Laying Down the Law of Cybersecurity

Don Miller

Much has happened in the world of cybersecurity since last we posted.  bTrade will be publishing upcoming posts that hopefully will have interest or provide help to our MFT Nation readers.  In between MFT Nation posts, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.

For today, let’s touch on the 2016 LegalTech West Coast Conference, which we attended last month.  The conference provides a good glimpse into how lawyers and their bright IT professionals are approaching cybersecurity.  We’d like to share our thoughts about one particular comment made by an attendee, as it was echoed both during and after the conference.

Cybersecurity is Just Too Darn Difficult and Complex

Here’s the comment which was made in an article published after the conference:  “But while law firms, like companies in the financial and healthcare industries, are implementing security practices, ‘when you look outside of those areas, there’s not a whole lot of standards,’ said David Pluchinsk, partner at Beirne Maynard & Parsons.”  The article goes on to say:  “This, of course, can make cybersecurity a difficult and complex issue for outside and private counsel.”

We understand the feeling.  Data breaches have dominated headlines.  Due to the prevalence of cyber threats, many organizations in the legal field are feeling a bit overwhelmed and suffering from what has been described as “breach fatigue.”  For example, a Los Angeles-based boutique law firm specializing in divorce cases merged with a larger firm because one of the partners couldn’t sleep at night due to worries about cybersecurity.

But fear not, MFT Nation readers.  We have some information that can hopefully ease your fears about cybersecurity.

Pursuing the “Holy Grail”

Contrary to popular sentiment, the financial and healthcare industries have not discovered the panacea of cybersecurity standards.  The HIPAA standards do not amount to a cybersecurity “how-to” guide for the healthcare industry.  For example, this article explains that HIPAA does not explicitly require encryption; in fact, HIPAA doesn’t explicitly require the implementation of any specific security technology.  And as this article demonstrates, the apparent abundance of cybersecurity standards in the financial and healthcare industries does not necessarily translate into real “data security.”

Searching for Standards

We disagree with the statement that “there’s not a whole lot of standards” outside of the financial and healthcare industries.  It’s simply not true, as evidenced by the following:

  • In the FTC v. Wyndham case, a federal appellate court urged entities looking for cybersecurity standards to refer to the “expert views” provided by the FTC, the “agency responsible for administering the statute [which regulates cybersecurity practices].”
  • The appellate court in FTC v. Wyndham pointed to one particular brochure prepared by the FTC called “Protecting Personal Information: A Guide for Business,” which the court said contains the “characteristics” of a “sound data security plan.” In it, the FTC provides a clear and well-written list of “5 key principles” to help businesses “regardless of the size—or nature” with data security.  The FTC makes a bold statement in the brochure that “the principles in this brochure will go a long way toward helping you keep data secure.”  We wholeheartedly agree.
  • In this post, MFT Nation discussed some of the key FTC data security standards.
  • On the Data Security page of its website, the FTC has a wealth of other helpful information relating to data security standards. Please take advantage of these resources if you are searching for available data security standards.  The information is FREE, and as the first paragraph of the FTC’s Data Security page states, it “can help you meet your legal obligations to protect that sensitive data.”
  • Another FREE resource is the “Framework”published by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department.  NIST describes the Framework as a compilation of “standards, guidelines, and practices to promote the protection of critical infrastructure.”  The Framework operates on the principle that one-size-fits-all checklists are inferior to “risk-based” cybersecurity practices.  We here at the MFT Nation have written before about the Framework.  Suffice it to say that we consider the Framework better suited for larger organizations and advanced cybersecurity practioners.

Knowing lawyers like I do, I’m sure the search for the “Holy Grail” of cybersecurity standards will continue.  Hopefully, the above-mentioned resources will put the industry on the right path.

Contact bTrade for Help

People care about cybersecurity and the impact it has on their lives, both personally and professionally.  However, it is one issue over which they feel they have limited control.

Cybersecurity is not an easy thing.  But many aspects of running a business are complex and difficult.  We don’t want to understate the complexity of cybersecurity.  But deal with it like you would any other complex and difficult aspect of your business—get some advice from a subject matter expert/experts and devise a plan/solution that fits your company and budget.

If you need help, contact our data security experts at

Also, to stay current on developments in the world of data security, follow bTrade on Twitter, Facebook, LinkedIn and Google+.