How Clio Thinks About Security and AI for Law Firms (Full Transcript)

[00:00:10] Speaker 1: Hey y'all, it's Zach, the Legal Tech Advisor here at Lawyerist. And I'm here with Jonathan Watson, the Chief Technology Officer at Clio. And all the things that Clio is now. Jonathan, thanks for being with me. I appreciate it. Yeah, thanks for having me. I don't think everybody, and I don't know that I have a full concept of what Chief Technology Officer necessarily is, like you'll kind of give me a nuts and bolts of what a CTO does. For sure.

[00:00:38] Speaker 2: I am responsible for and to the product engineering organization, the infrastructure engineering organization, data engineering. I also run compliance and security and the IT functions inside. So if you touch customer data in any sort of form or fashion, that's in my world. And if you handle any of the internal systems inside of Clio, the IT team provides that as well.

[00:01:04] Speaker 1: So you're the one that people are saying, like, I trust you with my data in a way, like if we were to put a face to it. Yeah, but if we were to put a face to kind of that, it would be, it would be Jack, right? Because he's the one who instilled the culture from the beginning. And he's kind of all over the place, this whole Clio, like he's the CEO or something, you know, like he cares. Okay. So the thing that I, or one of the things that I've gotten out of this conference so far, and especially the keynote is this expansion of Clio's capabilities, but also expansion of like Clio's footprint in your law firm. And with that, I think I'm going to have to put a lot more information in Clio. And so talk to me about the security thoughts, I guess, around like me putting my client data into my firm data, and then all of this more and more and more data into Clio and it being safe.

[00:02:07] Speaker 2: Yeah. That's a, it's a great question. It's one that, you know, very few things that I think about on a daily basis, this is like a big one. Yeah. And it comes in a couple of forms. Like Jack laid the groundwork at Clio by building it security first. Yeah. All of the follow on devs and people inside the company built a great culture from the ground up that thinks about the sanctity of customer and client data. We have really well established programs now that we bring in outside auditors to look at our stuff. You know, we run bug bounty programs, we run auditing systems, we run external and internal pen tests. We do all of this stuff to really check our work, but it all comes down to everything we build. The first line item is security and safety of customer and client information. Do not pass a go if you cannot guarantee this. And the project has to refine that before it can really step into the next stages.

[00:03:07] Speaker 3: Okay.

[00:03:08] Speaker 2: And what that yields is a great wide variety of systems that as we consume new acquisitions or we build new products, they're either built on the same frameworks that we've been building all of our other products on, or we quickly adopt and we bring them up to the Clio standard if they happen to be below it. Which isn't always the case, but if you pick up the smaller companies, they can be less established in these areas. So, you know, you bring them up in the SOC 2 program and that sort of stuff.

[00:03:36] Speaker 1: Yeah. Talk to me about that, about there's been, you know, there are a couple of significant acquisitions that have happened recently with VLex and ShareDo. When those come into the Clio area environment, the infrastructure has to move, right? How do you go through dealing with kind of like, I think of it as like field mapping, but like getting all those things to start to work together and bringing these things into your infrastructure. For sure.

[00:04:12] Speaker 2: We have a great team that does it, run by Remy, who's a long time Clion, who's one of the original, like call it the original 20, I think, at the company. Okay. I'm still here. You can meet him if you haven't met him. Yeah. And his teams basically pick up the infrastructure and start building the plans to bring it underneath the umbrella of Clio. Okay. And they take action on that as quick as possible. On the compliance side, they evaluate and bring in all programs. And we've done a portion of this prior to any acquisition as well. We just don't enact any of it until post acquisition. Okay. And then on the security side, we have a red team and a blue team, and a blue team is defensive. So they build systems that are secure and safe and all these things. And the red teams are, they're just trying to hack it all day long. That's what they do is, hey, you just built a really cool thing. I'm going to go try to get into it. Okay. And then we bring those teams to bear immediately on any acquisition. And they basically tear apart and find exposures. And then we remediate those as fast as possible.

[00:05:13] Speaker 1: And that's kind of like what you were talking, you used the phrase pen testing earlier. And I know this isn't specifically pen testing, but it's kind of the same idea. Pen testing for anybody that doesn't know is penetrative testing. Essentially seeing if you can hack into it.

[00:05:28] Speaker 2: Can you get in behind the wall? Can you do anything?

