Secure your equipment. On a more traditional technical level, make sure you have centralized malware protection, advanced threat detection and remediation software (SentinelOne is an industry leader on this front), and two-factor authentication wherever possible. For those with stricter requirements, also consider hardware encryption and remote wipe solutions.
It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Heinan Landa, Founder and CEO of Optimal Networks, Inc., a globally ranked IT services firm, the creator of Law Firm Anywhere, a virtual desktop solution that helps attorneys work seamlessly and securely from anywhere, and author of The Modern Law Firm: How to Thrive in an Era of Rapid Technological Change. After earning his B.S. and M.S. in Electrical Engineering and Computer Science from Johns Hopkins University, Heinan went on to receive his MBA from The Wharton School of Business. Featured in Legal Management, Legal Times, Chief Executive, Inc. Magazine, Forbes, CIO, and with regular appearances on ABC7, CBS9, and FOX5 TV, Heinan is a trusted leader in the legal, technology, and business spaces.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
My parents and I immigrated to the U.S. from Israel when I was two and a half years old. We settled down in Wheaton, Maryland, and outside of my college and business school days I’ve lived in the DC Metro area ever since. My parents owned a successful instrumentation company, and their stories around the dinner table are what inspired to me to become a business owner myself. So after I earned my undergraduate degrees in Computer Science and Electrical Engineering (my mother insisted I have some practical skills as a Plan B!), I went on to get my MBA from Wharton. And it was during that program that I developed the business plan for Optimal Networks!
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
Back to when I was 15 I was lucky enough to secure an internship with NASA. The scientists there — as you might expect — loved their data, and had some early mini computers and a plotter that would print out graphs for them. The problem was… the graphs printed out in about 2-inch by 2-inch squares that you could barely read. I heard them lamenting these tiny charts, grabbed the manual for their equipment, and managed to get full-page, legible graphs printed for them. They were so happy, and I was thrilled to have inspired such a positive reaction from them. That was the first time I really grasped the kind of impact you can make by helping people use technology better. And, well, here I am decades later, still helping people with their technology — just on a slightly different scale now!
Can you share the most interesting story that happened to you since you began your career?
In the early years of Optimal, we had a bad stretch of turnover. The success of the company hinged on the work of our engineers, and we were really struggling to get them to stay with us. I made two big moves that that point. First, I separated from my business partner and went back to running the company by myself. Second, I came to grips with how pivotal culture is to the overall success of a company — especially for those of us in the business of service. Happy people make for happy clients, and happy clients make for happy people. It seems obvious, but culture is one of those things you have to be thoughtful, intentional, and steadfast about if you want it to work. We articulated the Core Values that drive our behavior, we revamped our entire hiring process to vet for integrity and service-orientation as much as technical competence. Fast forward and we have over a dozen awards for culture and ethics, and a combined 240 years of company tenure across our team.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are, of course, many many people who I am incredibly grateful for. Key among them is my current business partner and Optimal’s Chief Operating Officer, David Campbell. He was part of the team during that period of turnover and transition — and reckoning, if you will! — and not only did he help me find my voice in my own company, but he helped reshape who we are and what we stand for as an organization. Plus he makes work more fun for all of us! One of the most-viewed videos we’ve ever made is of his reaction to finding out one of our engineers was a talented unicyclist — he immediately dropped down onto the ground, splayed out, and had the engineer jump the unicycle over his chest. (It was, thankfully, a successful jump!) I don’t think our folks will ever stop sharing that story.
Are you working on any exciting new projects now? How do you think that will help people?
The biggest project I’m working on right now is launch of new law firm specific cloud and IT service called Law Firm Anywhere. I’m so excited about this service because it will give lawyers and law firms a real step up into the world of seamless mobility in their technology, which has historically not been a strong suit or a priority for them. It actually anticipates their return from fully remote work to a post-COVID mix of working from home and the office to make sure they have the same frictionless work experience from either (and any) location.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
It’s so important to make sure you find purpose and joy in what you’re doing. Everyone has a different type of work that motivates them. Personally, I love planning and being a part of experiences that make people happier than they were coming in. That spans everything from making those NASA scientists’ eyes light up when I showed them full-size graphs, to hosting elaborate themed Open House events for clients and partners with llamas in our office parking lot. The key I think is to identify which parts of your job truly energize you. Which wear you out? How can you adjust your priorities or your focus to do more of the former, and less of the latter?
