Book Review: Locked Down: Information Security For Lawyers

← Back to Stories (view on slashdot.org)

Book Review: Locked Down: Information Security For Lawyers

Posted by samzenpus on Monday May 20, 2013 @07:24AM from the read-all-about-it dept.

benrothke writes "Had Locked Down: Information Security for Lawyers not been published by the American Bar Association (ABA) and 2 of its 3 authors not been attorneys; one would have thought the book is a reproach against attorneys for their obliviousness towards information security and privacy. In numerous places, the book notes that lawyers are often clueless when it comes to digital security. With that, the book is a long-overdue and valuable information security reference for anyone, not just lawyers." Read below for the rest of Ben's review. Locked Down: Information Security for Lawyers author Sharon Nelson, David Ries, John Simek pages 319 publisher American Bar Association rating 9/10 reviewer Ben Rothke ISBN 978-1614383642 summary Required reading for all lawyers Such a title is needed as the legal field has embraced digital technology. Wireless (often insecure) networks are pervasive in corporate offices throughout legal America.

The underlying problem is that while attorneys often know the intricacies of tort law, court proceedings and the like; they are utterly unaware of the information security and privacy risks surrounding the very technologies they are using. In many firms, the lawyers think that someone is protecting their data, but don't understand their requirements around those areas of data protection.

Legal IT systems are a treasure trove of personal data. Many small law firms are extremely attractive to identity thieves gives their systems have significant amount of personal information via social security numbers, credit card information, birth dates, financial information and much more. Small law firms are notorious for weak information security controls and attackers will scan those systems and networks for vulnerabilities.

A pervasive aspect of the book is ABA rule 1.6 regarding the confidentiality of information regarding client-lawyer relationships. The rule requires that a lawyer not reveal information relating to the representation of a client unless the client gives informed consent. The lawyer though can reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary. The myriad details of 1.6 can be left to the bar association to enforce, suffice to say that a lawyer can find themselves on the wrong side of the law if they are not careful with information security controls.

The authors note that although lawyers are all well aware of rule 1.6, the challenge is how to keep client data secure in the digital age. In a world of paper, things were much easier and cheaper This is why the authors note that so many otherwise competent layers fails so miserably in reference to their duty to maintain the confidentiality of digital client data.

The book quotes an ABA 2011 technology survey in which 21% of large law firms reported that their firm had experiences some sort of security breach, and 15% of all firms reported that they suffered a security breach. It is figures like those which show that attorneys really need to read this book and take the information to heart.

The books 17 chapters are in a readable 150 pages, with an additional 120 pages of appendices. Written in an easily understandable style and non-technical for the technologically challenge lawyer.

When it comes to the security of client data, in chapter 4 the authors write that encryption is a topic that most attorneys don't want to touch with a ten-foot pole. But it has reached a point where attorneys must understand how and when encryption should be used. Just as important, they need to know about key managements, and what good encryption is. The chapter provides a high-level detail on what needs to be done regarding encryption.

Chapter 13 is on secure disposal, is an important topic to everyone, and not just lawyers. Digital media needs to be effectively disposed of; and for many lawyers, they often think that means reformatting a hard drive or simply erasing files. The chapter effectively details the issues and offers numerous valuable hardware and software-based solutions.

Chapter 14 on outsourcing and cloud computing is an area where too many attorneys are oblivious to of the security and privacy risks. For example, the authors advise attorneys against the use of the free Gmail service since the terms of service allow Google to do anything it wants with the data. That opens a Pandora's Box when it comes to securing client data. The authors advise to use premium Google business versions, so attorneys can stay in control of their data with added security and privacy features.

Two omissions in chapters 13 and 14 are that the authors don't reference NAID (National Association for Information Destruction) or the CSA (Cloud Security Alliance (CSA).

Firms that outsource their digital disposal to non-NAID certified firms run the risk of having a glorified recycler do their work. As to NAID, it is an international trade association for companies providing information destruction services. NAIDs mission is to promote the information destruction industry and the standards and ethics of its member companies; while the mission of the CSA is to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.

The authors include many real-world stories and case law to reinforce their point.