[00:05:30] Speaker 1: It's not necessarily just physical pen testing. Can I hack into the computer? Can I call somebody and get there? We're talking about actual behavioral.

[00:05:42] Speaker 2: We don't go that far, because often the weakest link is the human. Our view is, can we build systems that even if the human is the weak link, that we can still protect the main system? And that's a big part of it. And it's something we're good at. And with a company like V-Lux coming over, what we've seen is they've thought a lot about these systems as well. So most people don't know it, but they even have functionality where your queries and stuff are encrypted in your own keys. And they've really thought about this from the ground up, because they're brought into big enterprise law firms who care about this stuff. And so they actually have, in some cases, even more restrictive data access patterns than we do at this point. And it's going to be really cool to blend all those technologies together. And just simply, we need to enable tons of innovation on data. It's an imperative at this point in time in the legal space. And we need to find a way to do that as fast as possible, while maintaining security. Not minimums, but maximums in those areas. And how do we continue to rev on that? That's a whole wide variety of everything from technology to process to people. And delivering that at the 400-plus engineering and 500-plus R&D organization at Clio is a big task.

[00:06:57] Speaker 1: Yeah. That is a big task. Well, and now, kind of like what I was hinting at earlier, now we're asking people to put even more of our data in Clio. And I think one of the things that I'm just going to go ahead and kind of say is, people have been trusting Clio with their data for a significant amount of time. And Clio has had to fight the battle of, you can trust your data in the cloud. But people are putting more in. How do you approach making people feel... I was talking to somebody on your team about y'all almost going above and beyond and making it safe for the customer, even without their help, in a sense. How do you approach almost overly helping the customer in that?

[00:07:44] Speaker 2: I asked two questions. Gavin, our application security director, is around too, if you haven't met him.

[00:07:49] Speaker 3: Okay.

[00:07:50] Speaker 2: You can spend some time with him. But I ask him this question constantly. How have we meaningfully improved the security posture in our applications in the last year? And we spend a lot of time on just like, how have we made it better today? How do we make it better than yesterday?

[00:08:05] Speaker 3: Okay.

[00:08:05] Speaker 2: And the second thing is, how do we continue to earn that trust and continue to build security? Because a lot of companies go, great, I got my accreditations. I'm socked too now. And I'm done. Yeah. And I'm done. As long as I meet that minimum standard, I'm good. But for us, we go, that would be good, but we're just going to keep pushing. Right. We're just going to keep trying to secure, and we know that the world's fluid. We know that these hackers get way more sophisticated in many ways. Especially with AI. We know that. Yeah. And we know that everyone's at risk all the time, and you're always doing your best job to figure it out. That's how many layered systems can we put in place that just help people understand that we've taken, to the extreme, the limits that we can in these various areas. So I'm quite passionate in this area. I mean, it sounds like you are. Yeah. I can talk about this for like four hours if you want to. Your listeners may not.

[00:08:58] Speaker 1: We'll go to live. Yeah. We'll make this fun.

[00:09:00] Speaker 2: Just broadcast on the internet.

[00:09:02] Speaker 1: The PR team's sweating.

[00:09:04] Speaker 2: We don't know what's happening over there.

[00:09:06] Speaker 1: People live pen testing in the background. We go down broad and specific paths all day. One of the things that I think that people are thoughtful about and interested in, obviously, is artificial intelligence. And AI is being incorporated, not just around Clio now. It's not just being bolted on. It feels like it's being incorporated into the guts of Clio, fundamentally. What are the things that you have to think about when you're bringing that fully into the system?

[00:09:36] Speaker 2: Yeah. A few things. How do you train on data? And I don't mean train in the LLM sense, but how do you figure out a document classifier, for instance, when you're not allowed to look at the document? That's an interesting problem and one that we're working on. Things like that. Whereas a lot of people will go, I just need access to the information. And we view that as attorney-client, like client confidential data. So we do a whole bunch of things around that to classify it, to summarize it, to de-identify it, and anonymize it. And we work on that. And we do that after people have accepted that they're okay having a process that way. We're very respectful of this process, almost overly so. It slows us down in some ways because we know that trust in this area is hard-earned and easily lost in every way. And we spend so much time trying to figure out the right way to do these things. And we have a group, actually, inside the team that has to approve certain things, and they challenge each other constantly for, that may be the shortest, but that's not the best. And then we work on that. And that can mean we go out a little bit in time on what we want to deliver, but we're confident that we haven't cut a corner in a way that's just not acceptable.