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
Your requirements will depend on your industry. Many in the healthcare industry, for example, are subject to HIPAA requirements. For those in the financial industry or in the business of taking credit card information, you’re subject to PCI compliance. Law firms, depending on their practice areas, may not have specific compliance requirements, but they do have ethical, contractual, and legal obligations to keep confidential client data, well, confidential. Some industries aren’t regulated at all, and their requirements have little to do with legality and everything to do with reputation and honoring the trust that your clients place in you. It’s important to distinguish, however, that when it comes to reporting a breach that has occurred, each state has specific requirements regarding notification.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
For law firms, state bars set minimum requirements for retaining client data; the general rule — Rule 1.15(a) specifically — in the legal industry is five years, but some states require longer. Overall, best practice is to purge customer information as soon as you are sure you no longer need it. This is for two reasons: (1) there will be less data to be accessed in the event of a successful security breach, and (2) if your business becomes involved in a lawsuit, you won’t be required to produce your client data if you have a good faith operating procedure for deleting it.
In the face of this changing landscape, how has your data retention policy evolved over the years?
We used to keep everything forever! The main limiting factor was not any policy or best practice, but storage costs; you kept as much as you could afford to. That practice quickly went by the wayside as hard drives became more and more inexpensive, to the point where taking the time to cull your data actually cost your business more than the storage.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
As far as policies go, one very helpful thing to do, especially in the legal industry, is to classify your data. This means taking stock of your data and breaking it into three or four categories based on how public or private that data needs to be. In many cases, law firms will split their data into four categories: public, client, business, and personal. From there, build out custom security protocol for each category. You want as few people as possible accessing your data — what we call a “pessimistic” approach to permissions — and backup and retention policies that conform with any regulations or requirements.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
Our clients were most affected by changes to eDiscovery legislation. Today, if the court wants to go after you for data related to a case, they have free reign to go after data on servers, laptops, cell phones, email accounts, backup records, anything. At that point, retaining data “just in case” became quite risky, and the new best practice was to delete any non-essential data in an effort to protect ourselves from liability.
When it comes to future concerns, I am less worried about legislation and more worried about the threat of cyberattacks. Since the pandemic, attacks have quadrupled in number. And the frequency was already mind-boggling! It’s become clear that scammers and hackers have become one of the biggest threats to our data. In response, the overwhelming trend is to (1) educate your team on common scams, and (2) take your data and put it in a cloud environment with more security than you can afford on your own. That way, the fight is waged on more even ground.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Yes, especially in the legal industry. Law firms have traditionally used document management systems to manage their data, and these tools have continue to mature in their ability to sort, filter, and archive data, and keep you aligned with whatever retention policies you have defined. Some of the industry leaders here are NetDocuments and iManage, both of which have cloud versions which is especially necessary in our current remote work environment.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
No. What you want to pay attention to in the aftermath of a breach is how the organization responds. We’re at the point where you can categorize businesses into two groups: those who have been hacked, and those who will be. It is not realistic to expect otherwise. But you can see which companies are worthy of your trust and your business by how they respond, how they notify those affected, and what action they take to bolster their security going forward.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Embrace the cloud. Historically there has been some anxiety surrounding handing your data over to cloud providers. This is misguided. Business-oriented providers like Microsoft and NetDocuments have way more resources to put into their security than we do as individual organizations. We should be taking advantage of that.
- Classify your data. As I mentioned above, different data requires different levels of protection. Classifying your data is the best way to make sure you are only giving data access to the people who absolutely need it, and otherwise locking it away.
- Policy is king. Policy is always a crucial element to enforcing security measures, but this step is especially key to those businesses subject to compliance requirements. Dig into what obligations you have to fulfill, set your policy accordingly, and write it out.
- Train your people. Humans are always the weakest link when it comes to security. Your team must be made properly aware of the policies surrounding your data, and they also must be trained on how to avoid common social engineering scams. Phishing is the leading cause of data breaches, and it all comes down to employee education.
- Secure your equipment. On a more traditional technical level, make sure you have centralized malware protection, advanced threat detection and remediation software (SentinelOne is an industry leader on this front), and two-factor authentication wherever possible. For those with stricter requirements, also consider hardware encryption and remote wipe solutions.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. (Think, simple, fast, effective and something everyone can do!)
Every day, for just a few minutes, get up and dance. It will bring some much-needed balance and perspective.
How can our readers further follow your work online?
- For more of my musings: https://www.linkedin.com/in/hlanda/
- For more on Optimal Networks: https://optimalnetworks.com/
- For my book: https://www.modernlawfirmbook.com/
- For more on Law Firm Anywhere: https://www.lawfirmanywhere.com/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!