The book closes with a number of appendices on various rules from the FTC, state information protection regulations, the SANS Institute glossary of security terms and more.

For the lawyer looking for an easy to read introduction to nearly everything they need to know about information security and privacy, the book is a great resource.

The book closes with the note that since lawyers have an ethical duty to protect their client's data, they have no choice but to keep themselves as well educated as possible.

For the attorney that wants to ensure their requirements remain current and are looking for an easy to read introduction about information security and privacy Locked Down: Information Security for Lawyers should be considered required reading.

Reviewed by Ben Rothke.

You can purchase Locked Down: Information Security for Lawyers from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

43 comments

Min score:

Reason:

Sort:

Redacting PDFs with black lines over text by DickBreath · 2013-05-20 07:29 · Score: 4, Funny

How many times have we seen 'redacted' legal documents as a PDF with black bars overlaying the text? (See Groklaw for past examples.)

1. Open the PDF in Acrobat Reader.
2. Select All
3. Copy
4. Switch to text file editor (not Edlin!)
5. Paste
. . . .
6. Profit?

Does this demonstrate a failure in understanding information security?

--

I'll see your senator, and I'll raise you two judges.
1. Re:Redacting PDFs with black lines over text by TheBestMerlinEver · 2013-05-20 07:30 · Score: 1
  
  Office 10 has a great redaction tool....but most users don't know about it.
2. Re:Redacting PDFs with black lines over text by cusco · 2013-05-20 08:05 · Score: 1
  
  My mom was a legal secretary for 17 years, with the result that she loathes most lawyers. From her description of the bozos that she worked with over the years most of them think that changing their default password to their pet's name or their brat's birthday is all the security that their laptop will ever need. After all, they only browse the vanilla porn sites on their work laptop, there shouldn't be any malware on those, right?
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
3. Re:Redacting PDFs with black lines over text by Anonymous Coward · 2013-05-20 14:41 · Score: 0
  
  yes, jackass,
  here comes pain in the ass editing it so can actually read it.
  woot woot
4. Re:Redacting PDFs with black lines over text by tlhIngan · 2013-05-20 17:11 · Score: 1
  
  My mom was a legal secretary for 17 years, with the result that she loathes most lawyers. From her description of the bozos that she worked with over the years most of them think that changing their default password to their pet's name or their brat's birthday is all the security that their laptop will ever need. After all, they only browse the vanilla porn sites on their work laptop, there shouldn't be any malware on those, right?
  I find this true of a lot of professionals. They can earn a ton of money, but they also can be extremely cheap. And even worse, their "superior" knowledge in one field makes them believe that they're superior in all other fields - thinking everyone else not in the same field
  It applies to all fields - be it IT, medical, legal, educational, etc. It seems just because someone spent a few years learning something specialized, they're suddenly above everyone else.
  Hell, you'll see spending on non-field related things to be extremely cheap as well - a lawyer may spend a lot on nice furniture and stuff to show they're good, but their IT and office assistant spending would be very low. Ditto doctors - I've finally seen the people who use the crappiest of the crappy laptops that get sold at Best Buy. Hell, they'll complain about it but not do a single thing about it - or spending a few more bucks and getting something that would frustrate them less.
  And yes, it applies to you, the IT worker as well - see how much money you spend on nice clothes rather than the jeans and T-shirt. Or even if you have a suit and tie (or are you the type that says "clothes don't matter"? Well, to a lawyer, IT doesn't matter, either. That includes security.).
  It won't be long until this comes and bites someone in the ass. Imagine a lawyer or doctor gets hacked and ends up violating lawyer-client or doctor-patient privilege. Will said information be allowed in a case? What if it was due to poor security? Who's responsible?
  IT workers are lucky though - there's no privilege that depends on them keeping secrets that a court respects. Other than maybe getting discredited because of poor dress.
Wait, what? by fuzzyfuzzyfungus · 2013-05-20 07:34 · Score: 3, Funny

