1984 alumna Karen Painter Randall has established herself as a nationally recognized authority in cybersecurity. She is the founder and chair of the Cybersecurity and Data Privacy practice group at Connell Foley LLP in New Jersey, serves on the ABA’s Cybersecurity Legal Task Force, chairs the New Jersey State Bar Association’s Cybersecurity Legal Task Force and is the vice chair of USLAW Network’s Cybersecurity and Data Privacy Group. She will oversee the University of South Carolina School of Law Cybersecurity Legal Task Force, an initiative that will focus on education, collaboration and information-sharing with key partners across disciplines including academic institutions, law enforcement, federal and local agencies, and commercial entities to better inform the legal profession and public on cyber risk and mitigation strategies.
You earned your bachelor's, master's and law degrees from the University of South Carolina. Do you have Southern roots?
My family is originally from St. Louis, Missouri, but I’ve had 12 family members graduate from Carolina so that’s close enough. I am so proud to see Carolina’s academic reputation grow, making it an educational destination for students well beyond our borders.
How did you get interested in cybersecurity issues?
The world of cybercrime and cybersecurity is a rapidly evolving landscape. More than 10 years ago, I saw cybersecurity as an unlimited growth area and critical to the fabric of modern enterprise including transportation, electricity, financial institutions, health care and the legal profession.
What do you see as the biggest cybersecurity threat law firms face today?
Law firms are ripe targets for computer hackers because they are repositories of sensitive client information. Although there are many ways a data breach can occur, a ransomware attack is devastating because the malware encrypts files and makes them inaccessible until a ransom is paid in cryptocurrency. The collateral costs can include destruction of data, downtime, lost productivity, response costs and reputational harm. This type of attack put global law firm Mossack Fonsecar out of business.
What’s the single most important thing lawyers can do to protect themselves from a cyberattack?
They can no longer relegate cybersecurity to the IT department. Law firms need to take a holistic approach, developing risk assessments, policies and procedures, response plans and teams. Conducting regular security training for all staff is crucial. Hackers have figured out it’s easier to target people than sophisticated security systems, so instead of trying to break into a business's database, they try to trick an employee into giving them access. About 90 percent of cyber breaches stem from human error or behavior. The “people factor” is an often-overlooked, critical element in building a solid defense.
What changes have you witnessed in cyberattacks since you started, and where do you think it might go next?
Cybersecurity has become the wild, wild west of the internet. Cybercriminals are using innovative approaches to monetize information from the comfort of their homes and steal the new 21st-century oil: PII, PHI, IP and financial information. A perfect example is the increase in wire fraud through email attacks involving real estate transactions, where parties are tricked into wiring money directly into a scammer’s account.
Going forward, I believe we will see an increase in the use of cybersecurity analytics and AI to counteract cybercrime. AI may actually help foresee attacks and provide proactive measures against them.
How did the idea for a cybersecurity legal task force at South Carolina law come about?
To the credit of the law school, it recognized the need to move to the forefront of cybersecurity research and education. Creating the task force with faculty members and industry leaders from across disciplines will guide the law school and focus on collaborating with other academic institutions, educating students, members of state bar associations and the public on cyber risk.
The first Cybersecurity Institute is scheduled for April 4, 2019. Who should come and what can they expect to learn?
Insurance carriers and brokers, eRisk Hub licensors, CIOs, CFOs, CPOs, CISOs, IT professionals, in-house counsel, practicing attorneys and industry leaders should attend. Participants will hear from a diverse range of highly experienced government and law enforcement officials, cybersecurity attorneys, security forensic experts, and public relations and insurance professionals about the evolving threat landscape, as well as best practices, mitigation strategies, cyber liability insurance coverage and pitfalls, AI, cloud management, third party vendor management, GDPR, and more.
What opportunities does the task force offer law students?
In addition to educational opportunities for students through webinars and the institute, the task force will work with students to create a cyber bulletin distributed statewide and, ultimately, nationwide. For students interested in a career in cybersecurity, members of the task force will provide guidance on internships, scholarships and full-time positions. We also are exploring the creation of a cybersecurity certificate program for students and attorneys.