting provider, so we’re on the technical end, serving law firms and corporations. In my former career, I was part of a law firm. One of the biggest disparities I saw was simply communication. IT speaks a different language than Legal. This is not just with cybersecurity, but with information governance, litigation and any other regulatory and legal-type of services. The language disparity and the understanding between the two groups has impeded progress in all avenues where Technology and Legal should be more involved, more transparent and more understanding of each other.
MCC: Tell me a little bit about how you think IT departments and law departments have learned to communicate better over the last few years. What has been successful? When have you seen that seems to be working well in some of these instances, and what do you attribute that to?
Chi: Bringing in outside vendors or having internal resources that not only understand the legal issues, but also understand IT can be successful. Law firms have added internal resources to bridge that gap. They’ve added internal experts who have backgrounds in technology, but also understand the legal issues. They can act as translators, if you will. That was a huge change for law firms and in-house counsel to initiate. Recent lawsuits and requirements have forced IT and legal counsel to start collaborating and talking to each other because the sensitivity of the data and the nature of the data has become so important and crucial that law firms and in-house counsel have been forced to understand these issues.
MCC: So in-house law departments have done the same thing?
Chi: Yes, absolutely. You see this with larger corporations that have evolved, unfortunately, because they’ve been on the losing side of things. They’ve either had a security breach or been on the receiving end of a big fine. Some larger corporations with larger in-house legal departments have added technical experts. Smaller companies reach out to outside counsel, and because of these questions and requests to outside counsel, the outside counsel have also added technical experts to their staff.
Chi: Now, the smaller law firms will engage outside vendors, but it’s a downstream effect where everybody has had to beef up their staffing and expertise in one way or another.
MCC: So, it sounds like if you were advising in-house departments, if they haven’t already either hired people in-house who are bilingual in IT and legal, and can translate and function as a liaison, that would be something you would recommend. Or if they’re smaller, they find partners who can function that way. That’s some of the advice you give companies that are wondering what they can do to more effectively respond to these situations, correct?
Chi: Correct. They should have the resources readily available, whether it’s internal, through outside counsel, or through a partnership with a technical services organization. I think at the heart of it, you just simplify everything. As I said earlier, traditionally IT thinks of things from a preventive perspective; it would be beneficial for IT departments to bring in their in-house legal departments or outside counsel and think, “What happens if the preventive maintenance doesn’t work? Where are the potential security breaches, what’s out exposure and liability?” Thinking not only from a risk perspective, but what types of information can we afford to lose?
MCC: Are in-house lawyers in a good position to encourage and guide that dialogue?
Chi: Absolutely. Being in-house, you’re in a position where you have internal knowledge of your organization. Here’s the major difference: with in-house legal departments, they need to think of the business model as a whole and the organization as a whole. Whereas with law firms, what they’re really thinking about is a matter, whether it’s a lawsuit or a legal transaction. The law firms are thinking about that particular project or that particular issue. In-house counsel, on the other hand, are in a position to think about the business in its entirety.
MCC: Yeah, yeah. That puts them in the right frame of mind to figure out how to protect the company as a whole. So, is there other advice you have for, in particular, in-house lawyers who are facing this kind of daunting challenge – this potentially existential risk for a company?
Chi: Open dialogue with the respective departments that are in control of digital information is very important. Additionally, often we get so caught up in digital information, we forget about paper. Communicating about paper documentation is also very important.
In-house counsel should start with understanding where the data is in the organization, what it’s used for and how it’s used, as well as understanding the regulatory requirements by the various government bodies. If it’s an international corporation, they have to understand the governing laws and privacy laws for those respective countries. It’s hard to get their arms around, but I think the first step is just understanding where things are, where data is stored, whether it’s on the cloud, or it’s behind their four walls, understanding what data is accessible to subcontractors and their vendors, and understanding which data is critical and which data is less critical. Taking into account the budgetary requirements of the business is critical. Attempting to get their arms around all these issues is key. Also working with outside counsel to understand where their weaknesses are, what their exposure is and to seek any kind of remediation efforts, if they need to, and go from there.
MCC: One more question. One issue floating around is whether a corporation ought to have some designated cybersecurity officer in charge of this whole area. It’s a big area with big risks. Do you have an opinion of whether companies ought to designate a chief cybersecurity officer.
Chi: Yes, I do have an opinion. I think that goes back to what I was saying as an internal expert on cybersecurity issues. I think a lot of companies have already started doing that. You’re the chief security officer or chief compliance officer who has to be knowledgeable about these areas. A lot of companies have already started doing that. I think it’s worthwhile to have that in place.
MCC: Is there a particular kind of background that you’d be looking for from that person?
Chi: From my perspective, someone with an IT background and someone who understands government regulations. It needs to be an expert who understands both sides of the fence – that’s critical to bridging the gap between Legal and IT, for sure.
MCC: Well, what about you? Do you see yourself as a candidate for that kind of job?
Chi: I might. I do have the background. I was an IT manager for a number of years, and then went to the legal and e-discovery side of things. It’s an area that definitely interests me.