Cybersecurity for Lawyers with Kellam Parks
A Different Kind of Conversation
This episode takes a turn from the usual founder journey.
Instead of origin stories, Jonathan Hawkins brings back Kellam T. Parks for something more urgent: a conversation about cybersecurity. Not as a technical topic, but as a business reality that law firm owners can no longer ignore.
As Jonathan put it, recent breaches, including one involving a major global firm, sparked a deeper concern. If firms with massive resources are vulnerable, what does that mean for everyone else?
Kellam’s answer is direct. It is not about if anymore. It is about when.
How Breaches Actually Happen
Most people imagine hacking as something complex and cinematic.
But according to Kellam, that is not the most common threat.
Instead, the majority of incidents come down to something much simpler: human behavior.
He explains that social engineering and phishing attacks are the real entry points. A well-timed email, a fake link, or a message that feels routine is often all it takes.
Sometimes it is as subtle as an email that looks like it came from a colleague. Other times, it is a message asking for a quick task, like purchasing gift cards or downloading a file.
And in many cases, the attacker does not act immediately. They wait, watch, and strike when the opportunity is most valuable.
The Real Cost of “We’ll Deal With It Later”
It is easy to assume you can handle a breach if it happens.
But the reality is far more disruptive.
Kellam outlines what even a “best case” incident looks like: investigations, forensic analysis, potential client notifications, and legal obligations across different jurisdictions.
Then there is the worst case.
Systems locked. Data encrypted. No backups. Money lost through fraudulent transfers. Business operations halted.
In one example, a company lost both incoming and outgoing payments totaling hundreds of thousands of dollars before they even realized what had happened.
And for law firms, there is an added layer: ethical responsibility.
Failing to reasonably protect client data is not just a business issue. It can become a professional one.
Why Your Team Is the Weakest Link and the First Line of Defense
Kellam is clear about one thing. The problem is not bad employees.
It is human nature.
Even well-trained professionals can make mistakes when they are busy, distracted, or simply moving too fast. That is why training matters, but it is only part of the solution.
The real protection comes from layered systems.
He describes a structure that includes multi-factor authentication, advanced monitoring tools, and conditional access controls that limit how and where data can be accessed.
It is not about eliminating risk completely. It is about reducing exposure and catching issues before they become catastrophic.
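To make the “layered systems” idea concrete, here is a small access-decision evaluator written for this summary. It is an added example, not code from the podcast or from Parks Zeigler; the device inventory, the country allow-list and the sign-in attempts are constructed data, and the `evaluate` function is a hypothetical stand-in for what a real identity provider does. It checks each layer in order (password, MFA, geography, managed device) and records every layer that fails, so that an attacker who holds a stolen password and gets an MFA prompt approved is still refused when the request does not come from a firm-managed device.

```python
"""Layered sign-in decision: password -> MFA -> geo -> managed device.

Constructed example; not the podcast's or any vendor's real tooling.
"""
from dataclasses import dataclass, field

# Hypothetical inventory of devices the firm owns or manages (constructed).
MANAGED_DEVICES = {"LAPTOP-0427", "PHONE-0113"}
# Hypothetical allow-list: only sign-ins that appear to come from the US.
ALLOWED_COUNTRIES = {"US"}


@dataclass
class SignIn:
    user: str
    password_ok: bool      # did the password check pass?
    mfa_approved: bool     # did the user approve the MFA prompt?
    device_id: str         # identifier presented by the client device
    country: str           # country inferred from the source IP


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(attempt: SignIn) -> Decision:
    """Apply every layer and collect each failure, so a refused sign-in
    carries the reasons an analyst would want in the alert."""
    reasons = []
    if not attempt.password_ok:
        reasons.append("bad password")
    if not attempt.mfa_approved:
        reasons.append("MFA not approved")
    if attempt.country not in ALLOWED_COUNTRIES:
        reasons.append(f"geo block: {attempt.country}")
    if attempt.device_id not in MANAGED_DEVICES:
        reasons.append("unmanaged device")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample sign-ins covering the cases the episode describes.
SAMPLE_ATTEMPTS = {
    # Normal work: firm laptop, correct password, MFA approved.
    "staff_on_firm_laptop": SignIn("jane", True, True, "LAPTOP-0427", "US"),
    # Stolen password, user wrongly approved the MFA push, but the request
    # comes from a device the firm does not manage: the device layer holds.
    "stolen_creds_mfa_fatigue": SignIn("jane", True, True, "UNKNOWN-77", "US"),
    # Same, but routed through a non-US exit: two layers fail.
    "stolen_creds_abroad": SignIn("jane", True, True, "UNKNOWN-77", "RO"),
    # Phished password alone, MFA never approved.
    "password_only": SignIn("jane", True, False, "UNKNOWN-77", "US"),
}


def run_samples() -> dict:
    """Evaluate every sample and return {name: Decision}."""
    return {name: evaluate(a) for name, a in SAMPLE_ATTEMPTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:28s} {verdict:5s} {'; '.join(decision.reasons)}")
```

The ordering matters less than the fact that no single layer is trusted on its own: the geo check is easy to defeat with a VPN, and MFA can be talked past if a busy person approves a prompt, but the managed-device requirement is independent of both, which is why it catches the stolen-credential cases above.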
Insurance Is Not Optional Anymore
One of the most practical takeaways from this conversation is the role of cybersecurity insurance.
Kellam explains that a strong policy does more than just cover losses. It supports the response itself, from hiring forensic experts to managing legal obligations and even covering business interruption.
And surprisingly, the cost is not as high as many assume.
Compared to the potential financial impact of a breach, it becomes a straightforward decision.
The bigger challenge is choosing the right policy. Not all coverage is created equal, and understanding the details matters.
The Bigger Picture: Technology Is Moving Faster Than We Think
Toward the end of the conversation, the focus shifts to something even broader.
Artificial intelligence.
Kellam shares insights on how emerging AI tools are beginning to identify system vulnerabilities at a level that could change the entire cybersecurity landscape.
There is opportunity here, but also risk.
Anything that can be used to protect systems can also be used to exploit them. And that balance is still being figured out in real time.
It is a reminder that cybersecurity is not static. It is evolving, quickly.
Closing Reflection: Preparation Is the Advantage
This conversation is not about panic.
It is about perspective.
Every law firm owner is already managing risk in different areas of the business. Cybersecurity is now one of those areas, whether it feels comfortable or not.
Kellam sums it up clearly. You do not want to build a bridge when it is already on fire.
The firms that take this seriously now will not avoid every issue. But they will be far more resilient when something happens.
And in today’s environment, that resilience is what matters most.
AND MORE TOPICS COVERED IN THE FULL INTERVIEW!!! You can check that out and subscribe on YouTube.
If you want to know more about Kellam T. Parks, you may reach out to him at:
- Website: https://pzlaw.com
- Cybersecurity Guide: https://pzlaw.com/cybersecurity-guide
- Email: kparks@pzlaw.com
- LinkedIn: https://www.linkedin.com/in/kparks1
Connect with Jonathan Hawkins:
- Website: https://www.lawfirmgc.com/
- LinkedIn: https://www.linkedin.com/in/jonathan-hawkins-135147/
- Podcast: https://www.lawfirmgc.com/podcast
Jonathan Hawkins: [00:00:00] Any parting advice or thoughts for, you know, law firm owners out there on how best to sort of get their heads around this and protect themselves.
Kellam T. Parks: Yeah. So I mean, again, I know I laughingly said I wanna scare you. I kind of do in the sense that I just want. Everyone needs to pay attention to this. And I say every single business needs cybersecurity planning and some level of insurance. And I’ve got clients, I’ve got a three person operation landscaping company, right? They hired me to give them some basic level advice like a data breach avoidance plan, which we work through all this stuff, get you the right insurance, make sure you’re locked down, an incident response plan to make sure that you know what happens ’cause you don’t wanna build a bridge when it’s on fire.
A tech policy to make sure, a disaster recovery plan and you have the insurance, you have these plans in place. In my opinion understanding, yes, I do this for a living, but it’s something you really have to do because the odds that you’re going to have an incident, it’s going to happen. It used to say when something happens and then it said it was, if something happens now, it’s when something happens and it’s when it happens again. So you’re [00:01:00] gonna have an incident, it’s gonna happen more than once.
And the better prepared you are and the more financially secure you are with insurance, the more resilient you’re gonna be because you’re not Jones Day and you’re not gonna survive a big hit. I think the average cost of a data breach is mid six figures if it’s of any significance and if you don’t have insurance, that’ll put a solo under. So it’s just, you’ve got to be protected and you’ve gotta have insurance. And I’m always happy to talk about it. Again, I’ve got that free guide, which if you go through, we’ll give you some pointers to start but yeah, I’m always happy to talk about it. I just wanna make sure people are protected ’cause it’s such a big deal.
Welcome to the Founding Partner Podcast. Join your host, Jonathan Hawkins, as we explore the fascinating stories of successful law firm founders. We’ll uncover their beginnings, triumph over challenges, and practice growth. Whether you aspire to launch your own firm, have an entrepreneurial spirit, or are just curious about the legal business, you’re in the right place.
Let’s dive [00:02:00] in.
Jonathan Hawkins: Welcome to Founding Partner podcast. I’m your host, Jonathan Hawkins. Today’s episode’s gonna be a little bit different than normal. We do have a guest, but it’s not gonna be our usual interview format. This is a repeat guest. So I’m excited to have Kellam Parks back if you want to listen to his first appearance.
Gotta go back to episode 58. You can learn all about him and his background and his journey there. But today. Lemme back up. So, Kellam is a partner at Parks Zeigler and one of his practice areas and specialties is cybersecurity law. And that’s really what I wanna focus on today. There’s been some things in the news over the last couple weeks that really got me thinking and I, I wanted to bring an expert on to talk about that stuff.
So Kellam, thanks for coming back on.
Kellam T. Parks: It’s great. Well, I’m really glad that because you couldn’t find any experts. You’ve got me, so I’ll, I’ll do the best I can for you, my friend, but I’m happy to talk about it. But yeah, so I, I do, yeah, we have cybersecurity data privacy. I’m the, I started the practice about nine years ago, and so [00:03:00] I, I do my best to be able to know what I’m talking about in those areas.
Jonathan Hawkins: Well, I’ll say around here, we, the expert bar is very, very low, so
Kellam T. Parks: Fantastic. Well, I will try not to make it any lower. I’ll do my best.
Jonathan Hawkins: Well, cool. So, so there there are, like I said there’s and I’ve been thinking about this lately ’cause I mean I, you know, I’m sure just as part of your practice data breaches all the time. But recently, I’d say in the last a few months. I’ve had a number of clients that have experienced it in a variety of different ways.
And so it’s just really got me thinking. And then about two weeks ago, there was a press release about Jones Day, which is one of the biggest law firms in the world. They announced that they had had a data breach and that they said, I think around 10 or so of their client’s data. Was compromised, and I believe one of their clients is President Trump.
So, maybe that’s what they’re after. I don’t know. So I, so I guess I assume you’ve seen the news.
Kellam T. Parks: I have, yeah. You know, it, it’s interesting. So I don’t know. I [00:04:00] actually did, I’d seen the news. I didn’t pay a lot of attention to it in the sense that I see these things. I see a, I, first of all, I deal with them all day long, so it’s kinda like, I don’t, I don’t want to. Anybody else’s problems. I, I’m not getting paid to pay attention to ’em, so I’m not gonna do it.
But also you know, it’s just a lot. So I looked at it in preparation for our talk. ’cause as we talked about, they haven’t really, you know, not surprisingly, they haven’t released a lot of information, right. So when somebody has. So when something happens, we call it a data incident. So it only becomes a breach when personal information or personal health information is compromised.
And then it triggers either state or federal laws. And that’s when you officially call it a breach, and that’s when they have to tell people. So if you have an incident and stuff is taken, but it’s not personal information like a social security number or not personal health information. If you’re subject to HIPAA, you don’t.
If you’re not a lawyer, you don’t have to tell anybody. If you’re a lawyer, you have to tell existing clients, and that’s an ABA ethical thing. Interestingly enough, the a, the, the legal ethics opinion from the ABA says, you don’t have to tell former clients. [00:05:00] They say your duty to their data is no longer in existence ’cause they’re not your client anymore.
Which I thought was interesting. That’s not my advice. My advice is you should tell your former clients, but from an ethical point. So they had to tell their clients and then it got out. And so like you said, it was about 10 clients is what they said. What happened was there was a hacking group called Silent Ransom, also known as Luna Moth.
And they’ve got some other names. They specifically targeted these law firms and that’s part of their MO is they target law firms. Interestingly, they didn’t. Hack them. They did social engineering, so they did phishing, you know, or somebody pretends to be somebody else and we don’t have any details. So I looked at, I tried to figure out what happened.
Nobody, they haven’t disclosed it. But this group targeted one particular attorney who apparently headed up their US Court of Appeals work for the federal circuit. Basically a lot of IP matters. They targeted this poor guy and his name was released. No comment from him. But they figured out maybe who he was, but they targeted this guy and somehow got into his stuff and I don’t know how.
And I, I have, we [00:06:00] can talk about some theories about how this works. So I don’t know how they got in, but they got in about 10 clients, they said old data. They were demanded a lot of money apparently, and there’s screenshots out there if somebody’s interested. Apparently there’s screenshots that supposedly are between Jones Day and the bad guys.
They didn’t it’s not been confirmed whether that’s accurate, but maybe where they wanted, I think 15 million. They wanted a lot of money. And apparently they offered some counter, they didn’t take it. And so then they do, what often happens is they release it on their dark web sell it probably if it was, you know, valuable.
And it’s kind of a black eye on the firm. Obviously, you know, the danger is you lose some confidence in your clients and that kind of stuff, but it happens to everybody, whether you’re Jones Day or, or solo. Unfortunately. So that’s all we know. They were also the target. They weren’t a target.
They were affected by a breach back in 2021. So there’s a third party file transfer company called Accellion. And they were actually hacked as I understand it. And Jones Day information, as well as some others were affected, about a hundred [00:07:00] gigabytes. That wasn’t Jones Day’s fault because it was a third party, but it happens too.
So it just happens, man. It’s tough.
Jonathan Hawkins: it’s, it’s scary times. I mean, you know, Jones Day, one of the biggest firms you would imagine, they have spent a ton of money really protecting as best they can. And, and if it can happen to them, you know, how, how are the small guys like me gonna protect myself? It’s, It is scary stuff. I mean, like I said, I, I’ve known some other folks who’ve gone through this recently and there was one that, you know, had the ransom issue. There’s the sort of the business interruption issue where, you know, you might lose, you can’t, you can’t work on clients if you’re, if you bill by the hour and you can’t work on clients for weeks, you’re gonna lose money. And so how, how do these breaches or incidents usually happen in your experience?
Kellam T. Parks: Yeah, so there’s really, there’s really two main ways, right? One way is you’re actually hacked. And so I do I would [00:08:00] say it’s not a large part of my practice that this happens, but it does happen. So I’m I’m counsel there. There’s a, a company in Virginia that’s a self-insurance pool and they, they insure a lot of Virginia governments and I’m their backup counsel when there’s, their main counsel has conflicts.
I’ve been working for them for a number of years now, and so I’ve had a couple of governmental clients where somebody, they were actually hacked. Somebody came in, found a vulnerability, it was a criminal organization. Sometimes maybe even a state actor where they come in and they literally, you know. Do the hacking type thing, get in through a vulnerability and get into the system and steal data or encrypt data otherwise, or sit and wait and do something and they’re inside the system.
That’s actually more rare and it, and the good news about being small like us, right, is that a lot of times we’re not gonna be hacked. They’re not gonna target us. Jones Day was targeted, again, it wasn’t a hacking as I understand it, it was really just social engineering, but we as smaller fish. We’re not gonna take that kind of attention.
What normally happens for us, and actually it looks like maybe in this case for Jones Day, even though it was targeted, is [00:09:00] much of the social engineering or phishing, right? And these are the emails you’re getting saying, oh, click here for it to get your file. Or the one that I always laugh about is a text or email saying from, from, usually it’s from a partner to an associate or an owner to an employee that says, Hey, are you in this morning?
And they say, yes. And it says, Hey, can you buy me these gift cards? Like, I don’t know anybody who hasn’t gotten it. We got one today. One of my attorneys said, Hey, your email is in quarantine for some reason, I am in the office today. And I said, show me a screenshot. And I said, yeah, yeah. You know, that was from Gmail.
It wasn’t to my actual email address. Right? But then what what happens is you click a link, right? And a lot of times you click the link. And then sometimes it’s malware that’s installed on your computer. Sometimes it’s just they get access. So it says, Hey I’m your IT company. I need access to this thing or whatever.
Even if you have multifactor authentication, if somebody lets you in, if an employee clicks yes, then they get in and, and a lot of those attacks, they don’t come in and steal data. They don’t encrypt data. What they do is they just sit and wait. And so they’ll lurk and then they’ll see an opportunity then to pretend [00:10:00] to be a CFO directing payment somewhere.
Or a client demanding their money be transferred somewhere. Sometimes they do. A lot of times they’ll, they’ll co-opt a it’s a business, it’s an email compromise. Well, they’ll co-opt your email account. They’ll put on rules so you no longer get any incoming messages. They go to trash. So you don’t even know something’s wrong.
They get your contact and then they use your email to propagate to other people to try to get bigger fish. And that happens quite frequently as well. So it can happen a number of ways. Right. And, the key is be prepared. And I’m happy to sort of talk some high level stuff not be too technical on how to do that, but you wanna have the right planning, you want to have, you definitely wanna have the right insurance, which we could talk about that too because it’s, it’s not a one size fits all like it is with general liability or auto insurance for cyber really.
And then make sure you have the right help. Make sure you have the right IT company that knows what they’re talking about when it comes to cyber, which unfortunately isn’t. As many as you would hope. There’s a lot of really good IT companies, but they don’t have the cyber chops. But there’s, it’s not a hundred percent.
So you have to absolutely be vigilant. [00:11:00] You gotta train your people. Your people are your weakest link, not because they’re bad employees or stupid or lazy. We’re just human. And that’s why social engineering works so well. And it sounds like for Jones Day, it sounds like that’s what happened. Again, I don’t know ’cause they didn’t disclose it, but it sounds like they targeted this guy and somehow got him to click something or accept something or do something.
Maybe and, and got in. So it, it, it is scary for sure. A hundred percent.
Jonathan Hawkins: And so that’s the thing. So like you said, the people are the weak link and you can train, you can tell ’em over and over. But it’s all, they get you when you’re sort of sleepy. You’re busy or you’re multitasking and you just, they get you. And so, you know, what are some ways, I mean, lemme back up too.
So, you know, usually you click a link and then maybe they ask for more information is the clicking of the link enough or does it usually require more information to them?
Kellam T. Parks: No, it can just be clicking the link. So if you click a link and you don’t have the right software installed, you don’t have the right protections installed. That can, first [00:12:00] of all, it can take you somewhere where you start to, and this is a lot of times you see where these foreign based people such as China or India, they target older people and they go, oh, you know, you owe Microsoft a bill click here. Give us your or bank transfer. Give us your login information so we can give you your refund, or you won the lottery, or whatever it is. In a business setting, a lot of times you’ll click a link and it’s a file transfer saying, Hey. You know, download this file here.
And it may be that a lot of times what happens, and we had this situation at my law firm about eight years ago. Luckily it didn’t, we caught it in time. But before we have all the protections we have now I was just getting into cyber and we hadn’t beefed up our protections to do all the stuff I’m gonna tell you need to do. But what had happened is another attorney in another law firm had gotten compromised.
The bad guys watched and saw what was going on. They saw that attorney and one of my attorneys was working on a project together and that my attorney was waiting on a file from the compromised attorney, and so an email came from the compromised attorney’s email. It was a [00:13:00] real email from the attorney because bad guy got their account sent a link to my attorney going, Hey, click here for the file. Which he was expecting, but it wasn’t the real link and click the link, which then led to somewhere that looked like it was, I think Dropbox at the time. It wasn’t, and it installed a program that led had access to the email. Which again, we caught it before we were compromised or had a real breach, but that a lot of times happens.
So a lot of times it’s, and you won’t know that something’s installed, right? So it just, it’s on the background. Sometimes it does lead somewhere else where you’re actually inputting information. And the key is because your people are your weakest link, what you wanna do is you want to, you do want to train them.
So training, I can’t tell you how important that is, and if you tell them what’s happening and you give them ongoing training, it raises awareness. They don’t get fooled as often, but like you said, even people that should know better sometimes fall. So you wanna have the systems in place to where it catches it.
So what does that mean? Alright. Having a firewall and virus [00:14:00] and malware protection isn’t, isn’t enough. That, that’s basic level stuff. And by the way, unfortunately I deal with a lot of businesses and unfortunately a lot of solo turned in smaller firms that don’t have even the basics, which surprises me, but they don’t.
But what you also wanna have is you wanna have other things. So you should have multifactor authentication or two factor authentication installed on every possible thing you can have, right? That should not be a, maybe, that should be a requirement on every single thing. And most things have it available these days.
So Microsoft, Google, whatever. You also wanna have something called EDR, Endpoint Detection and Response. Right? And what this is, is that software like SentinelOne is the one we use. There’s lots of them out there. It gets installed on the devices and it’s machine learning that is monitoring the behavior of your machine real time.
And it’s looking for anything weird. Weird programs running. It’s looking for weird downloads in the middle of the night, or data or access that is unusual. It’s looking across just all these data points to say, Hey, something weird’s happening, and it, and then it alerts, it stops, right? So what happens is if you click a link, [00:15:00] then the EDR should a lot of times catch it.
We pair that with also what we call a, a SOC, a, a security operations center. So we have a 24/7 manned operation center that we pay for that. The EDR clicks if it happens at two o’clock in the morning on a Friday, which no one’s working. I want my attorneys to work, but that they’re not working at 2:00 AM on Friday for some reason.
But at two in the morning, something happens. And that then alerts the SOC and the SOC can turn off the internet or can do something real time until my IT cybersecurity company can get to it on Monday. So if you have those three, and then the fourth thing, which is I find a lot of companies don’t do, is what we call conditional use policy.
So a conditional access policy, right? So a conditional access policy is you’re, you’re putting some sort of condition on how you can access data. It may be. You have to do it like only IP addresses from the United States can access, which we have by the way, which isn’t that great ’cause you can use a VPN and pretend to be from anywhere.
But one of the things that we do, which we found very effective, is the only way that you can access our data. So our SharePoint data, our [00:16:00] Microsoft data, that kind of stuff is if you’re, if you’re accessing it from a device, phone, tablet, computer that we own or manage. So even if you somehow bypass my, you get my password, and even if somehow you bypass our.
Multifactor authentication. If we’re not accessing it from a computer that we own or manage, you cannot access our data. So that’s one step that goes beyond. So even if, so, if a bad guy somehow gets into it and they’re trying to access it from not one of my computers. They can’t get it. And that one step along with everything else that we’re doing really ensures that it’s gonna minimize not a hundred percent, but minimize.
And we haven’t had, you know, we haven’t had a data breach in, in eight years or over eight years because it’s now, we’ve had lots of incidences. We’ve had lots of attempts, we’ve had lots of weird things happen. We’ve had a couple of MFAs that shouldn’t have been clicked that were clicked because people weren’t paying attention.
But the conditional use with all this other stuff stopped them from accessing their stuff.
Jonathan Hawkins: Wow, that’s a lot. So,
Kellam T. Parks: lot. I try to keep it high level, but I know
Jonathan Hawkins: [00:17:00] but no, that’s, that’s, that’s great. So, I mean, sort of the, you know, the phishing, the social engineering, the thing you mentioned a minute ago, it was a real email from a real attorney and your attorney was expecting the attachment. I mean, you, there’s just. I don’t see how you can, that’s not a, so I mean, how do you prevent that?
I’m not sure you can.
Kellam T. Parks: Well, the only way I would say the only criticism I have of, of that particular incident is had the at, had my attorney hovered over the link. You would see that it’s not Dropbox. So, by the way, you can spoof a link too. So if you have a sophisticated criminal, it’s not really hard to spoof the link, but all you had to do is, and I I will tell you now, but would you expect them to hover over a link that you’re expecting an email from?
I do. Why? Because I’m paranoid and this is what I do for a living, but I don’t, I don’t hold that. But so much against now where, where I do have issues is when I, you know, my employees are, otherwise they get some email. We had one the other day, there was an email came to us, supposedly from me about to pay a bill [00:18:00] and it looked, if you look in the chain of the email, it did have my actual email address and everything else.
It looked real. But then the last email that was sent to my person had my email address at outlook.com or something, and it wasn’t my email address. And I said, well, it’s right there in the CC line. But that’s part of what you have to train new people to do is take a second look at everything. And by the way, we changed our standard operating procedure.
We caught that. It didn’t become an issue, but we, the new standard operating procedure is because that person had emailed to me something instead of calling me and I said, Hey, don’t email, because if somebody is actually in our system, they would’ve seen you email me and then who knows what would’ve happened.
Call me next time. If, if you have some question, just pick up the phone and just say, Hey, did you send this to me?
Jonathan Hawkins: Yeah, we did that a while back at my firm. I said I am never gonna send you anything. Via email asking for this, this, this, this, and that and the other. You know, if I need that, I’m either gonna pick up the phone or walk down the hall. We use Teams chat. Maybe I’ll go through there.
Uh, but that that could probably get hacked too.
Or [00:19:00] but you know, you are not gonna get an email from me asking for certain information. You’re just not
Kellam T. Parks: sure. No, I think that’s great and that’s why you should have planned. Yeah, for sure. That’s part of the planning. And that’s about how, and I prefer, actually, I prefer that more than the incident response. So I do incident response where if you’ve been breached or, or there’s an incident, I get hired to come in and hire the forensics company and work with them, and they do the required notices and do data mining and all that sort of stuff.
I don’t enjoy that as much because my hair’s on fire and it’s, it’s hard and it’s a lot of work. It’s lucrative. But it’s, it’s hard work and, and unfortunately it takes a lot of my personal time, and as you well know, I like to run the firm more than, than doing the, the, the, at 26 years into it. I prefer running the thing instead of doing the thing.
But about half of what I do now, and I hope it’s larger in the future, is planning. And I work with companies and law firms across the nation. Because the planning is really consulting, I don’t have to. To be a lawyer really to do. It helps, but I don’t, I don’t practice law in other jurisdictions that I’m not licensed in, but I do planning, and that’s part of it is I do the tech policy for companies where I come in and I go, okay, here’s what [00:20:00] you should do.
Here’s how you communicate. You need to put this in your handbook. Have everyone sign off on it, and that’s part of the standard operating procedures. Hey, these are the things we don’t email about. Here’s how we’re handling it. Here’s how you can use the tech. Here’s the things, here’s our policies. Again, to keep everybody on the same page and make sure that you’re as least locked down as you can be. It’s important.
Real quick, if you haven’t gotten a copy yet, please check out my book, the Law Firm Lifecycle. It’s written for law firm owners and those who plan to be owners. In the book, I discuss various issues that come up as a law firm progresses through the stages of its growth from just before starting a firm to when it comes to an end.
The law firm lifecycle is available on Amazon. Now, back to the show.
Jonathan Hawkins: All right, so I wanna go through some of that before we, I wanna circle back on the, the multi-level protections you talked about. So the EDR and the SOC and conditional access, is that something that you would expect your IT company to do all that for you? I mean, who does that for you?
Kellam T. Parks: Sure. Yeah, a hundred percent. So, so part of part of what I advise, so, so your initial question was how, how do, [00:21:00] how are we possibly, if Jones Day can’t, can’t protect themselves, how am I supposed to protect myself? And the answer is, get good help. So you need to hire a competent it, a competent IT vendor who has cybersecurity information.
And so, and it may not be. So I, I, again, I’ve, I’ve seen a lot of these small and solo firms that their nephew Bob or their niece Jane, is their IT person and, and maybe they’re qualified, maybe they’re not. And one step up is they have this IT company they’ve used for 20 years and they’re really good at setting up computers and changing passwords.
But you need a lot more than that, right? You need somebody that understands the cybersecurity space. The good news is you don’t have to have a large company that’s gonna charge you a bazillion dollars that you can’t afford because a lot of the smart IT vendors are now partnering with larger companies like Arctic Wolf is a national company that’s a big player in this space for cybersecurity.
And what they do is they license their expertise and tools to these smaller MSPs, these IT vendors, and say, Hey, you’re setting up their computers. If you’re handling their printer tickets, you’re handling [00:22:00] their, you know, their, their day-to-day IT operations, but you don’t know, I, you know, you, you don’t have the tools or the knowledge to do cyber.
Come license our product. We will help, you know, we will run their SOC, we will run their EDR, we will do this and that, and so you can do that as a third party. We actually have a company, they’re outta Suffolk, Virginia, which is nearby where I live in, in Virginia Beach, Norfolk area. They’re national though.
They work national and they work with, actually, I’ve put ’em in touch with a couple of law firms across the nation, but they, not only do they do IT work, so they set up a computer, they do all the remote, ’cause you know, the IT tickets and that kinda stuff. But they have the cybersecurity knowledge and I’ve used them for incidences as well.
So we paid them to do that. So they have set up the EDRs, they’re managing the SOC, they’re doing this, they’re doing that, they’re making sure we have our, our computers are already the, the conditional access, which is, is a piece of software, but it does cost money. So we have, just give you an idea, we have 36 people.
We have three offices in, in two states. We have five remote workers that are outside the United States, [00:23:00] and between all of our devices and everything and their help and everything else, I think it costs us about 13,000 a month. But that’s all our IT work, that’s all. I mean, again, that’s a lot of money, but we have 36 people that, that’s all the license.
It’s all our Microsoft licenses. It’s ev all the security for our system. It’s, it’s, they’re handling our IT work five days a week. It’s quarterly planning. It’s coming to our offices four times a year. So we get a lot. It’s not cheap, but it’s something, as a mid seven figure firm, it’s, it’s a no brainer for me to pay that.
It’s not something you can chance out on, which unfortunately a lot of law firms just do. They just don’t either. They don’t know about it. I think a lot of times they just don’t wanna pay for it.
Jonathan Hawkins: So, okay, so question about the IT vendor. It sounds like, you know, every, and people across the country listening to this, you know, they’re thinking, well, who, who can I get locally or do, or do I, you know, are the options available that, that you don’t have to be local. It sounds like the company you just mentioned does stuff all over the country.
And if they did have questions, I assume they could reach out to you [00:24:00] and you might be able to help them out in terms of vendors to
Kellam T. Parks: Yeah. Yeah, absolutely. So couple things there. One is the company that, that, and I don’t have an interest in ’em, and a, but they’re great. It’s Layer Nine is the company we use, but they don’t wanna deal with anybody, you know, their ideal people are professions like us, which is great, but they also want a certain number of people to where it makes sense, right?
So if I have a true solo, or I’ve got a, a shop that’s got like five people, they’re not a good fit. With Layer Nine, it’s gonna be too expensive and, and too time consuming. So I’ve got other vendors that I use. What I will say is this is if. If anybody does have questions, I’m always available. I’ve put together a guide, a, a cybersecurity guide for law firms that the first half of the guide specifically talks about this.
It says, Hey. These are the, these are how you hire a good IT vendor that has cybersecurity information. These are the questions you should ask them to make sure that they’re qualified. I’ve tried to keep it pretty high level because a lot of, most lawyers aren’t tech people and I understand that. I can sympathize with that.
But these are, these are the kinds of things you need to, to verify. And then actually the second part of that guide [00:25:00] is, here’s high level, how you protect yourself. And kind of what I went through is, hey, you have a conditional access policy, you’ve got a managed SOC, you’ve got this kind of software, and I’ve given that sort of as a breakdown.
And so if, if anybody wants that guide, they can get it off my website which is, and we can put it in the show notes later, but it’s pzlaw.com/cybersecurity-guide. So if you go to that website and just click that it’s a landing page, just gimme your name and email and I’ll send it and you can download the guide.
But yeah, and they can also just email me. I’m always happy to talk about this stuff. Because it’s important. I mean, it’s not just business for me, it’s, it’s absolutely, it’s almost a mission for me to try to educate people because having a breach, even an incident that’s not a breach is very disruptive, as you said.
And as a lawyer, you theoretically could lose your license if you’re not confidentially, you know, protecting your client, client confidential data. So it’s a big deal.
Jonathan Hawkins: Let’s talk about that a little bit. What are some of the, the thing, and I don’t wanna scare everybody to death, but maybe we should be scared. I don’t mind scaring them. Right. I want to Right.
Kellam T. Parks: I want, I want [00:26:00] ’em to things? You know, what are the things somebody just says, I don’t worry about it, I’ll just deal with it. If it happens, tell me. You know, I, I know personally some of the things I’ve seen, not, not that have happened to me, but that have happened to others that I know, but
Jonathan Hawkins: What are some of the things that typically you would expect to happen if one of these ransom or data breach attacks happen?
Kellam T. Parks: Sure. So, let’s talk about best day scenario. If you’re compromised in any way, your best day is they’ve gotten into your system somehow, and you caught it fairly early. Maybe they just got into your email. You hire and you have to do an investigation that’s part of your duties and every, by the way. And it’s very difficult, but every state has their own cybersecurity law and there is no, the only federal laws apply only in certain circumstances.
So if you’re in finance, there’s a law. If you’re in health, there’s a law. If you’re military, there’s a law, or a contractor, but otherwise, it’s state by state. Which is difficult for somebody that deals with people in all 50 states, but you look to your state and [00:27:00] almost everyone says you have to take reasonable steps. So what do you have to do? You have to investigate, right? So you gotta hire some forensics firm to come in and figure out what’s happened, assuming they can actually tell what happened ’cause a lot of my clients don’t have the high enough level of Microsoft, or they don’t have the right auditing capabilities or their IT. I have one right now. The IT guy didn’t click a button.
And so they were unable to go back more than seven days to figure out what happened. Okay, well, because they can’t tell what happened now we have to assume the bad guys got into everything. So now I have hundreds of gigabytes of data that I have to send out to what’s called data mining. So you send it out to a company to figure out is there any personal information or health information in this data just to figure out if there’s been a breach or not, right?
This is not whether or not there is a breach yet. So now you have to, you have a disrupt. You have to protect the system. You’ve gotta make sure that your system’s secure. Now you gotta do the investigation. Then if there’s a breach, now you have to notify the people in a certain way. You have to usually notify the attorney general in your state a certain way. God forbid it’s [00:28:00] HIPAA ’cause then you gotta report it to HHS and you can get fined out of existence. That’s your best day. Your worst day there is this big breach and oh, by the way, they’ve encrypted your data and that’s when you find out. I had a client about 10 years ago, that’s when they found out their backups didn’t work.
They never tested their backups. So somebody got into their system, encrypted their data. They said, ah, don’t worry about it. We back up every day. No, they hadn’t backed up in six months. So they didn’t have any choice but to pay the ransom because they didn’t have any backups. So then you have to maybe pay the ransom if you can afford it and, or it, it, they’ll even give it back to you.
Sometimes you pay the ransom and they give it back to you, but then they publish it or sell it anyway. And they could steal your money. So I had a client, another horror exam. I’m sure I’m scaring the, the bejesus side of your. Your audience, but I think it’s important to know the bad parts that can happen, why it’s important to plan.
But I had a client that somebody got into their system and they just sat there and this particular client was in a like a construction type industry. And they had one client that owed them about a hundred thousand dollars and they had, [00:29:00] they were buying a piece of equipment from out of state for like a hundred thousand dollars.
The bad guys saw this happening and said, okay, now’s the time. They pretended to be the sales company and said, Hey, pay us for this equipment over here. Then they pretended to be the company and sent to their client and said, oh yeah, pay your bill here. A hundred thousand out the door, a hundred thousand supposed to come in, went somewhere else.
And that’s only when they figured it out. So they lost $200,000 and had to secure everything. So these are the horror stories that can happen. And the last part is, is a lawyer. You have a duty under every state’s, I’m sure. Certainly the ABA, and I’m sure every state has the same similar. A requirement to take reasonable steps to protect your client data.
And if you don’t take those reasonable steps, which I don’t know what that means, some states like Virginia, where I’m mainly where I’m personally licensed, and we’re also in North Carolina, but Virginia, we actually have listed out in, in three comments 19, 20, and 21 to the rule says, Hey, this is what we mean by reasonable, which is nice.
It was back in 2016, we admitted that other states don’t, but [00:30:00] basically you have to take a certain amount of reasonable steps and if you don’t. Not only can you have all these headaches and business problems, but theoretically you could be censored, right? Maybe lose your license. So that’s why you gotta protect yourself and then get the right insurance.
Insurance is critical because it’s gonna cost a lot of money, and you talked about business interruption. A good in a good insurance policy will pay for that interruption.
Jonathan Hawkins: So, yeah, let’s, let’s, let’s talk about insurance. We’ll talk about insurance and then there’s one, one other big topic I wanna talk about. So, what do we do about insurance? You know, I’ve talked to you about this offline. You know, everybody’s selling insurance, but not all the insurance is the same. So how, how should people go about thinking about buying the right insurance that has really the, the, the right protection and coverage for them?
Kellam T. Parks: Sure. Yeah, so that’s sort of difficult in that we’re, we’re used to general liability insurance or malpractice insurance, or auto insurance, or fire insurance, whatever. Those policies have been around forever and so. Typically it’s like, Hey, I just, I just wanna know how much I wanna spend, and you want to get a good [00:31:00] insurance company that will, you know, not mess around and will pay the claim fine.
But you kinda know what you’re getting. It’s like, oh, I know I want this kind of coverage and this how much I want, and the terms and the, and it’s usually state regulated and they’re gonna be fine. Cybersecurity is not there yet. So cybersecurity is new enough that really, the definitions and the exclusions can vary pretty wildly between policies.
And there are a lot of companies that don’t, aren’t. Awesome. Like they don’t handle claims very well. I’ve got a client right now that had a policy they called me. There was an incident. He put them on notice. He didn’t get a response. Day two, I’m hired, I call them, and by the way, his insurance policy said, you have, we have to give you permission to hire somebody not on our list.
And I don’t sit on insurance panels, so they usually let. Do it at, at whatever rate, they’ll, they’ll authorize, but I have to get permission. So I’m, I’m calling them day three, day four, day five, day six. I’m emailing, I’m calling. I’m like, guys, this is a data incident. Like, normally these guys get back to you in 24 hours.
What is going on? And I think it was day seven when we finally got a [00:32:00] response from somebody. I’ve since advised that client to change insurances but they did authorize me to do it, and they’re gonna pay for the claim and that’s fine, but. You, you wanna make sure that you, again, you have, you know what you’re getting and how do you do that, right?
Because maybe even, you know how to read an insurance policy. Odds are you’re not a cybersecurity expert. So, even if you know how to read a contract, an insurance contract you may not know what the terms are. So. What I advise is getting a good agent that knows cybersecurity. So I have several cybersecurity agents that I work with across the country where I say, Hey, you know, they specialize in this so they know these are the types of policies you need.
This is how much coverage I think you should have. And these are the companies. So there’s three main cybersecurity companies I like there. There’s other good ones. I’m not saying these are the only three, but the three that I prefer. Or Coalition, that’s who we use and that’s who I know a lot of larger firms as well use.
I really like them. At-Bay. And then CFC. So these three companies are the three that I really like. Their cybersecurity, I like their [00:33:00] language. Their exclusions are reasonable. The way they handle claims are good. They know what they’re doing. And Coalition is actually pretty proactive. They’re gonna say, Hey, here’s some training, here’s some tools, which makes sense, right?
They. The more they can protect you and the more that you, you won’t get caught, the less they have to pay. So they’re actually proactive, which I really like. So those are just three, but mainly get a good agent and your business agent may not be that agent, even if they’re great because they just may not have the cybersecurity expertise.
Jonathan Hawkins: And so that’s helpful. So, you know, you wanna set up your protections hopefully, and train and all these, hopefully you don’t get breached, but if you do, then you wanna have a good insurance policy in place. So this all been
Kellam T. Parks: yeah, lemme just get two, two other things too. ’cause a lot of people ask me, well, what are we looking at? Like, how expensive it is. It’s not that expensive. So we have, so our million dollar policy is about 3,300 a year, and we have a million dollars in coverage, I think with a $10,000 retention.
So at most I’m gonna pay, I’m gonna pay $10,000 out of pocket. They will cover to million dollars, which will cover [00:34:00] everything from the forensics to the lawyer because even though I do it, I’m, if we ever got breached, I’m not handling it. Like I don’t have time for that. So I, I’ll coordinate it, but the lawyer, all the notices, the forensics business interruption.
And the way our policy reads is they will hire an accountant to come in and figure out what our loss is, which I like, because then I don’t, I mean, I still may fight with them, but at least they’re gonna do the initial work and pay for it. But yeah. So a 3,300 for a million and, and you’re more likely to have an in a cyber incident than you are for your place to burn down.
Jonathan Hawkins: Yeah, that’s not bad. thing. No, it’s not better at all. It’s.
Okay, so last topic. This is one, this is, we’re going back to the news here. This is, I came across it in the last few days. I don’t know how, how long it’s been out there, but Anthropic, so the, the maker of Claude, they, they’ve had this new, I don’t know if it’s a new model, whatever it is, something called Mythos.
And so I’m reading about it all over Twitter, that they started to test this thing out and. It started finding on its own, I think all these vulnerabilities in basically every software everywhere that we all [00:35:00] use. And they said it’s so powerful and it scared ’em so much that they said, we’re not gonna release it.
And instead they brought together all these heads of various software companies and they’ve created what they call Project Glass Wing. So what have you heard about Mythos and is it all hype?
Kellam T. Parks: Yeah.
Jonathan Hawkins: on?
Kellam T. Parks: So from whatever, and as you know, right? I do not that I program AI, right? But I’m into AI. We use AI, I teach other lawyers how to use AI. So I’m pretty familiar with this space, both from a cybersecurity angle and an AI angle. The TLDR of this is, it’s a little hypey. It’s also not, so it’s, I think it’s the middle ground, right?
Which is good ’cause that’s sort of where it usually is, but yeah. So basically it’s a frontier model they came up with, was very strong at code reasoning and vulnerability discovery. The goal was defensive, so what they wanna do is because the time between, finding a vulnerability and patching their vulnerability is getting so quick.
So the bad guys are using tools. They find their vulnerability faster than it can be patched and Anthropic said, [00:36:00] Hey, maybe we can use these AI models. Maybe we can come up with something that’s able to identify these vulnerabilities before the bad guys do. Which is a great goal where people started to freak out a little bit because it’s so good at what it does that they said, Hey, if the bad guys get this, right? Because it’s not public yet. But a lot of these become public source. If it gets out there, the bad guys now, idiot bad guys with a can at oppressive, a button can do what elite hackers used to be able to do in a week. They can do with a press of a button in an instant, and it’s gonna be unable for anybody that doesn’t have Jones Day level money to be able to respond effectively.
And so people were like, whoa, whoa. And so Anthropic said, you know what? That’s probably right. So they said, we’re not gonna release this. They created this Project Glass Wing where they brought in AWS, Microsoft, Apple, and they said, okay, we’re gonna give you. You guys are now in this playground, right? It’s a private playground.
You guys mess with this. You guys figure it out. You see what we can do with it. And there’s been mixed views. So some experts are [00:37:00] saying it’s overhyped and saying, look, actually, some of these older models could do this too. It’s, it’s not that it’s not exponentially better at it. Some are saying, Hey, it’s the real deal.
Like, no, this is really it. This is game changing, which I think is honestly that, I think that’s the opinion on most AI people go, like one of ’em, Claude Cowork. Or Claude. Yeah. Was it cowork or just the code? But Claude just came out with a word add on and some people are going, oh, it’s super over hyped.
It’s nothing else. And then other experts, I really like, oh no, this is a really big deal. I don’t know, somewhere in the middle maybe. But in any event, I think it’s important though that it highlights the danger of AI is that anything that AI can do for good, it can do for bad, which is why it’s such a big deal for nation states.
You know, maybe as American government, you know, we don’t always make the best decisions a lot of the time, I would hope that we’re not, you know, trying to overthrow the world necessarily. But, you know, I’m not, we won’t get into that, but, but you know, there are like, you know, China or [00:38:00] Russia or North Korea, you know, they very well may have very nefarious means to do these things.
And if they have these models and they’re using it for war. What’s gonna happen? Right? And that was sort of Anthropic’s stand on their AI model. They said, look, it’s not necessarily that we’re anti-protection or, or government. As I understand, their argument is, our AI is not ready for prime time, for fully automatic drone warfare, so we’re not gonna do it.
And the US government said, well, okay, now you’re a danger and we’re not gonna do any business with you. And they’re litigating that, fine. But that’s sort of the thing is, look, if AI can do good, it can also do bad. And, and we just have to be really careful about what it’s doing. And I think Anthropic made the right call here to say, okay, let’s take a step back and not just open Pandora’s box to the extent we can.
Keep it closed for as long as we can keep it closed. So I, I think it was a good, good decision.
Jonathan Hawkins: Yeah, it’s interesting. I I, one thing again. Who knows if it’s hype or not, but it, I, I read that the US government had an emergency meeting, I think it was [00:39:00] the treasury, the Fed, and a bunch of the big bank CEOs. And apparently that kind of meeting has not happened since the great financial crisis. So everybody’s like, just the fact that they had the meeting
Kellam T. Parks: Yeah,
Jonathan Hawkins: a lot.
Kellam T. Parks: absolutely. I mean, it, look, it’s, it’s. What AI, what we see AI can do, AI can do a lot more, right? It’s sort of like DARPA. So the military arm of the technology, you know, for the government, DARPA, they’re doing amazing things with technology that we don’t even know about, right? Everything is about five to 10 years more than what we even potentially know as consumers.
And you have to believe that that’s where AI is behind closed doors as well, which is pretty astonishing if you just know what AI can do today, like what you and I can do on Claude Cowork is pretty radical. And that’s just publicly released now. So, but yeah, no, I think it’s smart. We gotta. It’s really interesting.
I, because I’m a computer geek and a nerd of course I’ve really sort of done a deep dive on this and there was a really long paper somebody had written this is probably a year [00:40:00] ago, and basically had this long dissertation about AI and the future of humanity and all this sort of stuff. And one of the things that the guy was talking about though was we really should have treated these AI algorithms like the Manhattan Project, and instead we’ve treated them like a Silicon Valley.
You know, tech app. And the problem is now that it’s out there, you can’t bring it back. And it iterates so fast that, you know, Skynet you know, it made me think, which I always joke that I teach about AI all the time so that maybe they’ll make me a paperclip last, you know, I’m like, Hey, no, I’m, I’m good.
I was telling everybody you should use you, right? So don’t eat me loud, you know, don’t eat me first.
Jonathan Hawkins: Well, well, well, next time you come on the show, my AI will reach out to yours and they’ll just do the show and we won’t even have to be there.
Kellam T. Parks: Well, this is an AI avatar you didn’t even know, but I’m just saying. Right. That’s funny. That’s funny.
Jonathan Hawkins: Well, Kellam this has been actually very illuminating for me. Before we wrap up. Any parting advice or thoughts for, you know, law firm owners out there on how best to sort of get their heads around this and protect themselves.[00:41:00]
Kellam T. Parks: Yeah. So I mean, again, I know I laughingly said I wanna scare you. I kind of do in the sense that I just want. Everyone needs to pay attention to this. And I say every single business needs cybersecurity planning in some level of insurance. And I’ve got clients, I’ve got a three person operation landscaping company, right? They hired me to give them some basic level advice like a data breach avoidance plan, which we work through all this stuff, get you the right insurance, make sure you’re locked down an incident response plan to make sure that you know what happen ’cause you don’t wanna build a bridge when it’s on fire.
A tech policy to make sure, a disaster recovery plan and you have the insurance, you have these plans in place. In my opinion understanding, yes, I do this for a living, but it’s something you really have to do because the odds that you’re going to have an incident, it’s going to happen. It used to say when something happens and then it said it was, if something happens now, it’s when something happens and it’s when it happens again. So you’re gonna have an incident, it’s gonna happen more than once.
And the better prepared you are and the more financially secure you are with insurance. The [00:42:00] more resilient you’re gonna be because you’re not Jones Day and you’re not gonna survive a big hit. I think the average cost of a data breach is mid six figures if it’s of any significance and if you don’t have insurance, that’ll put a solo wonder. So it’s just, you’ve got to be protected and you’ve gotta have insurance. And I’m always happy to talk about it. Again, I’ve got that free guide, which if you go through, we’ll give you some pointers to start but yeah, I’m always happy to talk about it. I just wanna make sure people are protected ’cause it’s such a big deal.
Jonathan Hawkins: And again, so the best way to, to get in touch with you if somebody wants to reach out and discuss planning or whatever deeper.
Kellam T. Parks: Sure. Yeah. So if you just go to my website, pzlaw.com, you can just find me there and, and the guide’s on there at pzlaw.com/cybersecurity-guide, but just pzlaw.com. My email address is kParks@pzlaw.com. You can find me on LinkedIn. My name, my first name’s weird, Kellam, K-E-L-L-A-M. So if you Google me, hopefully find me so.
Jonathan Hawkins: And if you send Kellam an email that says, click this link he’s gonna delete it and.
Kellam T. Parks: Yes. I have Are you in this morning? I have some gift cards. Right. I will not respond to those. We’re good.[00:43:00]
Jonathan Hawkins: Exactly. Well, Kellam, again, thanks for coming on, man. It’s, it’s good to catch up.
Kellam T. Parks: It’s always good to see you. Thanks so much for having me.
Outro: Thanks for listening to this episode of the Founding Partner Podcast. Be sure to subscribe on Apple Podcasts, Spotify, or wherever you get your podcasts to stay up to date on the latest episodes. You can also connect with Jonathan on LinkedIn and check out the show notes, with links to resources mentioned throughout our discussion, by visiting www.lawfirmgc.com. We’ll see you next time for more origin stories and insights from successful law firm founders.