I always carefully add:
"Confidentiality: The information contained in this e-mail is intended only for the
personal and confidential use of the designated recipients of the email. This message
may be an attorney-client communication and, as such, is privileged and confidential. If
you are not an intended recipient of this message or an agent responsible for delivering
it to an intended recipient, you are hereby notified that you have received this message
in error, and that any review, dissemination, distribution, or copying of this message is
strictly prohibited. If you have received this message in error, please delete it and all
copies and notify us immediately by reply e-mail or by telephone"
To the signature section of all my emails. Surely that qualifies as due-diligence concerning information security?
1. Re:Wait, what? by TheBestMerlinEver · 2013-05-20 07:44 · Score: 1
  
  Those disclaimers are worthless!
2. Re:Wait, what? by jeffmeden · 2013-05-20 07:46 · Score: 1
  
  I always carefully add:
  "Confidentiality: The information contained in this e-mail is intended only for the
  personal and confidential use of the designated recipients of the email. This message
  may be an attorney-client communication and, as such, is privileged and confidential. If
  you are not an intended recipient of this message or an agent responsible for delivering
  it to an intended recipient, you are hereby notified that you have received this message
  in error, and that any review, dissemination, distribution, or copying of this message is
  strictly prohibited. If you have received this message in error, please delete it and all
  copies and notify us immediately by reply e-mail or by telephone"
  To the signature section of all my emails. Surely that qualifies as due-diligence concerning information security?
  Sounds iron clad, you can just lock up everyone who calls/emails as they have obviously already broken your rule... [/snark]
3. Re:Wait, what? by fuzzyfuzzyfungus · 2013-05-20 07:47 · Score: 4, Insightful
  
  Those disclaimers are worthless!
  Oh, hardly. I find that they are an excellent heuristic for identifying people who are likely to be rather irritating in person, and quite possibly in whatever email resides above that vapid regurgitation... They really do a fine public service that way.
4. Re:Wait, what? by schneidafunk · 2013-05-20 07:48 · Score: 1
  
  So after I spent time reading your confidential email to a client, I see in your signature that it was a mistake and you would like me to call you on the phone?
  
  --
  Some people die at 25 and aren't buried until 75. -Benjamin Franklin
5. Re:Wait, what? by i.r.id10t · 2013-05-20 07:49 · Score: 2
  
  Unless your employer is automagically adding it to each outgoing email...
  
  --
  Don't blame me, I voted for Kodos
6. Re:Wait, what? by intermodal · 2013-05-20 07:51 · Score: 1
  
  I always carefully add:
  "Confidentiality: The information contained in this e-mail is intended only for the
  personal and confidential use of the designated recipients of the email. This message
  may be an attorney-client communication and, as such, is privileged and confidential. If
  you are not an intended recipient of this message or an agent responsible for delivering
  it to an intended recipient, you are hereby notified that you have received this message
  in error, and that any review, dissemination, distribution, or copying of this message is
  strictly prohibited. If you have received this message in error, please delete it and all
  copies and notify us immediately by reply e-mail or by telephone"
  To the signature section of all my emails. Surely that qualifies as due-diligence concerning information security?
  In plain English, that means "My password is weak and my inbox and outbox contain a lot of names, addresses, and social security numbers."
  
  --
  In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
7. Re:Wait, what? by DougOtto · 2013-05-20 07:52 · Score: 2
  
  In all fairness, those disclaimers are almost never IT's idea. In every company I've worked, the idea came down from above; i.e. some executive read about it in an airline magazine.
  
  In those cases, you just roll your eyes, add the signature and collect your paycheck.
  
  --
  Solving Unix problems since 1989...
8. Re:Wait, what? by TheBestMerlinEver · 2013-05-20 07:55 · Score: 1
  
  Excellent point!
9. Re:Wait, what? by Anonymous Coward · 2013-05-20 07:56 · Score: 0
  
  Such disclaimers have no legal force but they are not worthless.
  Most people are idiots. They see the law as incomprehensible bad juju. If such an idiot receives a mis-sent email the warning may prompt them to delete it rather than publish it. And thus the disclaimer has some worth.
  However, to use such a disclaimer implies that you view people as idiots. Even if true, advertising this opinion is impolitic.
10. Re:Wait, what? by Anonymous Coward · 2013-05-20 08:02 · Score: 0
  
  In all fairness, I find the type of people willing to work for such an employer are more often than not annoying in person...
  It doesn't mean all are...but in terms of raw probability...
11. Re:Wait, what? by Jeremiah+Stoddard · 2013-05-20 08:04 · Score: 1
  
  This. In fact, where I work, IT is the only department where we don't have that disclaimer in our email signatures.
12. Re:Wait, what? by game+kid · 2013-05-20 08:18 · Score: 1, Interesting
  
  I call that the Fool's PGP.
  (This xkcd comes to mind.)
  
