Legal Technology Archives - Thomson Reuters Institute
https://blogs.thomsonreuters.com/en-us/topic/legal-technology/
Thomson Reuters Institute is a blog from Thomson Reuters, the intelligence, technology and human expertise you need to find trusted answers.

Small law firms’ 2023 tech priorities: Business development & ensuring remote proceeding capabilities
https://www.thomsonreuters.com/en-us/posts/legal/tech-priorities-small-law-firms/
Thu, 05 Jan 2023 18:50:16 +0000

Among small law firms, optimism remains strong, according to the recently published 2022 Report on the State of US Small Law Firms. After all, 90% of small firm leaders deemed their firms’ operations as successful or very successful, while the majority of respondents expected revenues per lawyer, demand for legal services, and profits per lawyer to increase over the coming year.

However, that optimistic outlook didn’t necessarily translate into new tech adoption, as fewer small law firms adopted new technologies in 2022 than in either of the previous two years. What small firms did focus on, however, was supplementing and formalizing technologies that had been recently adopted, such as video conferencing platforms that were pushed into use during the pandemic. Further, there’s reason to believe that as small firms anticipate a business boom in 2023 and beyond, business development and marketing upgrades are firmly on their radar.

Just 41% of small law firms adopted new technologies in 2022, according to the report, which was down from 50% in 2021 and 45% in 2020. That decrease in new tech adoption may largely be a function of technology budgets that were static — 78% of small law firm leaders said their budget for legal-specific software in 2022 was unchanged from the year prior, and similarly 82% said their budget for non-legal-specific software also was unchanged. A higher proportion of firms had reported increasing budgets for both types of software in 2021.

A more status quo state of being didn’t surprise Stephen Curley, former chair of the American Bar Association’s GPSolo Division and principal at the Connecticut-based Law Offices of Stephen J. Curley. At his firm, technology spend largely focused on bolstering the use of recently adopted technologies, such as Zoom, Curley says.

“Some of the investments that I made back in 2020 that were more or less done in an ad hoc or an emergency basis, I just backed up,” Curley explains. “I didn’t branch out into something new or different come ‘21 and ‘22.”

Focusing on business development & marketing

When small firms did plan tech investments, however, the report found that business development & marketing priorities played a bigger role than ever before. For example, the percentage of firms planning on purchasing billing & invoice software rose from 6% in 2021 to 18% in 2022. The firms investing in marketing software or a firm website, meanwhile, rose from zero of the 80 respondents in 2021 to 14% of respondents in 2022. These shifting tech priorities mirrored a rising goal for small firms: To grow the size of the firm, which respondents ranked as their top firm goal for the first time.

Part of the reason for these increases could be simple: the emergence of a larger potential client base since the pandemic, Curley notes, adding that previously, as an attorney located in Stamford, Conn., he focused his business development & marketing efforts on clients in his immediate vicinity and out of his local courthouses. Now, with virtual meetings and remote court proceedings, it was possible to take on business in other areas of Connecticut, such as in the state capital of Hartford.

“The reach of a solo who has expertise in those areas isn’t necessarily confined to where you can drive or get to on a Monday morning, when it might have been five years ago,” Curley explains. “Now you can have a more statewide practice, and you can be competitive in other regions of the state that you wouldn’t have otherwise been able to thoughtfully do.”

Curley doesn’t see remote proceedings ending any time soon, indicating that he was planning on continuing to invest in video and other related technologies. Indeed, the report echoed this point: More firms than ever before (73%) said that more than 10% of their initial client meetings were done remotely. More than two-thirds also said they preferred having marketing events, product trainings, and sales & renewal conversations with outside vendors in a virtual setting. And while the proportion of firms with more than 10% of attorneys working remotely dipped slightly from 2021, the survey still reported more than half of firms (60%) with that level of attorney remote work.

Taken together, the report paints a picture of small law firms that are conscious that changing business development and legal practice strategies is necessary for the evolving legal world and are solidifying their efforts to do so.

Not surprisingly, this technology adoption is not only taking place among younger, potentially more tech-savvy attorneys, but also among more seasoned attorneys who find themselves at the frontlines of technology now that the virtual legal world has proven to not be a fad, Curley says. “I think, to a degree, those who didn’t throw in the towel and are still practicing are going to find themselves more and more wedded to it by choice or otherwise.”

And particularly among attorneys who are a decade or more into their career and may be at the peak of their revenue-generation power, it’s even more crucial to keep up with the changes. “If you’re not up to speed on that technology, you’re losing your edge and you’re losing the ability to maximize the most productive years in your career,” Curley adds.

Is your cyber coverage ready? Cyber insurance uptake is rising, but coverage questions remain
https://www.thomsonreuters.com/en-us/posts/news-and-media/cyber-insurance-coverage/
Wed, 21 Dec 2022 13:36:03 +0000

Just because cyber-attacks are no longer all over the news doesn’t mean that they’ve gone away. In fact, the opposite could be true as cyber-attacks have now become an expected part of doing business. Indeed, cyber-attacks against tax & accounting firms have increased 80% between 2014 and 2020, according to the Association of International Certified Professional Accountants (AICPA), while the American Bar Association (ABA) reported in 2021 that 25% of US law firms had been breached at some time.

As those cyber risks have increased, so too has the growth of insurance coverage for cyber incidents. But while cyber insurance has begun to receive more uptake, increasingly stringent standards for coverage as well as confusion about the options available for cyber incidents could leave some companies in the lurch.

According to the 2022 Cyber Readiness Report from insurance provider Hiscox, almost two-thirds (64%) of companies now have cyber insurance as either a standalone insurance policy or as part of another policy. This represents a small rise from 58% two years ago. The highly regulated financial services sector has the highest rate of cyber insurance adoption at 74%, while the construction and travel/leisure industries have the lowest adoption at 53% each.

Crimes of opportunity

Judy Selby, a partner in the insurance practice at law firm Kennedys and a regular speaker on cyber issues, said that she’s beginning to see an improvement in companies’ general awareness that current hacking incidents are largely “crimes of opportunity,” rather than dependent on the industry in which a company operates.

“I think for years, there was a thought process that nobody would be interested in my data, my company’s data,” Selby said. “And if you remember the days of the big retail incidents, the data breaches, I remember companies saying to me personally, well, we don’t have credit cards, so nobody’s going to want our information.”

Now, however, she added, “I think the uptake is getting higher now than it used to be. And part of that was this realization that yes, it can happen to us, which is a really big deal. And also recognizing that the exposures come from so many different angles.”

Indeed, the Hiscox survey found a strong correlation between exposure to a breach and a desire for cyber insurance. Out of the firms that did not have cyber insurance or did not plan to get it, nearly 80% had not experienced a cyber-attack within the past year. Just over half (51%) of those were also considered “novices” in cyber readiness, according to the Hiscox scale.

Even among those companies that had cyber insurance, however, there remained some stratification between the types of coverages they held. Notably, companies were split roughly down the middle as to whether they held a standalone cyber policy or covered cyber as part of a larger policy. Among companies with 250 or more employees, 35% had a standalone cyber policy in place, and 40% had cyber coverage as part of another policy. At companies with under 250 employees, those figures were 28% and 29%, respectively.


Selby said she is a proponent of standalone coverage, if possible, for a few reasons. First is simply “because the coverage is so comprehensive, you have all this great first-party coverage for dealing with an incident.” Particularly with more sophisticated cyber-attacks, policies that include business interruption coverage, regulatory coverage, and liability coverage are coming into play.

Concerning the latter, Selby noted that many companies are “not technically or financially able to respond to an incident on their own.” When a network is encrypted and the company’s access to it is blocked, for example, even the simplest of questions become complicated: How do we communicate with each other? How do we hire vendors to come in and help us? And even if we wanted to pay a ransom, how would we do that?

“These are things you don’t want to have to learn on your own,” she explained. “And so, the first-party coverage can be a real lifeline to companies to efficiently and effectively manage this incident from [not only] a financial standpoint [and] an operational standpoint, but also from a reputational standpoint.”

Preparing for a cyber incident

Outside help on cyber incidents may be increasingly necessary because overall cyber readiness is falling, the Hiscox survey notes. Respondents’ self-assessment of overall cyber readiness fell by 2.6% overall during the past year, with the number of companies qualifying as “experts” falling from 20% to 4.5%. The survey attributed those decreases to awareness of new vulnerabilities such as the Apache Log4j logging library vulnerability, as well as a continued talent crunch for cybersecurity experts.

That’s why Selby said she tells clients to not only get to know the details of their insurance providers’ coverage options (and subsequent limits on policies), but also what she calls providers’ “cyber squad” team. A typical cyber insurance provider will have a mix of panel firms, forensic analysts, notification vendors, and more that can be a godsend in a pinch, often provided at discounted rates.

This extra value can be important when making a business case for cyber insurance as well, she added, as the insurance has become more expensive and the scrutiny for coverage has gotten more intense. Some security measures, such as multi-factor authentication, are now table-stakes for coverage, which could scare off some businesses. However, Selby drew an analogy to property insurance: Every provider is going to ask not only about fire incidents that happened in the past, but sprinkler systems and fire exits that could help prevent them in the future.

“It always surprises me when people… complain about having to provide the information,” Selby said. “It’s like, if you don’t understand your own risk, why would you expect another company to say, okay, we’ll insure that for you, we’ll take that risk on your behalf when you don’t know what it is? And then when you say that, they go, oh yeah, that makes sense.”

Ultimately, cyber issues aren’t going away, particularly as the Hiscox survey found the median cost of a cyber-attack nearly doubled in both the United States and the United Kingdom last year. That means cyber insurance will also continue to represent a piece of companies’ risk mitigation profile by necessity.

“The issues that people have with applying for the coverage, that shouldn’t stand in the way,” Selby said. “I think people should proceed and get the coverage, and when you get it, keep it, even if the price has gone up.”

NextGen Justice Tech: What regulatory reform could mean for justice tech
https://www.thomsonreuters.com/en-us/posts/legal/next-gen-justice-tech-regulatory-reform/
Tue, 13 Dec 2022 19:08:50 +0000

For decades, industry regulations about who can provide legal assistance, under what circumstances, and in what format have limited access to justice for those most in need. Now, a new wave of reforms promises to change the way legal services are provided and could significantly impact how justice tech organizations scale their work.

In a May decision from the US District Court for the Southern District of New York, Upsolve, Inc. et al v. James, Upsolve, a nonprofit that helps individuals file for bankruptcy for free, challenged the state’s application of the unauthorized practice of law to other trained professionals. To help low-income individuals facing debt collection navigate and respond to their suits more readily, Upsolve launched the American Justice Movement program in January, which trains professionals to offer complimentary legal advice about whether and how to respond to debt collection lawsuits. Specifically, the volunteers sought to help New Yorkers fill out checkboxes on a one-page answer form provided by the State of New York to avoid automatic default.

In the Upsolve case, the New York Attorney General argued that such guidance was the unauthorized practice of law, but ultimately, the judge ruled that those rules did not apply to the program because the legal advice was protected as speech under the First Amendment. The court also stated that the advice mitigated the risk of harm to the consumer while addressing a significant legal problem area, which further weighed in favor of the decision.


In our new column, NextGen Justice Tech, by Kristen Sonday, we will take a look at the people, trends, and technology shaping the future of access to justice.


The ruling is monumental because it allows legal professionals to provide guidance on completing legal forms that might be applied to other areas of law, including through online tools that can reach exponentially more individuals.

“By ruling in favor of Upsolve, the Southern District of New York… established a new First Amendment right in America: the right for low-income families to receive free, vetted, and accountable legal advice from professionals who aren’t lawyers,” said Rohan Pavuluri, Upsolve’s Co-Founder and CEO.

If further applied to online forms and filing apps, then tech companies, court employees, and other volunteers would be able to assist people with basic questions about whether and how to respond to government requests, vastly expanding the number of people who can help. For individuals who are too afraid or uncertain of navigating such services on their own, this support would provide peace of mind and tangible next steps to assist significantly more low-income folks in managing the legal process.

The “sandbox” model

The implementation of state-run legal tech sandboxes is another opportunity to spur justice-related innovation. Utah was the first state to launch such a sandbox in August 2020, in which lawyers and legal professionals can develop and promote new legal solutions under the supervision of the state’s Supreme Court. One year in, the Utah Supreme Court had approved 30 companies, including those that created initiatives to provide individuals help completing court forms and receiving legal advice via chatbot.

The sandbox concept helps mitigate risk for justice tech founders since they’re building and testing ideas alongside a legal authority. In addition, through this model, “justice technology companies can partner with authorized legal services providers to offer consumers actual legal advice. Attorneys are the most obvious partners, but authorized document preparers, among others, are an often-overlooked partner,” says Natalie Knowlton, Founder of Access to Justice Ventures.

Finally, the Association of Professional Responsibility Lawyers (APRL) has made a powerful recommendation to update the American Bar Association’s (ABA’s) Ethics Rule 5.5 and permit lawyers who are admitted in any jurisdiction to be able to practice across others. “Our proposal advocates that a lawyer admitted in any United States jurisdiction should be able to practice law and represent willing clients without regard to the geographic location of the lawyer or the client, without regard to the forum where the services are to be provided, and without regard to which jurisdiction’s rules apply at a given moment in time,” the APRL wrote in its letter to the ABA president.

This change would be significant for justice technology companies and non-profits in that their lawyers would be able to serve individuals across jurisdictions, regardless of lawyer or client location. Justice tech companies would save time and money by being able to serve more individuals virtually, and with a leaner staff, could free up capital for other initiatives. For tech companies that currently have to hire staff who are licensed in each state in which they want to provide lower cost legal services, this reform would be game-changing.

“As a startup, an update to Rule 5.5 would allow us to move much faster in expanding our services to those in need,” says Erin Levine, the Founder and CEO of HelloDivorce. “We would be able to hire and train fewer, high-quality lawyers that provide consistency in our services across jurisdictions, as well as quickly build out subject matter expertise that can increase the number of clients served.”

Further, under this scenario, legal services organizations would be able to refer pro bono clients to attorneys across the country, making those referrals more efficient and potentially better aligned. The rule also would greatly enhance access for folks in rural areas, as they often are limited to those lawyers in nearby metro areas who might work on their matters.

By being able to access legal assistance from anywhere in the United States — in person or online, through lawyers or other approved professionals — the magnitude by which the legal profession could greatly help those in need through better legal reforms is significant for the justice tech community and underserved citizens across the country.

Forum: Legal’s Web 3.0 strategy switch & the practical approach to new tech
https://www.thomsonreuters.com/en-us/posts/legal/forum-fall2022-legal-web-tech-strategy/
Fri, 18 Nov 2022 14:56:28 +0000

At the opening keynote of the International Legal Technology Association (ILTA) 2022 conference, futurist Patrick Schwerdtfeger had a warning for the attendees: “When things change, there are winners and there are losers. We need to make sure we’re some of the winners.”

From there, Schwerdtfeger spoke on technologies of the future, from blockchain to Web 3.0, from solar batteries to the metaverse. Just about every industry is changing in some radical way, he explained, and legal is no exception.

However, there was one crucial detail that he may have forgotten: Schwerdtfeger was speaking to a room filled with veterans of the legal industry. The legal industry is built on precedent mixed with a healthy dose of risk aversion, after all, and the industry has received a well-earned reputation over the years of never even trying to explore use cases for next-generation technologies. So, of course, it’s reasonable to believe that the legal industry would be dragged kicking and screaming into the third generation of web technologies like the metaverse and blockchain, rather than trying to capitalize on those opportunities.


Along the way, however, a funny thing has happened in recent years: Law firms and corporate law departments alike have gotten more intelligent about both being a part of the conversation surrounding these technologies’ development, and exploring novel ways to separate themselves from their peers. In doing so, many within the legal industry have started to take a proactive stance on innovations like blockchain and metaverse, with not only technologists but leading attorneys themselves jumping on board. Here’s what the ILTA conference revealed about how today’s legal industry is taking a practical approach to next-gen technology.

Blockchain by blockchain

Blockchain has received a lot of attention for being the underlying technology behind digital assets such as cryptocurrency and non-fungible tokens (NFTs). Some innovators in legal have envisioned blockchain as a way to explore more business-oriented applications of distributed ledger technology.

Law firm Hogan Lovells, for instance, sees blockchain technology as an opportunity to reform its real estate processes. The firm has developed DriveChain, a collaboration between the firm, banking company BNP Paribas and blockchain technology provider Integra Ledger, to automate parts of the real estate process. DriveChain looks to eliminate manual data entry or multiple layers of approvals by automatically coding deal details such as parties, sale price or amount for rent, and more into the document, which generates a unique deal ID. The data is then given a unique code called a hash, through which all parties are notified if any details of the deal are changed, with an automatically generated ledger of all changes and approvals for the document living on the blockchain.

“What we are doing with blockchain is validat[ing] that the document they received, that the metadata within the document, is still validated,” said Bob Shaeffer, senior manager of architecture and integrations at Hogan Lovells, during a panel on the use of blockchain in professional services firms.

Shaeffer was quick to add that DriveChain is not a piece of blockchain technology itself, but rather the name for the new real estate-centric workflow. Blockchain technology simply functions as a piece of the overall puzzle, and only the hash and the unique ID for the data actually sit within the blockchain architecture. This way, the firm still holds crucial deal details inside its own walls for the protection of clients, but still utilizes the new technology to cut time out of the process for approvals.

“The primary focus on DriveChain is not the blockchain, but the blockchain is an integral part of what we’re doing,” Shaeffer explained.

It’s this type of practical application that more and more firms are exploring on the blockchain, added Joseph Raczynski, a technologist and futurist with Thomson Reuters and author of the website JoeTechnologist.com. At a separate ILTACON session, Raczynski explored a number of business use cases for blockchain technology, from “smart” contracts that are automatically executed once specifically coded parameters are hit, to decentralized finance (DeFi) marketplaces that are increasingly becoming a hub for business transactions. He even pointed to one firm, Rose Law Group, that executed a legal wedding online, with both a prenuptial agreement and a marriage license coded as a legally binding NFT.

“They moved down the road of taking documents that are unique and making them an NFT, which is what we’re going to see in the not too distant future,” Raczynski explained.

Into the Metaverse

However, it’s not just business applications that have those in the legal industry excited about future technologies. Some see tech innovations, such as the metaverse and blockchain, as the platforms around which daily life will soon be centered – and thus, around which legal practices will also be centered.

Alejandro Vallellanes, knowledge services manager at law firm Baker McKenzie, has seen a lot of confusion about what the metaverse actually is, leading some to discount it entirely. Vallellanes, who spoke on a panel about the use of the metaverse in legal, said not to think of the metaverse as a place, but instead as a concept, a moment in time where things are beginning to change. “It’s a tipping point where our digital self is more valuable than our physical life,” he explained.


That tipping point may already be approaching. Indeed, between explosive cryptocurrency holdings, the value of social media advertising and an increasing emphasis on digital holdings like NFTs or virtual real estate, that point already may be here. “For some people, that asset class is more valuable than their physical assets,” Vallellanes added. “When that happens across the board, we can already consider ourselves living in some sort of metaverse.”

For legal and professional services organizations, then, the metaverse is quickly becoming not the realm of first movers, but simply where clients hold their own valuable assets. Cat Casey, chief growth officer at legal technology company Reveal, who spoke on the same metaverse panel, likens the current shift to the advent of the Internet and email – a curiosity at first, but one that quickly transformed into a daily necessity. “After a while, it became so ubiquitous that you couldn’t opt out,” she said.

Naturally, there is skepticism about whether the metaverse could truly become that pervasive. Are people really going to be holding all of their assets online? Yet, almost half (48%) of consumer respondents said they would be very interested or somewhat interested in shopping within the metaverse within the next five years, according to a McKinsey & Co. survey from February. More than 40% of respondents said they would be interested in using the metaverse to attend a telehealth appointment, attend a live learning course or even meet with friends and family, the survey showed.

Plus, where people are, money follows. Jerry Bui, a managing director at FTI Consulting who spoke on the metaverse panel as well, notes that Goldman Sachs has estimated the metaverse’s ultimate market size to be somewhere between a $2 trillion and $12 trillion opportunity. Even now, Bui added, virtual gaming has become a $200 billion business, dwarfing many other forms of media. “If you don’t think there’s momentum towards that end, just look at the money that’s flowing into this space,” Bui explained.

With any big business opportunity, legal problems will follow, and the panelists noted many attorneys are now beginning to sort through the natural issues – who owns digital assets; what rights do human representations have in a digital world; does attorney-client privilege carry over; who owns digital likenesses; how to preserve, collect and analyze metaverse data; and more.

However, for attorneys and their organizations, these open questions present a golden opportunity to drive the technology’s development with an eye toward risk management and proper legal reasoning, Bui said.

Finding ‘fairness’ in AI: How to combat bias in the data collection process
https://www.thomsonreuters.com/en-us/posts/legal/combating-ai-bias/
Mon, 14 Nov 2022 14:42:45 +0000

No artificial intelligence (AI) or machine learning algorithm is developed in a vacuum. Just like any piece of technology, or any corporate process for that matter, AI is typically developed with a specific goal in mind.

At times, however, this blind focus on achieving that singular objective could actually lead to a mismanaged AI process that doesn’t take potential biases into account, researchers say, adding that these biases could have been baked in the AI all the way back at the data collection stage. As a result, the idea of instituting fairness metrics into AI development is starting to gain popularity in the tech community — not only for ethical and social reasons, but to ensure a more complete end product emerges from the AI processes.

The idea of fairness within AI comes from the idea that not all data is created equal, whether it’s measuring human populations or words in a legal document. If an AI algorithm is measuring the potential risk within a procurement contract, for example, the context matters, whether that contract is procuring coffee mugs or nuclear material. If it’s measuring whether a public economic policy is being applied equally across different races, it matters whether the population data is New York City or the rural Midwest. Fairness in AI means planning for these differences in data to make the end result representative of the goal that developers are actually trying to have the AI process tackle.

Sometimes, however, modern cost and time considerations can get in the way of fairness, says Cao (Danica) Xiao, vice president of machine learning and natural language processing (NLP) at software company Relativity. Xiao came into the legal industry recently, but she previously spent time as an AI research leader in the healthcare and technology fields. When discussing what fairness means when it comes to legal AI development, Xiao draws a parallel to a healthcare development with which many are now familiar: the COVID-19 vaccine.

A December 2020 study from MIT revealed that despite the COVID-19 vaccine efficacy figures touted by providers Pfizer and Moderna, the true efficacy of the vaccines varied highly by race. The study measured the number of people whose cellular immune system was not predicted to robustly respond to the vaccine; and those figures varied wildly by race, from less than 0.5% of white clinical trial participants without a robust response up to nearly 10% of Asian participants.

The issue, Xiao says, is one of initial sampling. White populations tend to be overrepresented in vaccine and drug clinical trials due to a number of factors, including education and income level, proximity to news promoting the availability of trials, and sheer population size in the US. But many clinical trials, particularly for a vaccine as time-sensitive as COVID-19, tend to have one constraint that rules over all: the time it takes to recruit trial participants.

“So if we only want to minimize time, then the majority of cases, the majority of patients and people we recruit to the trial, they represent the majority group of the population,” Xiao explains. “That’s a fact that we cannot avoid.” As a result, the trial’s results will be skewed towards that overrepresented group.

Awareness of those differences can go a long way, however, whether in developing healthcare trials or creating representative data samples to run against an AI algorithm. That’s why, while Xiao concedes that she’s heard the legal industry is largely behind the healthcare industry in its adoption of AI technologies, she’s more interested in changing how legal organizations approach artificial intelligence before ever running a single algorithm.

Tools to lessen AI bias

Drawing from AI development in other industries, there are a number of fairness metrics that those data scientists exploring legal AI can take into account up front. A simple one is identifying subgroups early on to make sure there are representative populations of each type, be it demographic-centric subgroups such as race or gender, or contextual subgroups such as various types of matters across a firm.

A slightly more complex metric that Xiao points to is known as privacy-preserving federated learning — the idea that researchers should consider data sets from multiple locations, lessening the bias that occurs in each individual data set by combining them in a federated manner. “We train a local model from each location, but we don’t use the local model to represent the total behavior,” Xiao says. “We train a global model on top of the local model, and we will adjust the parameter of the model to make sure the final global model will consider each different heterogeneous pattern, and the web will be equally good for different populations.”




Using data science techniques, there are also ways to amplify rare outcomes, which are crucial to find in healthcare and law alike. Or put a different way, if the purpose of a particular AI algorithm is to find a needle in a haystack, it’s important for the needle to stick out rather than be dismissed as noise. These rarities can also identify anomalies that are important to investigate further. The goal of rarities detection is “to amplify the pattern in those rare samples to amplify their voice, to boost their patterns, to make sure our final model will be able to capture those patterns and will learn the patterns in those data,” Xiao notes.

For legal organizations dipping their toes into AI for the first time, perhaps the most straightforward way to lessen bias in AI models is to make sure data sets are up to date. For example, if you are looking at a natural language processing test that links women to their profession and the training data comes from 20 or 30 years ago, professional titles for women may look very different from what they are today.

This is not only a question of fairness, Xiao says, but one of correct outputs. “If we only test the model against the old data, we might see lower accuracy,” she adds. “We need to consider those new trends and consider those new advancements and all those inclusion metrics in the model, and the model will be more and more accurate moving forward on the future data.”

As AI models become relied upon for more and more legal and professional work, particularly as technology’s capabilities for analyzing data and making predictions continue to grow, it’s crucial for the legal industry to adopt fairness methodology now and develop fairness metrics into AI development early.

“When we make a prediction, we need to consider this advanced context information to make sure the prediction is more accurate, but it will be a long process,” Xiao says. “We need to continue improving the solution.”

The Shearman Analytics model: 6 steps before beginning your law firm tech implementation
https://www.thomsonreuters.com/en-us/posts/legal/shearman-legal-tech-implementation/
Wed, 02 Nov 2022 13:07:25 +0000

In this quarter’s International Legal Technology Association (ILTA) Peer-to-Peer magazine, the Thomson Reuters Institute sat down with law firm Shearman & Sterling to explore the firm’s technology implementation and decision-making process. There, firm tech leaders mapped out a journey that Shearman has dubbed Shearman Analytics.

The end goal of Shearman Analytics, says Glenn LaForce, the firm’s Global Director of Knowledge and Research, “is really modernizing firm systems.” After he and his fellow tech leaders joined the firm in early 2019, they enacted a plan to remove and replace legacy tech systems within a three-to-five-year window, re-architect them with a data link at the center, then be able to filter that data in and out across the organization “to provide greater transparency, decreased cost, decreased risk, [and] increased profit.”

Even if the concept may sound simple, the execution is anything but. The Shearman team is still executing the Shearman Analytics modernization program, only recently undertaking some larger-scale implementations after focusing on the firm’s underlying tech infrastructure and data governance. Indeed, Chief Knowledge and Client Value Officer Meredith Williams-Range jokes that over the last several years, the firm was not “bringing the sexy back — now we’re getting to the sexy.”

On the way, Shearman learned some lessons about implementation that other firms can model. Here are the six steps of the Shearman Analytics model that the team undertakes at the beginning of every tech implementation project.

1. Governance — Law is a heavily regulated industry, after all. Before actually implementing a piece of technology, Shearman says it’s crucial to determine what regulations will cover its use. “Do we need any new policies in place? How are we going to regulate this data? How are we understanding the governance aspects of that?” Williams-Range says. “Because if you put technology in place with zero governance, it is a crapshoot at that point.”

2. Change management — Before actually starting the technical work on implementing technology, Shearman begins its communication strategy around why it is making the change early. Williams-Range dubs this an “engagement plan,” which solicits more active feedback than a training or communications plan. “If it’s going to take them out of their norm day-to-day, we have to have an engagement plan to do that,” she says.

Lawrence Baxter, Shearman’s chief technology officer, agrees, adding that leadership backing is crucial to effect change. “We don’t do stuff without sponsorship,” Baxter explains. “You’re going to fail, and you work harder than you thought.”

3. Rip & replace — With the baseline governance and change management underway, now comes the beginning of the technology portion, specifically how to remove a legacy technology system and replace it with something new. By necessity, this comes with a technology analysis of not only how the new system will work, but also how it will interoperate with the firm’s pre-existing technology stack. “It’s an octopus with 42 arms that are the other systems. So you have to look at it holistically, otherwise you’re going to lose a leg,” Baxter notes.

4. Process analysis — Simultaneously with the technology change, Shearman analyzes whether the new technology will change firm processes and how the firm’s employees actually extract value from the tool. Or as Baxter puts it, “If you throw technology at a bad process, you just end up with a really fast bad process, right?” The firm will map out what type of processes interact with the piece of technology; and if any can be re-architected to provide more efficiency and less risk, the firm will map out a plan to begin that change. “Wherever possible, it is easier to change your processes to fit the technology as opposed to changing the technology to fit your processes,” he adds.

5. Data analysis — This type of data analysis is less tracking the metrics of the tool’s use or its ROI, and more the actual data that the technology uses. Determining what data is actually being utilized can provide an opportunity to dispose of data that could provide another risk vector for the firm. Williams-Range notes that with Shearman’s recent financial system implementation, “we are literally going point-by-point of data. Why is it here? ‘Well, because it’s always been.’ That is not the answer. The answer is, should it be here? Is this the right placement for this? Is this the golden source for that data architecture, and should it go somewhere else?”

6. Architecture — Finally, the technology team determines the method of implementation and what is driving the technology on the back-end. Increasingly, the answer is the cloud. In recent years, the firm has implemented a new global background based on SD-WAN [Software-Defined Wide Area Network]; Office 365 across the organization; and an Azure-based active directory single sign-on.

Jeff Saper, Shearman’s Global Director of Enterprise Architecture and Delivery Services, says the firm’s tech leadership intends for the cloud to continue to be the architecture answer moving forward. “We had the very similar mindset of saying, it gives us greater agility,” Saper says. “We become less reliant on capital expenditures and more reliant on agile services.”

Emerging Legal Technology Forum: Building stronger client relationships requires balance
https://www.thomsonreuters.com/en-us/posts/legal/emerging-legal-technology-forum-building-stronger-client-relationships/
Thu, 27 Oct 2022 13:59:24 +0000

TORONTO — Since the start of the COVID-19 pandemic, a shift has occurred in how clients and their law firms interact. What was once a regular set of in-person meetings suddenly shifted to a calendar filled with Zoom calls, and although some in-person meetings have resumed, the mix between the in-person and virtual has been irrevocably altered.

At the same time, a parade of collaboration technologies such as Microsoft Teams and Slack began to take even more prominence, creating new touchpoints for law firms to track and measure.

The result has seen an explosion of customer relationship data to help firms make decisions and better establish connections with their clients. In order to best take advantage of this new paradigm, however, it’s still important to utilize both this new data as well as a more traditional, personal touch, said panelists at the Thomson Reuters Institute’s recent 5th annual Emerging Legal Technology Forum. The key, of course, is finding the right balance.

The data in hand

Joy Cruz, Director of Business Intelligence & Data Analytics at management consulting company RSM US, said during the Forum’s panel, Ascendant Engineering: Emergent Techniques in Data Analytics and Strategic Account Management, that some of the common metrics that law firms should be using to measure their client relationships haven’t changed: profitability, productivity, client satisfaction, realization rates, and related data “bringing that whole story together in terms of understanding what you have, what you’re doing, how you operate historically, [and] what you can do.”

But what’s different since the pandemic is that data sources have exploded, meaning that even knowing where all of the necessary data resides is an even harder challenge than ever before. For a law firm trying to gather a response for an RFP, 85% of the time may be spent hunting for the relevant answers, Cruz estimated. And while many law firms are talking about executing a data plan, many firms can’t even take the first step of having insight into their data.


“The goal is to flip that so it becomes easily accessible to you,” Cruz explained. “One of the things we’re missing is that we’re not able to do the analysis piece yet, because it’s not available to you.” Indeed, without the data gathering step, “you’re making decisions based off of data that’s provided to you, but that might not be the full story,” she added.

Panelist Olalekan (Wole) Akinremi, a partner at law firm Deeth Williams Wall, noted that from his days on the corporate side, clients have already begun to take that step in evaluating their outside firms — particularly when it comes to tracking costs. He said that tech-enabled analysis can better look into outside counsel time and billing, contracts, and automation to free up time for more complex matters that are becoming more commonplace. Law firms also can take cues from their clients about how to use data to augment their arguments, Akinremi noted.

For example, “you can also go to management and say, we have two paralegals handling 1,000 requests, we need more support,” he said. “The proof is in the results.”

With the rise in data-driven decision-making, however, can come a tantalizing misstep: Over-reliance on data at the expense of other tools in the relationship-building toolbox. Panelist Philipp Thurner, CEO of relationship management software company Nexl, said that while raw data figures certainly help, “that might not tell you the quality of the relationship.

“Data can tell a story,” Thurner added. “But you can have one data set and can tell a million different stories from it.”

Thurner gave the example of counting email interactions: a hundred emails back and forth between a firm and their client could be construed as a strong relationship, particularly if those emails are increasing over time. But if those emails are surface-level interactions or about administrative tasks, the raw number may not reveal a relationship on rocky ground. “How do you judge a relationship?” he asked. “I think it’s up to us as human beings.”

Where data & relationships collide

In a later panel, titled Journey’s End: Maximizing Value in Client Experience, the discussion elaborated on that general premise. Suzanne Donnels, Chief Business Development & Marketing Officer at law firm Davies Ward Phillips & Vineberg, said she has noticed a difference between corporate clients who are actively involved in the firm/client relationship, and those purely focusing on data. “It’s harder for Davies to compete when you’re dealing with procurement departments, [because] they’re just looking at a number next to a name,” she explained, adding that a closer relationship means differentiation with “understanding their clients and the business that they’re in, and really figuring out solutions.”


Panelist Janet Sullivan, eDiscovery Counsel and Global Director of Practice Technology at White & Case, agreed with Donnels, noting that success metrics will inherently be different for different clients. Her firm’s strategy is called LIFT — Local Information, Firmwide Transformation — which establishes a standardized firm goal of how to drive success, but with the flexibility for bespoke solutions for each client.

To actually measure whether a firm relationship is successful, Sullivan said that repeat business is of course important, but that is just the baseline metric. What can set a firm apart, she said, is consistently gauging and collecting those success metrics throughout the life of a matter. “Not waiting until the end to say, ‘How did I do?’, then having to do a post-mortem and go back to all the things we might have done wrong.”

Sullivan admitted that it can be a fine line between asking for this data while not placing an undue burden on the client; however, there’s more than one way to tackle the issue depending on the type of data that’s needed.

However, panelist Fernando Garcia, who has served as General Counsel for a number of smaller legal departments, noted that law firms should approach this process with caution because of the time and personnel resources needed, as well as another hidden danger in soliciting client feedback.

Firms then need to respond to what they’ve learned, Garcia explained. “Be careful when you ask,” he said. “Because you’re going to get answers, and you have to act on those answers when you get them.”



Practice Innovations: 3 ways to boost your law firm’s cyber-resilience
https://www.thomsonreuters.com/en-us/posts/legal/practice-innovations-boosting-cyber-resilience/
Tue, 25 Oct 2022 13:26:58 +0000

Several influential reports — as well as numerous news stories — have shed new light on some of the challenges that law firms face when dealing with cybersecurity threats. With cybersecurity breaches increasing and many firms still operating under a more dispersed workforce with increased technology risks, it is more critical than ever before to build a fully resilient cyber-defense business strategy.

Underprepared for significant business threats

Cyber-incidents are topping the lists of the KPMG 2022 CEO Outlook report and the Allianz Risk Barometer 2022. KPMG’s report highlights the rapid evolution of the cyber environment and details how CEOs recognize that they are underprepared, with 24% admitting so in 2022 compared to only 13% saying the same thing in 2021. In 2022 thus far, ransomware attacks occurred worldwide every 11 seconds (a 20% increase from 2019). Some of these attacks are high-profile breaches.

The Allianz report places “cyber incidents” as the most significant business risk in 2022, outranking more conventional business threats such as business interruption, climate change, and workforce issues. Allianz notes that its respondents say that cyber is not as well understood as some traditional threats; consequently, mitigations are less well-developed.

Right now, there are three steps law firms can take to bolster their existing cyber-risk profiles, including:

1. Enhancing hybrid workforce security

Since the global COVID-19 pandemic in 2020, many firms are still operating under a remote or hybrid workforce situation. The distributed nature of today’s workforces increases a firm’s cybersecurity vulnerability because workers either use their personal computers for work or use their work laptops for some personal tasks. Additionally, third-party apps designed to foster collaboration and increase productivity are increasingly problematic. They could open the door to a cyber-attack because many have limited security tools, their default security options are not optimal, and it can be challenging for IT teams to access an app’s cybersecurity settings.

Do your employees have the right skills to protect against cyber-attacks? One way to educate employees is to conduct cyber-crisis exercises. Best practices suggest this must happen more than once a year. A report in Dark Reading, a widely read cybersecurity news site, provides a benchmark for employee cyber-resiliency: “An analysis of more than 6,400 crisis response decisions shows that technology and financial services companies prepare the most for cyberattacks, running nine and seven exercises per year, respectively.”

2. Strengthening the partner ecosystem

Three-quarters of the CEOs in KPMG’s report say they recognize that protecting their partner ecosystem — the network of suppliers, providers, contractors, and business partners — and supply chain is as important as shoring up their own organization’s cyber-defenses. As companies and their partners increase their mutual connectivity in the name of efficiencies and cost savings, these initiatives also expose vulnerabilities and gaps in systems and processes that cybercriminals can exploit.

What can you do to beef up your partners’ risk profiles? Experts recommend an approach that focuses on three Cs:

        • Tightening contracts and compliance to introduce additional controls and restricted access for third parties;
        • Exploring avenues for collaboration and community to share intelligence and increase knowledge; and
        • Increasing cooperation; because this issue is both global and systemic, it is challenging for a single function (IT) or entity (your firm) to do this alone. Exploring intra-industry, cross-sector, and public-private paths is essential to mitigating future cyber-risks.

3. Staying on top of technology innovations

The nature of cyber-attacks is that they are constantly evolving. While malware, ransomware, phishing, and social engineering attacks are common, newer technologies pose new risks. Security software company Symantec reports that, on average, mobile app stores block 24,000 malicious mobile apps daily, while others have noted cybercrime is becoming more scalable and, therefore, more accessible for bad actors to launch more sophisticated attacks.

Indeed, the increased frequency of attacks is happening as experts are starting to realize the limitations of traditional risk-prevention methods such as standard password authentication, static networking, and trust-based security systems. But technology advancements also provide a way to mitigate this risk. These include the ability to learn and modify behavior based on insights from artificial intelligence, machine learning, and adaptive network technologies.

Given that October is National Cybersecurity Awareness month in the United States, this might be an excellent time to move beyond awareness and into taking action to better protect your firm and increase its cyber-resiliency.

LegalSEC and ConnectLive events offer a return to “live” legal tech themes
https://www.thomsonreuters.com/en-us/posts/legal/legal-tech-live-events/
Tue, 25 Oct 2022 12:55:00 +0000

After an extended period of pandemic and even post-pandemic lull, legal technology conferences are back again in full force, and the recent LegalSEC Summit, hosted by the International Legal Technology Association (ILTA), and iManage’s ConnectLive were just the latest showcases to offer deep dives into their select topics while revealing what is foremost on the minds of legal technologists.

Indeed, the two events in which I participated each offered a key primary theme — deep security educational content offered to those in the legal technology realm for LegalSEC; and product awareness for current and prospective iManage customers at ConnectLive — as well as the usual parties and ubiquitous panels for all attendees.

However, over and above the expected content, these events featured a unique set of activities designed to motivate professionals to get out of their basements and living rooms and back in an environment that can better foster collaborative learning and skills expansion, such as workshops, focus groups, TED talks, networking sessions, and more. In short, it seemed, at least to the organizers and many attendees, that it was time to get back to serious work.

Here are some highlights of some of the innovative tactics used to enhance the learning experience and engagement level at each conference.

LegalSEC Summit

SAN ANTONIO — Workshops were a key element of the LegalSEC Summit, with one full day of the conference dedicated almost solely to workshop content.

For example, one morning session, Using Your Work Behavior DISC profile to be More Influential and a Better Team Member, asked participants to complete a behavioral self-assessment tool prior to the conference, with discussion of the results occurring at the workshop. The goal was to establish a performance development framework to help attendees understand their leadership styles and improve their workplace teamwork.

To summarize briefly, the DISC process was as follows: Prior to the conference, attendees self-identified, via the response to scores of questions, a ranking score in four areas: Dominance, Influence, Steadiness, and Compliance. This helped participants understand their “work styles” via comparisons like these below:

      • Assertive vs. Reflective
      • Optimistic vs. Realistic
      • Predictable vs. Driving
      • Compliant vs. Pioneering

During the workshop, discussions and exercises provided guidance to help participants understand both their greatest strengths and developmental opportunities — crucial topics that are unfortunately rarely addressed in the day-to-day work lives of deep technical professionals.

In the afternoon, focus shifted back to core security content through a group play of Backdoors & Breaches, an incident response card game, from Black Hills Information Security and Active Countermeasures. The main goal of the game is to help security professionals conduct incident response tabletop exercises and learn attack tactics, tools, and methods in an interactive manner. Essentially, attacks within the game are triggered by an Incident Master, play proceeds through a combination of dice rolls and procedure cards, and Inject cards can be used to add chaos into the game and facilitate further conversation. Ultimately, determinations are made about the actions taken by a Defender. Throughout the process, the game serves as a teaching tool about the different tactics and defensive actions one takes within the cybersecurity function.

The event’s keynote speaker, Kenya Parrish-Dixon, the General Counsel and the Chief Operating Officer for Empire Technologies Risk Management Group and an expert in information governance, cybersecurity, and e-Discovery, addressed stepping into a leadership position when an organization is in chaos. In her speech, From Chaos, Opportunity, Parrish-Dixon reminded attendees about the value of continuous learning and how a combination of divergent assessments can help identify issues and reduce chaos. “The opportunities that presented themselves to me often came when organizations didn’t have the internal expertise to resolve problems,” she said. “Stepping into that chaos has led me to greater heights in my career and will lead you to better opportunities as well. Don’t shy away from problems — be the leader that the moment needs.”

All in all, the LegalSEC Summit’s focus on soft skill development and security issues in a game theory approach within the context of multilateral workshops gave the event a unique flavor, and I believe enriched the overall experience for attendees.

ConnectLive

CHICAGO — ConnectLive 2022 is iManage’s networking and information update event for its customers, partners, product experts, and users. As such, it exists most as an opportunity to convey the product roadmap, hold discussions on company strategy, and, importantly, facilitate the collection of feedback from clients on product issues or requests.

Yet, it was within the realm of client feedback that ConnectLive used many tactics to solicit information in new ways that proved most interesting and offered useful strategy suggestions to attendees. Focus groups and opportunities to pose questions to panelists in small groups or one-on-one formats were used with the idea that by creating a variety of input types, the quality of the feedback received would be enhanced.

Sharing data with participants was also done in different ways. In addition to the traditional panels and roundtables, other formats such as TED-style talks were leveraged to pass knowledge along in formats more consistent with how we all receive information today, specifically in shorter bursts of concise, denser messages.

On a personal level, I enjoyed the sessions outlining the iManage development roadmap, and was able to participate as a panelist speaking to building a business case for moving to the cloud. Some of the compelling reasons for such migrations include a desire to outsource certain elements of technical support to experts, improved security, and a move to a fixed monthly expense.

Summing up

It was illuminating to see how both ILTA and iManage executed their vision of delivering content, albeit in different ways, to enhance the conference experience and make the most of the less frequent face-to-face time many legal professionals have together. Organizers went to great lengths to expand the manner in which conference participants received content and interacted with the various presenters, making each event a more interactive and useful session than the more traditional conference experience.

It would be heartening to see this model followed going forward as more in-person events make their way back to the forefront.

Practice Innovations: Zero trust — Never trust, always verify
https://www.thomsonreuters.com/en-us/posts/legal/practice-innovations-migrating-zero-trust/
Fri, 21 Oct 2022 13:34:59 +0000

How can you best secure your computer systems in today’s world? “Trust no one or anything — and always verify.” This is the basic idea behind zero trust, a new way to look at computer security. Zero trust works on the assumption that your networks are already breached, your computers are already compromised, and all users are potential risks.

Traditional systems security for years has followed the Trust but verify method in which once users are logged into a system then they are automatically trusted. The emphasis there is on protecting internal systems and information from outside attackers by using firewalls and passwords.

Unfortunately, as technology and attackers have grown more sophisticated, the Trust but verify method has become harder to maintain and less effective. Organizations have had to change their approaches to systems security in order to accommodate traveling users, users that work from home, users that bring in their own devices, as well as cloud-based software, other repositories, and more. The traditional boundaries of a network perimeter are drastically changing.




With the growth of cloud computing, organizations are very globally connected; and their digital information is stored and used in private and public clouds of data and applications. Conventional boundaries for an organization’s network have expanded and become ever more obscure, opening the potential for cybersecurity problems. Zero trust offers a new way of viewing our computers and information that may make securing them easier.

With zero trust, implicit trust is eliminated, and continuous verification is required. By always assuming that a security breach has likely already occurred, a zero trust system will constantly limit access to only what is needed while continuously looking for malicious activity. Zero trust can reduce an organization’s risk from data breaches, ransomware, and insider threats. While zero trust is clearly more restrictive, it can simplify an organization’s cybersecurity defensive posture and provide a more easily secured system environment to better protect the organization’s data and assets.

In a security breach, trust is a vulnerability that is exploited. By eliminating trust as an issue, an organization’s systems become more secure and data breaches are prevented. However, this lack of trust doesn’t mean you don’t trust your users; instead, it is akin to requiring users to use a key card every time they access a building.

Zero trust recognizes the reality that today’s computer systems are hostile places. Yet, zero trust is not a product or an application. It is a set of principles that help you define a cybersecurity strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.

The first step with zero trust, as with any new method or technology, is to understand how it addresses your organization’s unique business problems. What outcomes do you expect? How does zero trust address your needs? Without understanding your business needs and problems first, any new method or technology will ultimately fail.

Building zero trust

Migrating to a zero trust model can be done gradually, which is a benefit for smaller organizations that cannot afford a large initial investment. According to the US National Institute of Standards and Technology (NIST), many organizations may continue operating their newer zero trust systems in tandem with their older perimeter-based systems for years. To plan and architect your zero trust network, the following initial steps are suggested:

      • Start by building leadership trust — You need to seek understanding, support, and input from your firm’s leadership. Management support is critical to a successful transition to zero trust.
      • Define your most vulnerable attack surfaces — Start by identifying your biggest risk areas both now and in the foreseeable future, and work to apply initial zero trust initiatives that encompass processes, people, and your existing technology. Moving gradually will keep your firm from becoming overwhelmed with implementing new technology and policies across entire systems.
      • Map how your data flows — Document how your data moves around your devices, applications, and assets. It is essential to understand this data flow. Who is using it? Where is it coming from? To identify which data flows should not be trusted, you need to know which are critical to your firm and should be allowed. This mapping of data flow is the key to making zero trust work.
      • Harden your identity management — Users are the weakest link in any security system. Review your user authentication process and implement multi-factor authentication and tougher password policies to harden your identity management. Also, implement a regular review of login names and make sure they match active users.
      • Assign minimum rights (least privilege) — Review how your systems and data are secured and assign the minimum rights to the minimum number of accounts needed to access data or systems. The default access should be no access.
      • Whom do you trust? — Build a whitelist of who to trust. This includes users, devices, applications, processes, and network traffic.
      • Micro-segment your security — Dividing your security into smaller segments allows you to minimize any damage in case of a breach or compromise of any one area.
      • Define your zero trust policies — After you have architected your new system, write the needed policies to match. Define the who, what, when, where, why, and how for every user, device, and network that gains access to your system.
      • Monitoring is critical — As you build your zero trust system, it is critical to have an aggressive monitoring system in place. For zero trust to be effective, you will need to continuously monitor access and look for any area where trust should be revoked, so that any unwanted access can be identified.
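
The least-privilege, allow-list, and monitoring steps above can be combined into one default-deny check that runs on every request. The sketch below is an added example, not part of the original article; the user, device, resource, and segment names, the time windows, and the sample requests are all constructed for illustration.

```python
from collections import namedtuple
from datetime import time

# One allow-list entry (who, which device, what, how, where, when) and one access request.
Rule = namedtuple("Rule", "user device resource actions segment start end")
Request = namedtuple("Request", "user device resource action segment at mfa_ok")

# Constructed sample policy and traffic; every name here is hypothetical.
ALLOW_LIST = [
    Rule("asmith", "laptop-017", "matter-db", frozenset({"read"}), "office-vlan", time(7), time(19)),
    Rule("bjones", "laptop-022", "billing", frozenset({"read", "write"}), "office-vlan", time(8), time(18)),
]
SAMPLE = [
    Request("asmith", "laptop-017", "matter-db", "read", "office-vlan", time(9, 30), True),
    Request("asmith", "laptop-017", "matter-db", "write", "office-vlan", time(9, 30), True),
    Request("asmith", "home-pc", "matter-db", "read", "vpn", time(9, 30), True),
    Request("bjones", "laptop-022", "billing", "write", "office-vlan", time(23, 0), True),
    Request("bjones", "laptop-022", "billing", "read", "office-vlan", time(10, 0), False),
]

def evaluate(req, rules=ALLOW_LIST):
    """Check one request; the answer is deny unless a rule matches in full."""
    if not req.mfa_ok:
        return False, "mfa-missing"
    reason = "no-rule"  # default access is no access
    for r in rules:
        if (r.user, r.device, r.resource, r.segment) != (req.user, req.device, req.resource, req.segment):
            continue
        if req.action not in r.actions:
            reason = "action-not-granted"
        elif not r.start <= req.at <= r.end:
            reason = "outside-hours"
        else:
            return True, "rule-match"
    return False, reason

def audit(requests, rules=ALLOW_LIST):
    """Evaluate every request on its own and return the denials for review."""
    return [(q.user, q.resource, why) for q in requests
            for ok, why in [evaluate(q, rules)] if not ok]
```

Nothing is remembered between requests: a user who was allowed a moment ago is checked again on the next call, and the list returned by `audit` is the feed a monitoring process would review.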

Zero trust is a journey that will take years to complete. “Never trust, always verify” is a fundamental shift in how we currently think about security, but it is a necessary shift. Security breaches are on the rise, and our old paradigms of security are not working as more devices come online and local networks evolve to cloud networks. Our data is increasingly at risk, and zero trust is a new and more effective way to protect ourselves.
