Lessons from the Colonial Pipeline Ransomware

Thankfully, it appears that the Colonial Pipeline ransomware attack is behind us and the panic over gas lines and hoarding can subside. But after an episode like this, it is helpful to take stock and search for what we can learn.

To start, everyone has now heard of ransomware, but to give a bit fuller background, this kind of malicious software is delivered into an information system—such as a computer or a database—and then renders all of the information inaccessible. Backups can sometimes help restore functionality unless the ransomware’s operator or programs decided to wait to activate the malicious software for long enough that it is in the backups. Once the information is rendered inaccessible, the person or group behind the malicious software demands payment in exchange for returning the information. Recently, there has even been reporting that the person or group behind a ransomware attack will begin calling the clients and consumers whose information was exposed as a pressure tactic to get the business to pay up.

Events like the shutdown of Colonial Pipeline, which generate a torrent of media attention, can create a false impression that only large or geopolitically sensitive businesses are at risk of these kinds of attacks. This is simply not true. In his 2020 Data Breach Report, North Carolina Attorney General Josh Stein found that there were over 1600 security breaches reported to the North Carolina Department of Justice. Compromising email constituted 40% of all security breaches reported, and ransomware constituted 22% of all security breaches reported. So there is a wide array of businesses in North Carolina that are susceptible to these issues, and small businesses are getting caught up in the mess.

For example, last year, the News and Observer reported that the Food Bank of Central & Eastern North Carolina was the victim of a widespread data breach, and just this past April, WCNC reported that a Charlotte parking app had a serious data breach exposing users’ personal information.

However, while no business can ever prevent all possibility for data breaches, there are steps that any business can take to prepare themselves, and relative to the cost of a breach, these steps have a significant return on investment. For example, making sure a business avoids compliance failures can sidestep significant cost increases in the event of a breach. Identifying an incident response team, creating an incident response plan, and testing both can give certainty and ensure that a business responds as rapidly to an incident as possible. And aligning a business’s internal practices with an established cybersecurity framework can decrease the risk that the business experiences and give strong arguments against any regulatory investigations that suggest the business was negligent.

That being said, cybersecurity and compliance expertise are critical to making sure that these plans do what they are meant to do.

© 2021 Ward and Smith, P.A. All Rights Reserved.



Potato, Potahto… Email, Slack

First came email.  Then came Slack, WhatsApp, Zoom, Teams, texts, and a host of social media platforms where we can communicate…in writing…and those communications are saved as electronically stored information (ESI).  “Collaboration software,” like Slack, Zoom, and Teams, is the newest eDiscovery challenge.  But the challenge lies in the preservation, capture, and review, as well as the analysis of proportionality, and not in the question of whether it is discoverable.

The United States District Court for the Central District of California recently ruled that Plaintiff’s Slack messages were both relevant and proportional to the needs of the case and ordered their production.  Benebone LLC v. Pet Qwerks, Inc., 2021 WL 831025 (2/18/21).  The main points of contention between Plaintiff and Defendant focused on the cost to extract, process, and review 30,000 Slack messages.

Although the Court described Slack as a relatively new communication tool, it was part of Plaintiff’s internal business communications and there was no real dispute that Plaintiff’s Slack messages were likely to contain relevant information.

On the topic of burden and proportionality to the needs of the case, the court held a (Zoom) hearing and determined that “requiring review and production of Slack messages by Benebone is generally comparable to requiring search and production of emails and is not unduly burdensome or disproportionate to the needs of this case.” Id. at *3.

One of the key takeaways from this case is to get an eDiscovery expert. Defendant’s expert testified that there are readily available third-party tools for collection and review of Slack and that searches of the data could be limited to certain Slack channels, users, or custodians (similar to focusing an email search on custodians and time frames).  Defendant’s estimate of cost for the project was vastly different than Plaintiff’s unsupported estimates ($22,000 compared to $110,000-$255,000).  To that end, Defendant’s expert proposed that contract attorneys could do first-level review at a rate of $40 an hour as opposed to a $400 an hour attorney rate.  Plaintiff failed to provide a declaration or testimony from an eDiscovery expert.

When facing federal litigation, your case will involve electronically stored information. Slack is considered a more dynamic form of ESI, making search, collection, and processing more difficult.  Choosing the right application programming interface (API) is important as Slack data is exported in JSON format, which is difficult to decipher and requires the right processing to get to more user-friendly data for review purposes.  Additionally, the level of subscription used impacts what can be recovered.

©2021 Strassburger McKenna Gutnick & Gefsky



Law Firms are Switching to the Cloud. Here’s Why

Cloud computing has become ubiquitous in modern society, but law firms have been slower than most in adopting the technology. Recently, however, law firms switching from on-site data management to the cloud has become the norm due to rapid advancements in cybersecurity, increasing client demand, and the appeal of improving efficiency while cutting costs.

So, what are the most common reasons why cloud computing is still so controversial among legal professionals, and what has caused the industry shift toward cloud migration?

Cloud Computing and Confidentiality

One of the driving forces that used to keep many law firms from using cloud servers is client confidentiality. When practicing law, attorney-client privilege is essential and cannot be taken lightly. Even today, concerns about confidentiality and ethics are the main reasons why cloud computing can be a contentious subject among those in the legal industry.

In the early days of cloud-based systems, these issues were a valid reason to avoid outsourcing data storage to an off-site server. However, cybersecurity advancements have led to the cloud often being more secure than on-site servers. Small to medium sized law firms are particularly vulnerable to cyber attacks since they often don’t have the infrastructure or expertise to keep their servers secure. Even with a secure firewall, a Wi-Fi connection can leave information and files vulnerable to a data breach.

Cloud services offer end-to-end encryption, backup servers, teams of expert IT professionals, and physical safety measures, such as securely locked rooms with top-of-the-line camera systems and 24/7 monitoring. These procedures are impossible for law firms to enact at a lower cost than outsourcing.

Cloud-Based Law Practice Management Software is Efficient

The ability to integrate and automate systems is one of the greatest advantages to companies using cloud technologies. Time-consuming and tedious tasks such as scheduling, billing, invoicing, file management, and the creation of legal documents are all streamlined on the cloud.

With a low barrier of entry and the ability to access their important information whenever and wherever they need it, many legal teams that were hesitant to make the switch are now migrating over to cloud-based systems, as Zoom meetings and online court hearings have become the norm.

Is the Cloud More Reliable than In-House Systems?

While it has been a long-standing belief that in-house servers are more reliable and secure than cloud systems, this is no longer the case. Cloud servers offer redundancy that is unmatched by internal servers, since the cloud is able to utilize a secondary server if the primary system should fail. This leads to less downtime and a much lower risk of losing files to equipment error, damage, or a data breach.

It is also common to forget to create local server backups, leaving law firms vulnerable to data loss. Cloud systems are able to continually sync and update, so companies don’t have to worry about being able to access files or documents.

Cloud Technology Saves Money

While efficiency is important, at the end of the day, companies are trying to improve their bottom line. Cloud technology saves law firms money by allowing them to increase efficiency while eliminating the high cost of local data storage and maintenance. Not only that, but they are able to budget better by avoiding unexpected costs, which are inevitable when dealing with aging hardware.

Another significant cost-saving feature of cloud-based law practice management software is the ability to scale. When data is kept on site, scalability is considerably more expensive (and difficult). Law firms using cloud technology are able to grow without updating or adding equipment, software, IT staff, or other expenses associated with keeping data management in-house. Being able to focus on the growth of the business and having predictable, consistent data management costs is a notable advantage when scaling.

Despite the obvious benefits, many law firms are still reluctant to take the plunge into the cloud. Some of the common reasons why include:

Unpleasant Past Experiences

Whether a law firm was an early adopter of cloud technology, or recently had a poor experience with a particular cloud service, unpleasant transitions can sour an entire legal team against the idea of cloud technology altogether. Since there have been remarkable advancements in cloud computing recently, past exposure to cloud services shouldn’t be considered representative of how most cloud servers operate.

Difficult Migrations

One of the most common complaints law firms have when attempting to switch over to cloud-based technology is a difficult migration process. It’s important for companies to check reviews and find out more about what’s required to import their data to the cloud before committing to a cloud computing service.

Security Concerns

Due to the added scrutiny and obligations regarding confidentiality that legal teams are required to abide by, security concerns persist as an important reason why some law firms remain dubious about using cloud technology. However, modern cloud computing services typically offer considerably more secure data storage options than what law firms can provide in-house.

Control and Possession of Data

Some legal professionals feel as though migrating to the cloud means giving up control over their data and important documents because it gives them peace of mind to have their servers physically nearby. This kind of thought pattern inhibits growth by limiting their ability to scale; in reality they are not giving up control or possession of their data, they are simply moving it to a safer location that is easily accessible.

© Copyright 2021 PracticePanther


ARTICLE BY PracticePanther

“NAME:WRECK” Cybersecurity Vulnerability Highlights Importance of Newly Issued IoT Act

A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout Research Labs and JSOF Research Labs have jointly published a report detailing a security vulnerability known as “NAME:WRECK.” This is exactly the type of issue that the new IoT Act was and is designed to address at the governmental level, because the vulnerability can detrimentally affect the security of millions of interconnected IoT devices. As our recent blog “New Internet of Things (IoT) Cybersecurity Law’s Far Reaching Impacts” discussed, this is the type of cybersecurity risk that all organizations should consider and factor into their supply chain risk assessments and mitigation measures. If your organization directly uses IoT devices, or contracts with vendors who supply IoT devices or software/systems using IoT devices, whether in the healthcare, manufacturing, retail, financial services, hospitality or employment context, you should be evaluating your cybersecurity programs for protecting IoT devices.

The “NAME:WRECK” vulnerability was discovered as part of Forescout’s and JSOF’s efforts to understand underlying problems related to the Domain Name System (DNS). The DNS is responsible for routing internet traffic and as such is a critical element of infrastructure. Referred to as the “phonebook of the internet,” the DNS is a decentralized system and protocol that allows devices to access the internet using domain names (such as “google.com”). It has the potential to be exploited by malicious parties because of its open and distributed nature. Communications between devices on the Internet could not reach their intended destination without DNS.

The “NAME:WRECK” vulnerability affects software and firmware that implements the DNS, including software that uses DNS protocols that “parse” or “compress” domain names. As the researchers explain, “WRECK” gets its name because of “how the parsing of domain names can break—‘wreck’—DNS implementations[.]” An attacker leveraging this vulnerability can gain remote control of an IoT device to inject malicious code on a target and achieve Denial of Service or Remote Code Execution, thereby allowing the exfiltration of information and other attacks. As with other DNS-based vulnerabilities, the attacker may exploit “WRECK” using a man-in-the-middle attack, or other methods, as covered in our Lawline webinar “Protecting Your Domain Name System (DNS) Security To Avoid Data Loss & Insider Threat”, and our blog, “Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat.”

The implications of “NAME:WRECK” are significant. In their report, Forescout and JSOF identified popular software components affected by the vulnerability: FreeBSD, IPNet, NetX and Nucleus NET, which led the Cybersecurity & Infrastructure Security Agency (CISA) to issue an alert. Nucleus NET is used in over 3 billion devices including defibrillators, ultrasound machines, avionics navigation, and MediaTek IoT chipsets and baseband processors used in smartphones and other wireless devices. The researchers found that not all devices running the above software are vulnerable; however, they conservatively estimate that over 100 million devices are at risk. The researchers noted that FreeBSD is widely used in high-performance servers in millions of IT networks. Indeed, the researchers warned, “exploitation of NAME:WRECK also will work to detect exploitation on other TCP/IP stacks and protocols that we could not yet analyze.”

The cybersecurity of IoT devices presents particular challenges because it is difficult to inventory all of the software/firmware running on the devices and to patch when vulnerabilities occur. Moreover, depending on the device, patches may need to be manually applied by the user, if the device is not centrally managed. Patching IoT devices becomes even more difficult where the IoT device, such as a medical device or industrial control system, cannot be easily taken offline due to its mission-critical nature. Among other things, the IoT Act addresses these patching difficulties and processes with respect to the acquisition and use by the federal government of IoT devices capable of connecting to the Internet.

Organizations that have devices that are susceptible to the “NAME:WRECK” vulnerability should conduct a risk assessment and take risk reduction measures, if vulnerabilities are identified, particularly if they are government contractors or subject to regulatory standards to protect sensitive information. Forescout and JSOF have identified mitigation recommendations in their report that include identifying vulnerable devices and updating the software. Recommended risk reduction measures include segmenting networks to reduce the risk of vulnerable IoT devices, implementing “a remediation plan for your vulnerable asset inventory balancing business risk and business continuity requirements” and monitoring external DNS traffic.
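To make the “parse or compress domain names” weakness and the “monitoring external DNS traffic” recommendation concrete, here is an added example (not code from the Forescout/JSOF report or from this article) of a strict check that a monitoring sensor could run on captured DNS responses. It decodes names using RFC 1035 message compression and flags the malformed cases a lenient parser tends to mishandle; the function names and the three sample messages are constructed for illustration.

```python
import struct

MAX_NAME_LEN = 255              # RFC 1035 limit for a whole name on the wire
NAME_RDATA_TYPES = {2, 5, 12}   # NS, CNAME, PTR: RDATA is a single domain name


class MalformedName(ValueError):
    """Raised when a name or record violates the DNS wire-format rules."""


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, wire_len = [], 1    # 1 accounts for the terminating root byte
    pos, next_offset = offset, None
    lowest_ptr = offset         # every pointer must jump strictly backwards
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[pos]
        kind = length & 0xC0
        if kind == 0xC0:        # two-byte compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if next_offset is None:
                next_offset = pos + 2
            if target >= lowest_ptr:   # self, forward or looping pointer
                raise MalformedName("pointer does not point backwards")
            lowest_ptr = pos = target
            continue
        if kind != 0:           # 0x40 and 0x80 are not valid label types here
            raise MalformedName("reserved label type")
        if length == 0:         # root label: end of name
            if next_offset is None:
                next_offset = pos + 1
            break
        if pos + 1 + length > len(msg):
            raise MalformedName("label runs past end of message")
        wire_len += 1 + length
        if wire_len > MAX_NAME_LEN:
            raise MalformedName("decoded name exceeds 255 bytes")
        labels.append(msg[pos + 1:pos + 1 + length])
        pos += 1 + length
    text = ".".join(l.decode("ascii", "backslashreplace") for l in labels)
    return text or ".", next_offset


def check_message(msg: bytes):
    """Return a list of findings for one DNS message; empty means well-formed."""
    if len(msg) < 12:
        return ["message shorter than DNS header"]
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    pos = 12
    try:
        for _ in range(qd):
            _, pos = decode_name(msg, pos)
            if pos + 4 > len(msg):
                raise MalformedName("truncated question")
            pos += 4            # QTYPE and QCLASS
        for _ in range(an + ns + ar):
            _, pos = decode_name(msg, pos)
            if pos + 10 > len(msg):
                raise MalformedName("truncated resource record header")
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            if pos + rdlen > len(msg):
                raise MalformedName("RDLENGTH runs past end of message")
            if rtype in NAME_RDATA_TYPES:
                _, end = decode_name(msg, pos)
                if end != pos + rdlen:
                    raise MalformedName("name in RDATA disagrees with RDLENGTH")
            pos += rdlen
    except MalformedName as exc:
        return [str(exc)]
    return []


def build_sample(owner: bytes) -> bytes:
    """Constructed response: one question, one A record with the given owner."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
    answer = owner + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


GOOD = build_sample(b"\xc0\x0c")       # pointer back to the question name
LOOP = build_sample(b"\xc0\x1d")       # pointer to its own offset (29)
TRUNCATED = build_sample(b"\x3fabc")   # label claims 63 bytes that are not there

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("loop", LOOP), ("truncated", TRUNCATED)):
        print(label, check_message(sample) or "ok")
```

Requiring every compression pointer to land strictly before the previous one guarantees the decoder terminates, and checking each length against the message size keeps it from reading outside the packet.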

From the perspective of any purchaser or user of IoT devices, the recent “NAME:WRECK” report highlights supply chain risk and the unavoidable reality that vulnerabilities will continue to be exploited by wrong-doers. Organizations subject to regulatory standards to protect personal, health and other sensitive information (e.g., Gramm-Leach Bliley, HIPAA, NY SHIELD Act, California Civil Code §1781.5, Massachusetts data protection regulation, Illinois Personal Information Protection Act and Biometric Information Protection Act) are already required to use reasonable safeguards to protect IoT devices that may affect the security of protected information. The IoT Act mandates future systemic improvements for the acquisition and use of IoT devices in information systems owned or controlled by the federal government. The IoT Act and these regulatory requirements, and the “NAME:WRECK” vulnerability highlight how in our interconnected world legal standards and technology increasingly intersect. It is therefore critical that organizations plan for the cybersecurity of their IoT devices and systems in their information security and compliance programs and take reasonable steps to ensure that IoT vulnerabilities are addressed in a timely manner consistent with risk.

[1] IoT devices “have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood, and can function on their own and are not only able to function when acting as a component of another device, such as a processor.” The wide range of IoT devices that connect to the Internet include security cameras and systems, geolocation trackers, smart appliances (e.g., TVs, refrigerators), fitness trackers and wearables, medical device sensors, driverless cars, industrial and home thermostats, biometric devices, manufacturing and industrial sensors, farming sensors and other smart devices.

©2021 Epstein Becker & Green, P.C. All rights reserved.



Guarding the Grid: DOE Releases 100-Day Cybersecurity Pilot Program

The February 2021 hack into Oldsmar, Florida’s water treatment system is a frightening reminder that critical infrastructure systems can be vulnerable to cyberattacks and that cyberattacks can jeopardize health and safety. In this case, the hack may have spurred government action. On Tuesday, the Biden administration announced a 100-day plan “to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control of electric utilities.”

In a coordinated effort among the Department of Energy (“DOE”), the Cybersecurity and Infrastructure Security Agency (“CISA”), and the electricity industry, the plan lays out four areas of focus for the next 100 days: (1) enhancement of mechanisms for detection, mitigation, and forensic activities; (2) “concrete milestones” for the industry to develop “situational awareness and response capabilities in critical industrial control systems (ICS) and operational technology networks (OT)”; (3) reinforcement of overall cybersecurity in critical infrastructure information technology networks; and (4) voluntary industry participation programs “to deploy technologies to increase the visibility of threats in ICS and OT systems.”

The plan’s success likely hinges on the government’s ability to develop sustainable, cooperative relationships with the relevant industries. “Public-private partnership is paramount to the Administration’s efforts,” said National Security Council (“NSC”) Spokesperson Emily Horne in response to Tuesday’s announcement, “because protecting our Nation’s critical infrastructure is a shared responsibility of government and the owners and operators of that infrastructure.” It appears that similar plans are being developed for additional critical infrastructure industries, including water, the chemical sector, and natural gas.

The previous administration responded to the escalating threat of cyberattacks from foreign adversaries[1] in part with Executive Order 13920, which declared a national emergency with regard to electric grid security and gave the Secretary of Energy the authority to prohibit certain transactions involving electric equipment potentially controlled by a foreign adversary. Relying on EO 13920, the DOE issued a Prohibition Order in December 2020 barring “Critical Defense Facilities” and any supporting facilities from purchasing or installing electricity generation equipment manufactured in China (“December Prohibition Order”).

On January 20, 2021, President Biden’s DOE issued a 90-day suspension of EO 13920 and the December Prohibition Order to allow the DOE and the Office of Management and Budget to consider methods of “protect[ing] against high-risk electric equipment transactions by foreign adversaries while providing additional certainty to the utility industry and the public.” Tuesday’s announcement from the DOE revoked the December Prohibition Order, effective immediately, but EO 13920 will remain in place until it expires on May 1, 2021.

The DOE has now opted to revoke the December Prohibition Order in an effort to “create a stable policy environment” while the DOE further develops its cybersecurity strategy for the electricity sector. However, utilities are still encouraged to “act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence” while the DOE develops further recommendations.

To assist in cybersecurity strategy development, along with the DOE’s 100-day plan announcement, the DOE issued a Request for Information (“RFI”) “focused on preventing exploitation and attacks by foreign threats to the U.S. supply chain.” Interested parties are encouraged to submit input to the DOE by June 7, 2021 regarding the development of “a long-term strategy that includes technical assistance needs, supply chain risk management, procurement best practices, and risk mitigation criteria” as well as the “depth and breadth of a future prohibition authority.” Instructions for submitting comments can be found on the DOE’s website.

The DOE is still hammering out many details of the 100-day plan, and some details may never be released to the public – expansions of DOE’s Cyber Testing for Resilient Industrial Control Systems program, for example, will be classified to avoid oversharing with foreign intelligence. While the DOE works to develop its 100-day plan, utilities should evaluate cybersecurity infrastructure within their own systems. For example, utilities could make renewed efforts to take inventory of software and hardware used across any systems touching critical infrastructure, and ensure that all technology is secure and up to date. If defense, detection, and prevention systems do not meet the DOE’s suggested standards, a utility could consider implementing additional measures or strengthening current systems now.

Additionally, a utility could consider whether and how its organization might participate in an information-sharing program. Any thoughts regarding guardrails and disclosure limitations for such a program could be submitted as comments to the RFI. Also, a utility could consider how its current approach to communicating with internal and external stakeholders about cyber issues might impact participation in information sharing.


[1] The new 100-day plan comes not only in the wake of the Oldsmar water system hack but also just days after the administration announced sanctions against Russia for its role in the SolarWinds hack.

© 2021 Bracewell LLP


How to Develop a Content Marketing Strategy for a Law Firm

There are many avenues through which law firms can attract clients, but it’s no secret that the internet is one of the most powerful lead generation tools to date.

Law firms of all sizes use the internet to market their services, follow up with clients, and publish thought-provoking content.

With the help of the internet, law firms can now market themselves across a variety of channels. This is where content marketing comes in to assist firms in creating the right content for the right audience at the right time.

How can you use content marketing to grow your law firm? Read on for tips on how to create an effective, client-attracting content plan.

Why Content Marketing Matters for Law Firms

Content marketing is a type of law firm internet marketing strategy that involves creating and distributing informative, audience-focused content online with the goal of attracting website visitors and, hopefully, new clients. It can take on a variety of forms and serve a variety of objectives, but the main purpose is to help law firms draw in new clients online.

In fact, studies show that 65% of law firms spend the majority of their marketing dollars online, which indicates that today’s law firms see the value in and are taking advantage of online marketing.

A content marketing strategy can assist law firms in reaching more customers through valuable, relevant, and engaging content.

10 Steps to Creating a Law Firm Content Strategy

Legal content gets a bad rap for being “boring”, but it doesn’t have to be.

In fact, your clients are searching for information and this puts you in a great position to create content that helps them navigate the legal process with ease.

Below, we’ve outlined 10 steps to uncovering smart content ideas, distributing your content, and using content to attract new clients.

1. Identify Your Main Objective

Content can serve a variety of purposes – from attracting website visitors to increasing engagement on social media to growing your email list.

Before creating content, you should consider what your primary objective is so you’re prepared to create content that helps you accomplish this goal. Different types of content work to generate different results, so it’s worth identifying your main objective(s) from the very beginning.

With your content, are you trying to:

  • Attract website visitors?

  • Grow your email list?

  • Increase social media engagement?

  • Increase your law firm’s authority online?

  • Run a PR campaign?

  • Improve your search engine optimization (SEO)?

  • Turn visitors into leads?

  • Attract backlinks?

These are just a few of the many objectives you may have for your content. Consider these before creating your content marketing strategy so you’re sure to create the right kind of content to achieve your goals.

2. Research Keywords for SEO

If one of your objectives is to improve your law firm’s SEO, then you will want to research searchable keywords to use in your content.

This involves identifying keywords your target audience is searching for to find law firms like yours, or otherwise find information about the type of legal services you offer.

To do this, you can use keyword research tools like SEMRush.com or Ahrefs.com to find keywords to use on your web pages or in your blog posts.

Here’s how to do keyword research for your blog articles:

  1. Use keyword research tools to search for any terms you can think of that might describe the services you offer or some questions your target audience may have.

  2. Look at the search volume and competition score of these keywords to see if they are worth targeting on your site. The sweet spot is keywords that have high traffic volume but low competition.

  3. Use the “Related Keywords” function to find relevant keywords you might not have thought of during your original search.

  4. Make a list of the keywords you think make the most sense for your site and write out some potential blog post titles that relate to these keywords. For example, “how to file for divorce” could become “How to File for Divorce – X Steps” or “How to File for Divorce – Avoid Stress & Animosity”.

  5. Use your target keyword (for each post) throughout your content, paying special attention to your post’s title tag, meta description, and H1 and H2 headings.

3. Spy on Your Competitors’ Content

Sometimes you’ll find yourself a bit stumped on what content topics to tackle on your website. This is when it’s a good idea to scope out your competitors’ content strategies to see what keywords they are targeting and what content they’re posting on social media.

You can use the same keyword research tools as above (SEMRush and Ahrefs) to search for your competitors’ domain names and see what keywords they are ranking for. This can be a great way to find keywords you should be targeting on your own site.

Not all content needs to serve an SEO purpose, however. If you see your competitors posting thought-provoking content on their blogs or social media channels, this can give you some ideas for content you can create to increase engagement, improve your firm’s authority, and even attract clients to your website.

4. Ask Your Audience

The legal niche is highly competitive, which often makes it difficult to come up with content ideas that haven’t been tackled before. It’s a smart idea to ask your audience what topics they’re interested in and what questions they have about the services you offer and the legal process in general.

You can do this by posting a question like “What questions do you have about X?” on social media, by sending out an anonymous survey, or by sending out a campaign to your email subscribers. Then you can turn these questions/topics into blog posts and/or create a Frequently Asked Questions page on your website.

5. Establish a Content Schedule

When it comes to content marketing, quality comes first but consistency makes the difference. Your law firm’s content marketing strategy is made more effective when you are publishing, posting, and marketing your content on a regular basis.

In the beginning, you may want to start slow so you can keep up with a regular posting schedule. Even if you’re only posting two times per month, this is better than skipping months at a time. Later on, you might consider hiring help (like a blog writer) to create more content on a consistent basis.

Project management tools like Asana and Monday.com can help you stay on schedule, organize your content details, and ensure that you’re distributing your content across multiple channels.

6. Write with “EAT” in Mind

EAT (Expertise, Authority, and Trust) is a concept in SEO that applies to creating content that’s written with users and search engines in mind. It’s used to guide brands in creating content that provides value to readers and includes relevant, accurate information users can trust.

By contrast, many brands simply write with Google in mind – packing their content full of keywords and hoping for the best. Instead, you should focus first on providing content that helps your audience learn, accomplish their goals, and find the best law firm for their needs.

SEO powerhouse Moz published an in-depth guide on how to write for EAT so you can create content that both Google and users want.

7. Create a Content Distribution Plan

You’ve planned your topics, written your content, and have hit “publish”… now what?

After creating your content, you’ll want to have a plan for distributing your content across platforms to get as many eyes on it as possible. This can be done manually or through the use of content distribution tools like Buffer or Hootsuite.

Here are a few places you can share your content to generate more traffic, engagement, and views:

  • Facebook posts

  • Facebook Ads

  • Instagram posts or stories

  • Email list/newsletter

  • Repurpose as YouTube video

  • Twitter

  • LinkedIn

  • Google Ads

  • Pinterest

  • Reddit

  • SMS (text message marketing)

  • Blog

  • Messenger bots

  • HARO (Help a Reporter Out)

  • Google My Business posts

  • Guest posting on third-party sites

  • Medium.com

  • Quora

  • Bing Ads

8. Focus on Lead Generation

If one of your objectives is to generate more leads for your law firm, then you will want to give your readers various opportunities to contact you (i.e. “convert”).

When publishing and sharing your content, consider what action(s) you want users to take. Do you want them to download an ebook? Give you a call? Fill out a form? Whatever it is, make this clear so you can generate as many leads as possible.

Here are a few ways to generate leads from your content:

  1. Include contact forms on the service pages of your website.

  2. Add downloadables like ebooks and infographics to your blog posts so users have to provide their email addresses.

  3. Include calls-to-action on your social media posts to encourage followers to contact you.

  4. Add your phone number to your web pages to make it easy for prospects to reach you.

  5. Promote your email newsletters to collect more email addresses.

  6. Create “lead magnet” content users would be interested in. Make it so they have to provide their contact information before downloading this content.

9. Follow Up with Prospects

What use is a lead if you don’t follow up with them? Unfortunately, this is a mistake a lot of law firms make (as shown in Hennessey Digital’s law firm intake study) and it can really cost them potential clients. Don’t forget to follow up with your leads!

When you collect information from prospects (whether it’s via email, social media, your contact forms, or by phone), you should record this information and outline a process for follow-up. This can involve having an automated email campaign or having someone on your team following up with the prospect directly.

Customer Relationship Management (CRM) tools can help you keep your lead information organized, check follow-up status, send client documents, and much more. Use these to ensure that you’re following up with every lead and aren’t missing out on new client opportunities.

10. Create Linkable Assets

A linkable asset is a type of content that works to attract backlinks to your website. Links from high-quality sites can improve your own site’s SEO, increasing your rankings and drawing in new website visitors.

There are many types of linkable assets you can create. These range from ebooks to guest articles to interviews to webinars and beyond. We’ve provided 8 ways to attract backlinks so you can improve your website’s SEO and generate even more traffic.

The great news is that your content can serve many purposes at once. For instance, you can publish an SEO-friendly blog post that generates traffic, attracts backlinks, drums up engagement on social media, AND converts readers into clients. The more you can “kill two birds with one stone” with your content, the better!

Law Firm Content Marketing Made Simple

By now you see that content marketing for your law firm doesn’t have to be a difficult task. With the right planning, tools, schedule, and writing know-how, you can create amazing content that moves your law firm forward.

Create content that gets your audience buzzing and itching to work with you. The more content you create, the more your skills will improve and the better you’ll be at using content to turn passive visitors into new clients.

Copyright 2021 © Hennessey Digital

For more articles on the legal industry, visit the NLR Law Office Management section

In-Person Client Meetings and COVID-19

A fellow attorney just circulated a poll to his friends asking, “Are you starting to meet with your clients in person?” If you are restarting in-person meetings with your clients, consider whether you are in a jurisdiction that mandates contact tracing and whether that conflicts with your duty to keep a client’s confidential information confidential.

Every jurisdiction has adopted some form of ABA Model Rule 1.6, Confidentiality of Information. It provides in part that:

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

The mere fact that a person has consulted an attorney can be in itself confidential information. One obvious example is a famous celebrity visiting a divorce attorney.

The problematic situation arises if you learn that the client has COVID after an in-person meeting. Alternatively, what if you learn after the meeting that you have COVID? In jurisdictions that require contact tracing disclosure, or even for public policy and health considerations, you may need to disclose your client’s identity to contact tracing authorities. As an attorney, you should take a moment to learn the contact tracing and public health reporting laws in your jurisdiction. For example, right now, I understand that there is a tracing program in Massachusetts, but disclosure is voluntary, not legally required. This may change.

The easy answer to this dilemma is to discuss the issue before meeting a client in person. Model Rule 1.6 permits the disclosure of otherwise confidential client information with informed consent, so you should inform the client about contact tracing so the client can decide whether to meet in person or remotely.

The hard answer arises if you have not had this conversation. Absent informed consent from a client to disclose their identity to contact tracers, Model Rule 1.6 does permit – but does not require – disclosure to comply with a statutory requirement for contact tracing:

(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary: . . . (6) to comply with other law or a court order . . .

While the ethical rules may permit you to comply with a statutory requirement to disclose your client’s identity in a COVID tracing situation, such a unilateral decision to make disclosure may not be good for your attorney-client business relationship.

In conclusion, you should seriously consider discussing the possibility of contact tracing disclosure obligations before meeting with a client in-person.

© 2021 SHERIN AND LODGEN LLP



Facebook Defeats Shareholder Suit Challenging Alleged Failures In Its Diversity and Inclusion Practices

In Ocegueda v. Zuckerberg, No. 20-CV-04444, 2021 WL 1056611 (N.D. Cal. Mar. 19, 2021), the United States District Court for the Northern District of California became the first court to rule on a motion to dismiss claims alleging deficiencies in a company’s compliance with policies intended to promote diversity.  The plaintiff, a common stockholder of Facebook, Inc. (“Facebook” or the “Company”), alleged claims for breach of fiduciary duty and further alleged defendants made false and misleading statements in the Company’s Proxy Statement in violation of Section 14(a) of the Securities Exchange Act of 1934.  The plaintiff alleged that Facebook’s public statements promoting values of diversity and inclusion were at odds with the Company’s alleged practices regarding (i) the hiring and promotion of diverse candidates to senior leadership positions; (ii) purported discriminatory advertising practices; and (iii) alleged hate speech on the Facebook platform.  Facebook defeated all of these claims at the motion to dismiss stage largely due to the fact that the complaint did not reflect Facebook’s actual practices of promoting diversity and inclusion—including at the highest levels of the Company.  The Ocegueda decision is noteworthy because it provides officers and directors a first glimpse at how a court may approach shareholder claims seeking to hold a corporate board liable for the alleged failed diversity initiatives of a public corporation.

A series of lawsuits in 2018 accusing Facebook of discriminatory advertising served as the genesis for the plaintiff’s claims.  In May 2020, Facebook came under public criticism for its refusal to censor a social media post from a prominent politician disparaging the Black Lives Matter movement.  Within weeks, more than 100 advertisers (including companies listed on the S&P 500 index) announced a boycott of Facebook and pulled their advertising from the platform.  By the end of June, Facebook’s stock dropped 8.3%.  Beyond these controversies, the shareholder plaintiff also grounded her claims on the purported lack of diversity on Facebook’s board and among its senior executives.  According to the plaintiff, these practices belied statements in Facebook’s 2019 and 2020 Proxy Statements concerning the Company’s “commit[ment] to a policy of inclusiveness and to pursuing diversity in terms of background and perspective” and statement that “[d]iversity and inclusion are core to everything we do at Facebook.”

Despite the incendiary allegations, the district court grounded its order granting defendants’ motion to dismiss on timeworn principles applicable to shareholder claims and claims for fraud under Section 14(a).  First, plaintiff failed to make a shareholder demand on the board and failed to plead particularized facts sufficient to show a majority of the directors were capable of exercising their independent business judgment to evaluate the plaintiffs’ claims.  The district court supported this finding, holding that: (i) the Company took ample action to combat the allegedly discriminatory advertising practices and the alleged proliferation of hate speech on the platform; and (ii) plaintiff’s allegations concerning the lack of diversity on Facebook’s board and among its senior executives were contradicted by the actual composition of Facebook’s board and senior executives, as the district court recognized:  “two of nine directors are Black, a third Black director stepped down in March 2020 to join Berkshire Hathaway, four of nine directors are women, one is openly gay, and, since its adoption of its diversity policy in 2018, a majority of new nominees have been Black or women.”  Second, the statements in Facebook’s 2019 and 2020 Proxy Statements could not substantiate a claim under Section 14(a) because they consisted of non-actionable, aspirational “puffery.”  Third, the Company’s Certificate of Incorporation provided that the Court of Chancery of the State of Delaware was the “exclusive jurisdiction” for derivative claims and claims of breach of fiduciary duty against Facebook’s officers and directors.  Thus, the district court dismissed the derivative breach of fiduciary duty claims on the independent grounds of forum non conveniens.

The decision in Ocegueda is interesting because it shows there is no fundamental hurdle to derivative claims arising for purported corporate harm caused by a company’s non-compliance with diversity and inclusion initiatives.  Facebook successfully defeated the derivative claims based, in large part, on the basic principle that courts will not impose derivative liability on corporate directors for an alleged “failure of oversight” over corporate affairs unless a shareholder can allege specific facts showing that a majority of the Company’s directors were aware of serious “red flags” and consciously disregarded them.  Looking to the future, California recently signed into law AB 979 (Cal. Corp. Code § 301.4), which requires publicly traded companies located in California to, by the end of 2021, set aside a certain minimum number of director positions for persons from underrepresented communities.  Given the high-profile nature of this new law, it remains to be seen whether a corporate board that fails to comply with AB 979 may face an increased risk of derivative liability.  Until then, there is truly no time like the present for corporations to take a critical eye to their own diversity practices.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.


For more articles on Facebook, visit the NLR Corporate & Business Organizations section.

Supreme Court “Unfriends” Ninth Circuit Decision Applying TCPA to Facebook

In a unanimous decision, the Supreme Court held that Facebook’s “login notification” text messages (sent to users when an attempt is made to access their Facebook account from an unknown device or browser) did not constitute an “automatic telephone dialing system” within the meaning of the federal Telephone Consumer Protection Act (“TCPA”).  In so holding, the Court narrowly construed the statute’s prohibition on automatic telephone dialing systems as applying only to devices that send calls and texts to randomly generated or sequential numbers.  Facebook, Inc. v. Duguid, No. 19-511, slip op. (Apr. 1, 2021).

The TCPA aims to prevent abusive telemarketing practices by restricting communications made through “automatic telephone dialing systems.”  The statute defines autodialers as equipment with the capacity “to store or produce telephone numbers to be called, using a random or sequential number generator,” and to dial those numbers.  Plaintiff alleged Facebook violated the TCPA’s prohibition on autodialers by sending him login notification text messages using equipment that maintained a database of stored phone numbers. Plaintiff alleged Facebook’s system sent automated text messages to the stored numbers each time the associated account was accessed by an unrecognized device or browser.  Facebook moved to dismiss, arguing it did not use an autodialer as defined by the statute because it did not text numbers that were randomly or sequentially generated.  The Ninth Circuit was unpersuaded by Facebook’s reading of the statute, holding that an autodialer need only have the capacity to “store numbers to be called” and “to dial such numbers automatically” to fall within the ambit of the TCPA.

At the heart of the dispute was a question of statutory interpretation: whether the clause “using a random or sequential number generator” (in the phrase “store or produce telephone numbers to be called, using a random or sequential number generator”) modified both “store” and “produce,” or whether it applied only to the closest verb, “produce.”  Applying the series-qualifier canon of interpretation, which instructs that a modifier at the end of a series applies to the entire series, the Court decided the “random or sequential number generator” clause modified both “store” and “produce.”  The Court noted that applying this canon also reflects the most natural reading of the sentence: in a series of nouns or verbs, a modifier at the end of the list normally applies to the entire series.  The Court gave the example of the statement “students must not complete or check any homework to be turned in for a grade, using online homework-help websites.” The Court observed it would be “strange” to read that statement as prohibiting students from completing homework altogether, with or without online support, which would be the outcome if the final modifier did not apply to all the verbs in the series.

Moreover, the Court noted that the statutory context confirmed the autodialer prohibition was intended to apply only to equipment using a random or sequential number generator.  Congress was motivated to enact the TCPA in order to prevent telemarketing robocalls from dialing emergency lines and tying up sequentially numbered lines at a single entity.  Technology like Facebook’s simply did not pose that risk.  The Court noted plaintiff’s interpretation of “autodialer” would, “capture virtually all modern cell phones . . . .  The TCPA’s liability provisions, then, could affect ordinary cell phone owners in the course of commonplace usage, such as speed dialing or sending automated text message responses.”

The Court thus held that a necessary feature of an autodialer under the TCPA is the capacity to use a random or sequential number generator to either store or produce phone numbers to be called.  This decision is expected to considerably decrease the number of class actions that have been brought under the statute.  Watch this space for further developments.

© 2020 Proskauer Rose LLP.


ARTICLE BY Lawrence I Weinstein and
For more articles on the TCPA, visit the NLR Communications, Media & Internet section

Paid Search Advertising for Law Firms: Part 6 Good2bSocial Academy

The eight modules of Good2bSocial’s Digital Academy provide legal marketers with critical components of an effective digital marketing program adapted for the unique needs of the professional services industry. Good2bSocial’s Digital Academy fills the need for legal marketers to demonstrate that they have a baseline of digital marketing concepts, and also provides law firm CMOs an objective way to assess team members’ or potential hires’ legal marketing knowledge. Last week, we covered Good2bSocial’s Digital Academy’s course on search engine optimization (SEO) strategy for law firms, providing the components of an effective SEO strategy for lawyers, stressing steady and exponential website visitor growth over time which increases both search visibility and law firm credibility.

Module 6 helps legal marketers learn effective ad bidding strategies and outlines best practices to create effective advertisements on Google Ads and other platforms. Good2bSocial’s program helps legal marketers navigate the Google Ads interface through real-life examples, providing actionable tactics to improve click-through rate, lower advertising spend and maximize performance.

Per Kevin Vermeulen, Good2bSocial’s COO:

Google Ads and Bing Ads are a highly effective way to deliver quality traffic and leads to your law firm’s website.  But there needs to be thorough keyword targeting so Google displays your ads only to those searching for your legal services. Google’s global audience and the audience data they provide is unrivaled in the industry and it is critical to know how to properly set up new campaigns and how to optimize existing ad campaigns to assure that your law firm receives the maximum return on investment (ROI).

Pay Per Click Basics for Law Firms: An Overview.

As the name indicates, with pay-per-click  (PPC) advertising, your firm only pays when someone clicks on your ad. PPC ads strategies include purchasing ads on search engine results pages, social media advertising as discussed in Good2bSocial’s Academy Module 4 and purchasing ads on partnering websites.  Guidance is given on how to compete with others who want the same key words you are targeting in an auction to determine who wins the ad spot. Ad spot bidding is impacted by the key word’s relevance, the query made by the person doing the search, and your law firm’s landing page.

Get Your Law Firm’s Message at the Top and Most Viewed Parts of Search Pages.

Pay-per-click advertising on search engine results pages places your firm’s message in a prominent spot right at the top, bottom or side of the search page. PPC ads that appear at the top of the search page are more likely to be clicked on than the top-ranking search result.

Other Types of PPC Ads that Provide Value for Law Firms

Vendors like Google Display Network and Microsoft Advertising, previously known as Bing Ads, display ads on partnering websites such as the National Law Review. Google Display Network includes more than 2 million partnering websites and the ability to reach more than 90 percent of those online. The Bing Ad Network audience includes 60 million desktop searchers not reached on Google.  There are many networks out there and other niche options for law firms. For example, Quora, where people come to ask questions and to read and share answers, is particularly suited to reach customers at the point they are evaluating and researching a product or service. Good2bSocial’s Academy PPC module provides a great deal of analysis of the various pay-per-click options for law firms in addition to explaining remarketing or retargeting campaigns that show your PPC ads to those who have visited your website in the past.

Critical Points to Consider for Google Ads Campaigns Setup and Maintenance include:

How to Choose and Manage your Law Firm’s Advertising Keywords?

When using pay-per-click advertising, you have the freedom to customize your keywords, allowing for extra targeting that focuses your spend on keywords that are more likely to indicate an urgent need for a lawyer. Additionally, your firm wants to make sure your keywords are unique so that you don’t end up competing with yourself.

The checklists in Good2bSocial’s Academy PPC module provide useful information on:

  • How to organize similar keywords into groups helping you keep things organized and streamlining your targeting efforts.
  • How to silo lower performing keywords into a campaign to determine if they should be dropped or can be improved.
  • How to prune underperforming keywords and how to improve the lower performing keywords through adding negative keywords to your lists.
  • How to look for new keywords and phrases.
  • How to do split testing.
  • And how to tweak landing pages and ad copy for optimal performance for high performing keywords.

What are Best Practices for Law Firm Ad Campaign Set Up and how to Avoid Costly Missteps?

Because of the high cost of PPC advertising for attorneys, law firms should do research to ensure they choose highly targeted keywords that will deliver an impressive ROI. Keywords in the legal field are highly competitive. According to Good2bSocial, the average click costs $54.86 for keywords related to legal services and lawyers.

Good2bSocial’s Academy Provides Useful PPC Organization and Execution Advice Including:

  • How to consolidate PPC campaigns by performance.
  • Why your firm should check landing pages and URLs to make sure the landing page works as intended.
  • How to download your ads and look at them in Excel or Word to organize them and assure simple things like the spelling is correct, as misspellings can have a negative effect on click through rates (CTR).
  • How to include your keywords in your law firm’s ad copy and your landing pages’ URL and setting page paths.
  • And how to make the most of your clicks by enhancing your ads with things like ad extensions and going into detail on how Sitelinks, Review, and Call extensions can be useful for law firms.

How to Set Budgets and Choose Location and Language Targeting for your Law Firm’s Ad Campaigns.

According to Good2bSocial, certain geographic locations and more specialized key words may require higher suggested PPC bids, with some firms setting a monthly budget for PPC ads of $30,000 or more. If a law firm is going to enter into and thrive in the PPC marketplace, Good2bSocial’s checklists, real life examples and detailed explanations provide an invaluable roadmap, including:

  • How to define your CPC bids to ensure you don’t bid too high on cost per click and how attorneys can use Google’s keyword planner to get an idea of the PPC range your firm should be aiming for.
  • How to set your PPC budget.
  • How to set location and language targets.  Not all legal consumers in the U.S. are browsing in English, so this covers setting proper language targeting and then assuring that prospects are taken to a landing page in the language they are using to browse.
  • How to choose ad rotation and delivery method.
  • How to set “Search Network Only.”  Google will set your campaigns to search with display by default. And because display ads show up on websites other than Google search engine result pages, inadvertently including display ads outside of search results can cost your firm significantly more money.
  • How to set ad scheduling if you want your ads to show only while your office is open, and how to set target devices if you’re running a campaign specifically designed for mobile, desktop, or tablet only.
  • How to exclude your own IP address(es) to avoid skewing your tracking results and how to use Google’s ad preview tool to check where and how your ads are showing up.
  • And how to set up conversion tracking to monitor your ads and selected campaign attributes and assure they meet your law firm’s PPC campaign goals.

Key Takeaways for Law Firms Paid Search Advertising

Per Vermeulen:

Google ads and other PPC outlets are highly effective for the law firm market at producing rapid lead generation results.  But it’s not as simple as “setting and forgetting” a law firm’s PPC campaigns.  However, while the extensive configurability of the Google platform, in particular, makes it extremely powerful, it also makes it easy to forget a step somewhere and cause problems with your firm’s campaigns.  To prevent wasting time and money, checklists, forethought, monitoring and routine recalibration checks are needed when launching and evaluating existing PPC advertising campaigns.


Stay tuned for more details on the topics and key takeaways included in the other modules of the Good2bSocial Academy.

Copyright ©2020 National Law Forum, LLC

For more articles on legal marketing, visit the NLR Law Office Management section.