  --
  You can hold down the "B" button for continuous firing.
13. Re:Wait, what? by Anonymous Coward · 2013-05-20 08:24 · Score: 0
  
  You forgot to add:
  "This telecast is intended to be used by our audience for entertainment purposes. Any rebroadcast without the express written consent of the National Football League is prohibited."
14. Re:Wait, what? by Synerg1y · 2013-05-20 09:00 · Score: 1
  
  Using PGP is due diligence, adding meaningless messages... well scares the morons, which is good enough I guess. At least it's not a read receipt...
15. Re:Wait, what? by i.r.id10t · 2013-05-22 01:55 · Score: 1
  
  Please don't paint us all with such a large brush. We've just had a similar disclaimer automagically added to our emails (only one per mail, so replies, etc. don't have multiple copies on them), but according to our college's lawyer, it is state mandated.....
  
  --
  Don't blame me, I voted for Kodos
Why is this a surprise? by shankarunni · 2013-05-20 07:47 · Score: 1

I'll surmise that from a lawyer's point of view, information security is just another "feature" or "service" to take for granted (just like electricity or water). If any confidential information is lost, it is the _client_ who's injured, and hey, the lawyer will be happy to help the client sue whoever for absurd sums of money (for a small consideration, of course..).
1. Re:Why is this a surprise? by MozeeToby · 2013-05-20 07:59 · Score: 1
  
  I'll surmise that from a lawyer's point of view, information security is just another "feature" or "service" to take for granted (just like electricity or water).
  To be fair, why should the necessarily be wrong? I'm not talking about phishing or viruses or key loggers; I'm talking about whole disk encryption, network security, end to end messaging encryption. These things should be commodities by now, there's no reason every PC sold shouldn't have full disk encryption. There's no reason any business grade networking gear should work without encryption. It should be standard. It's really hard to get security perfect, but somewhere along the line the industry forgot that they can get as close to perfect as possible with relatively little effort.
2. Re:Why is this a surprise? by Anonymous Coward · 2013-05-20 08:28 · Score: 0
  
  It's all about support. Secure systems are hard to use, and most people don't need them. So why create extra support headaches for the sake of the few?
3. Re:Why is this a surprise? by Anonymous Coward · 2013-05-20 08:47 · Score: 0
  
  there's no reason every PC sold shouldn't have full disk encryption.
  Most people don't need it, and it's easy to lose your data.
4. Re:Why is this a surprise? by TheBestMerlinEver · 2013-05-20 08:55 · Score: 1
  
  SecureBSD is wonderful and secure....the down side...no one uses it.
Amazon Review (1) NOT GOOD by MrMagooAZ · 2013-05-20 07:47 · Score: 5, Informative

I post this having not read a single page of this book. I was interested in getting this book for my attorney wife. When looking at it on AMAZON.COM, I noticed that the post here is a copy of only ONE of TWO reviews the book has on Amazon.com. The other review is HORRIBLE. http://www.amazon.com/Locked-Down-Information-Security-Lawyers/product-reviews/1614383642/ref=cm_cr_dp_qt_hist_one?ie=UTF8&filterBy=addOneStar&showViewpoints=0 Read/order with caution.
1. Re:Amazon Review (1) NOT GOOD by Anonymous Coward · 2013-05-20 08:33 · Score: 0
  
  I read the other review, and in the comment section, Ben Rothke jumps in and addresses the other reviewer's criticisms one by one. If Mr. Rothke has some connection with the book, shouldn't it be disclosed in the Slashdot review?
Also a Violation of the /. Book Review Guidelines by eldavojohn · 2013-05-20 08:43 · Score: 3

