Fox Rothschild’s Chief Privacy Officer: We See Hackers Every Day

This week, Fox Rothschild named partner Mark McCreary as its Chief Privacy Officer, a position found at few, if any, other law firms.

McCreary, who is based in Philadelphia and advises companies on privacy-related issues, said he’ll be setting the firm’s cybersecurity policies in his new position.

The position will likely consume 20 percent of his time, he estimated. Fox Rothschild does not have a single chief security officer, but instead has a committee that oversees security.

“Their big concern is the technical aspects not the policy,” McCreary explained. “We tell them what to do with the data. So, for instance, if we tell them we want to store emails for 90 days, they’ll figure out the most proficient way to do that. I’m the guy that comes up with what the policy should be, or who collaborates with the IT department, and looks at the policy they come up with to make sure they comply with the law and that it makes sense.”

Below is an edited transcript of his conversation.

Big Law Business: What are some of your plans for this role?

McCreary: We’re going to become ISO certified sometime next year. The 27001 ISO certification is the certification for law firms. It tests the security and policies of law firms. In our process, they came in and told us, hey you’re actually in pretty good shape, but we have suggestions for you.

Big Law Business: What kinds of stories have you heard about law firms being hacked?

McCreary: The stuff where you have law firms get hacked, like by Chinese hackers, people don’t talk about it. The FBI’s investigating or something’s happening. The biggest problem is internally people hacking. That would keep me up at night. The idea that employees would have access to information that they shouldn’t have and use it to their benefit. That happens. Then you have an internal hack.

There’s also certainly more and more people trying to get in and we see it on our servers on a daily basis. People pinging and not quite doing denial of service attacks but looking for ways to get in. The one thing you’ll never hear me say is that no matter what you do you’re hack proof.

To me, it’s encyrption. You try and encrypt all the data that you can. It’s really all about the encryption for me.

Big Law Business: The ABA’s recent technology survey found that only around 40 percent of the largest law firms are encrypting data. What’s your firm’s policy?

McCreary: We have every computer and every laptop encrypted. Each restart requires the really annoying password that nobody knows, that you have to got look up. On the mobile devices, we use a third party wrapper ... that allows us to remotely wipe and if somebody leaves their phone at the restaurant, we can deal with the situation. But on any device, as soon as you turn the screen off, you can’t check your phone again without entering the password again. We annoy people with that but those policies are chief privacy officer policies.