I post this having not read a single page of this book. I was interested in getting this book for my attorney wife. When looking at it on AMAZON.COM, I noticed that the post here is a copy of only ONE of TWO reviews the book has on Amazon.com. The other review is HORRIBLE. http://www.amazon.com/Locked-Down-Information-Security-Lawyers/product-reviews/1614383642/ref=cm_cr_dp_qt_hist_one?ie=UTF8&filterBy=addOneStar&showViewpoints=0 Read/order with caution.
As someone who occasionally writes reviews for Slashdot (and usually reads all of the ones posted), this is a clear violation of the book review guidelines:

First, an important one: by submitting your review to Slashdot, you represent that the review is your own work, that it is original to Slashdot, and that it is unencumbered by any existing or anticipated contractual relationship; further, you are granting Slashdot permission to publish your review, including any editing the Slashdot editorial team finds necessary and appropriate. (Major edits will involve consultation by email or other means.) If you've reviewed the book elsewhere anywhere besides a personal home page (for instance, on Amazon) please be sure that your review for Slashdot is substantially different.

(emphasis mine) There is no difference that I can see ...

--
My work here is dung.
I Guess This Is Allowed Now? by eldavojohn · 2013-05-20 08:54 · Score: 3, Informative

Sorry to respond to my own comment but for Ben Rothke it looks like he just reposts his Amazon reviews here:

Book Review: The Plateau Effect: Getting From Stuck To Success is identical to this Amazon review.

Book Review: The Death of the Internet is identical to this Amazon review.

Book Review: Everyday Cryptography is identical to this Amazon review.

Book Review: Liars and Outliers is identical to this Amazon Review.

It just keeps going ...

--
My work here is dung.
1. Re:I Guess This Is Allowed Now? by Anonymous Coward · 2013-05-20 13:50 · Score: 0
  
  It just keeps going ...
  On one of those Slashdot reviews, I remember Ben plugged his book on computer security (it was $6 at the time) so like a fool I figured, hey, you can't go too wrong with $6, right? Wrong. It was the single WORST purchase I've EVER made at amazon.com, and I give them close to a thousand each and every year. Ben's book was a like a long CNET article full of tips like "don't choose a password that hackers can guess, like 123456". In the trash it went inside of two minutes.
  I plain don't trust the guy, he fooled me once and took my money. Go away Ben!
2. Re:I Guess This Is Allowed Now? by Anonymous Coward · 2013-05-22 02:57 · Score: 0
  
  You were fooled by paying $6 for a book that itself says it is a basic intro?
  I do not get how you were ‘fooled’please explain.
Paid Reviewer Alert by guttentag · 2013-05-20 08:54 · Score: 4, Insightful

The reviewer's Web site and LinkedIn profile both state "I review and recommend books on digital security, privacy and other relevant issues and write a monthly book review on topics of information security and privacy for Security Management magazine and Slashdot."

The reviewer reviews IT books on Amazon like clockwork, almost always 7 or 8 days between reviews, which are always positive, written like marketing material and always give 4 or 5 stars:
May 20, 2013 Locked Down: Information Security for Lawyers 5 Stars
May 13, 2013 The Plateau Effect: Getting from Stuck to Success 4 Stars
May 7, 2013 Secure Coding in C and C++ (2nd Edition) (SEI Series in Software Engineering) 5 Stars
May 1, 2013 Cybersecurity: Public Sector Threats and Responses (Public Administration and Public Policy) 4 Stars
April 22, 2013 Applied Information Security: A Hands-on Approach 4 Stars
April 15, 2013 The Death of the Internet 5 Stars
April 8, 2013 Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure 4 Stars
March 28, 2013 Introduction to Computer Networks and Cybersecurity 4 Stars
March 20, 2013 Managing Risk and Information Security: Protect to Enable 4 Stars
(362 Reviews total)

There's a theme in his reviews of either saying that the book is a must-read for _____, or suggesting that the only people who won't get a lot out of the book are people who don't understand how much they need it: "For the reader who may be indifferent to their need for change, the book may not be of full value to then." And "The only negative thing about the book is the over the top title, which I think detracts from the important message that is pervasive in it."
1. Re:Paid Reviewer Alert by guttentag · 2013-05-20 09:13 · Score: 1
  
  And if you look at benrothke's page on slashdot, you'll notice that he only has one comment and many submitted book reviews. His one comment:
  
  Thank you for the comments. In my haste to get this review out, I was not as diligent in proofreading as I should have. With that, you are correct that information is their enemy. I hope my grammatical errors in the review don’t get in the way of Mr. Wrights important message. Thanks again.
  That sounds like an apology to the author for making mistakes in the review, and he bends over backwards to call the author Mr. Wright and his book an "important message." Why was he in such a hurry to get the review out? Did the publisher give him a deadline?
  
  He's definitely copying and pasting reviews written elsewhere. Check this submission out from January 27th:
  
  "Untitled documentol{margin:0;padding:0}.c5{max-width:468pt;background-color:#ffffff;padding:72pt 72pt 72pt 72pt}.c0{color:#1155cc;font-size:12pt;text-decoration:underline}.c3{color:inherit;text-decoration:inherit}.c2{text-align:justify;direction:ltr}.c4{height:11pt;direction:ltr}.c1{font-size:12pt}.c7{font-style:italic}.c8{height:11pt}.c6{direction:ltr}.title{padding-top:24pt;line-height:1.15;text-align:left;color:#000000;font-size:36pt;font-family:"Arial";font-weight:bold;padding-bottom:6pt}.subtitle{padding-top:18pt;line-height:1.15;text-align:left;color:#666666;font-style:italic;font-size:24pt;font-family:"Georgia";padding-bottom:4pt}li{color:#000000;font-size:11pt;font-family:"Arial"}p{color:#000000;font-size:11pt;margin:0;font-family:"Arial"}h1{padding-top:24pt;line-height:1.15;text-align:left;color:#000000;font-size:18pt;font-family:"Arial";font-weight:bold;padding-bottom:6pt}h2{padding-top:18pt;line-height:1.15;text-align:left;color:#000000;font-size:14pt;font-family:"Arial";font-weight:bold;padding-bottom:4pt}h3{padding-top:14pt;line-height:1.15;text-align:left;color:#666666;font-size:12pt;font-family:"Arial";font-weight:bold;padding-bottom:4pt}h4{padding-top:12pt;line-height:1.15;text-align:left;color:#666666;font-style:italic;font-size:11pt;font-family:"Arial";padding-bottom:2pt}h5{padding-top:11pt;line-height:1.15;text-align:left;color:#666666;font-size:10pt;font-family:"Arial";font-weight:bold;padding-bottom:2pt}h6{padding-top:10pt;line-height:1.15;text-align:left;color:#666666;font-style:italic;font-size:10pt;font-family:"Arial";padding-bottom:2pt}
  
  In its first week, Going Clear: Scientology, Hollywood, and the Prison of Beliefwas #3 on the New York Times Best Sellers list and will likely be #1 soon. The fact that the book is in print is somewhat miraculous given the voracious appetite Scientology has for litigation.
  And this from January 21:
  
  "Untitled documentol{margin:0;padding:0}.c6{max-width:468pt;background-color:#ffffff;padding:72pt 72pt 72pt 72pt}.c0{text-align:justify;direction:ltr}.c4{color:#1155cc;text-decoration:underline}.c3{color:inherit;text-decoration:inherit}.c1{font-size:12pt}.c7{font-style:italic}.c5{height:11pt}.c2{direction:ltr}.title{padding-top:24pt;line-height:1.15;text-align:left;color:#000000;font-size:36pt;font-family:"Arial";font-weight:bold;padding-bottom:6pt}.subtitle{padding-top:18pt;line-height:1.15;text-align:left;color:#666666;font-style:italic;font-size:24pt;font-family:"Georgia";padding-bottom:4pt}li{color:#000000;font-size:11pt;font-family:"Arial"}p{color:#000000;font-size:11pt;margin:0;font-family:"Arial"}h1{padding-top:24pt;line-height:1.15;text-align:left;color:#000000;font-size:18pt;font-family:"Arial";font-weight:bold;padding-bottom:6pt}h2{padding-top:18pt;line-height:1.15;text-align:left;color:#000000;font-size:14pt;font-family:"Arial";font-weight:bold;padding-bottom:4pt}h3{padding-top:14pt;line-height:
2. Re:Paid Reviewer Alert by Anonymous Coward · 2013-05-21 04:02 · Score: 0
  
  So he writes reviews on slashdot then posts his content on book review sites.sounds like fair use to me.
We need better lawyers and better laws. by SniperJoe · 2013-05-20 09:07 · Score: 1

I attended an information security conference last year that had a prominent attorney speaking regarding information security. His biggest message to all of us was that he wanted to see more information security professionals consider becoming attorneys, as there was a serious shortage in experts in both security and the law. He said that his major issue is that there is a lot of bad law and bad precedent out there and he would like to see that change. I suppose this book is just a case in point of that argument. If there is a systemic issue of attorneys not being security-aware and not protecting their data and the data of their clients, how can we expect them to be able to argue before the courts and help create proper, forward-looking precedents?
1. Re:We need better lawyers and better laws. by TheBestMerlinEver · 2013-05-20 09:16 · Score: 1
  
  Good point. How many lawyers are also CISSP's? I would guess less than 1,000. How many lawyers have a cert from SANS? I would guess less than 10
2. Re:We need better lawyers and better laws. by Etherwalk · 2013-05-20 09:52 · Score: 1
  
  If there is a systemic issue of attorneys not being security-aware and not protecting their data and the data of their clients, how can we expect them to be able to argue before the courts and help create proper, forward-looking precedents?
  Many will not. Good attorneys, however, learn a great deal about a topic before they argue it, and that (ideally) includes both reviewing basic reference material and discussions with an expert or two.
3. Re:We need better lawyers and better laws. by Anonymous Coward · 2013-05-21 00:27 · Score: 0
  
  This is totally irrelevant to the wider conversation... but I'm an attorney, and passed my CISSP exam yesterday!
Not worthless by Etherwalk · 2013-05-20 09:48 · Score: 1

Those disclaimers are worthless!
No, they're just mostly worthless. Attorneys in some states have ethical duties to delete confidential material they receive by accident, or to notify the sender, or to take other actions. The disclaimers can be useful if (1) they are in a state where their obligation to destroy received material only accrues when they are told to do so, or (2) to show a judge that they didn't do what they were bound to do and they knew they should have, because (a) not only is it in the state ethics rules but (b) it actually TELLS THEM to destroy it.
For example.
Wish they'd do one for doctors by skegg · 2013-05-20 10:06 · Score: 1

My, how I've become irate over the years with medical practitioners having such lax (nay, absent) IT security policies.
I'm sick of doctors installing random software off the internet.
I'm sick of doctors connecting their computers directly to the internet, with nothing but Windows as protection.
I'm sick of doctors throwing unencrypted DVD back-up's in their trash.
The list goes on ...
It's kind of a hopeless propostion by gelfling · 2013-05-20 11:47 · Score: 1

We have to include scads of attorneys in every security incident. They grab 90% of the oxygen in the room, rattle off endless questions and NEVER EVER bring anything to the table. All they ever do is demand draft communications documents for the customer and then relentlessly and obsessively red line everything including the few fragments they themselves offered. After about 9 or 10 iterations of this the lawyers play the passive aggressive game and mumble "do whatever you want!".
Don't you love it when the 3 people leading your meeting are lawyers who, when you ask them for anything, the first thing they say is "Well I'm not technical so I can't say." BUT YOU JUST DID SAY, YOU FUCKING SHITHEAD. IN FACT ALL ANYONE HAS DONE FOR THE PAST 90 MINUTES IS LISTEN TO MICROMANAGE.
Die die die die cut all their heads off on Youtube every last one.
1. Re:It's kind of a hopeless propostion by Unixnoteunuchs · 2013-05-21 02:16 · Score: 1
  
  Tell us what you REALLY feel.