[00:10:49] Speaker 1: Let's talk about that idea of training within Clio. Because initially, when you've got Duo, so way back a long time ago when it was just Duo, four days ago, it's really, you have one type of data, one type of LLM sort of concept. And now we have that sort of concept of like, let me look at my documents, let me go into draft and things like that. And then we also have Vincent over here. And we want to train differently. We want to access client documents differently. And then, potentially, we're okay with putting client information into the other one, we're not. How do we think about that? How do we keep those things separate? How do we approach that? Yeah, for sure.

[00:11:44] Speaker 2: I think that the first thing to know is, we're going to get to a place where you can put client information and things that are Vincent accessible, like that's the goal, right? Is that they all act as one system.

[00:11:53] Speaker 1: I guess that makes sense. If you're going to protect it, you're going to protect it.

[00:11:58] Speaker 2: And we know that the best workflows are the ones that can blend research with what's going on in a client's file. And weaving all of that together, including communications and everything else, or at least, I say we know, but we're pretty sure, let's put it that way. It's what the legal transport says. Yes. The engineer in me has to qualify it in some sort of way. But I think a couple of things to just know. We're just trying to deliver a solution that works for your firm. We're not trying to look for the broad, like take your firm's data and use that to power other firms and all that stuff. We're very clear that in our terms, we're very clear in our approach and our strategy. We want to maximize your firm.

[00:12:44] Speaker 1: I want to hang on that for a second, if you don't mind, because I was talking to somebody earlier about that. And I think that's an important thing to note. I was talking to an attorney about that earlier, I was talking to Tucker about that earlier, about that siloing your own data. We're saying that my files in draft, my files in Clio documents are not going to be used to assist a different attorney in their drafting.

[00:13:12] Speaker 2: Correct.

[00:13:12] Speaker 1: Right.

[00:13:13] Speaker 2: Unless you explicitly know that that is happening. Okay. Yeah. And we have no features that would do that, but that's the commitment is you're going to know it if we do it. We're not going to do it. Not happening right now. Not happening right now.

[00:13:25] Speaker 1: And not a plan to. Not a plan to. Yeah.

[00:13:27] Speaker 2: And we would talk people through it. We would have a good value driver. That would be the right thing to do at a right point in time. Yeah. Because, you know, there's this idea that out there, it's like, if I could train on all legal data, I could solve so many problems.

[00:13:39] Speaker 1: I can envision a scenario where I would opt into that, where you say like, okay, if I opt into it with my documents, then I also get access to that with other people's documents. I can envision that scenario where it's a reasonable thing, but we're not there. And that's certainly not the crocodile closest to the boat.

[00:13:56] Speaker 2: That's not the thing we're working on. Not the next thing by any means. And there's so many other systems of action that we need to do. These automations, these doing jobs for you that require none of that. Yeah. And we think that those are more valuable for law firms right now than do we coalesce to the same lowest common denominator of writing a brief.

[00:14:21] Speaker 1: That is a hurtful, not hurtful to me, but that is a hurtful way to look at that, like where it's like, if we're putting in, we say garbage in, garbage out. Lawyers can make garbage too. And I personally, that's interesting to look at. I personally think that other lawyers' documents are garbage. And so if we are going to bring that in, I can also envision a scenario where I'm like, no, I don't want anything trained on there.

[00:14:53] Speaker 2: Yeah, that's that's that's yeah, we want things trained in public information. We want to do that, which is what Benson and Deluxe give us. Yeah. Is that is this huge corpus of data that what's precedent? Yeah. What what's out there? What has been decided? What has been revoked? Like what is the negative precedent here is actually very important as well. Yeah. And bringing that into your capabilities, help you enact your craft even better than before.

[00:15:20] Speaker 1: Yeah. OK, so I'm getting a little bit. Your whole job isn't security, and so let's get into a little bit of the exciting AI aspect of this, because I know that that's a significant part of what you have to deal with in Clio as well. What is something that you're that you've got your eyes towards that you're thinking that you're excited about in that realm as it relates to kind of the Clio? I've been calling it the Clio environment lately because it feels much more like an environment than just we're not talking about Clio managed, Clio growing. We're talking.

[00:15:57] Speaker 2: Yeah, it's a platform that we've been building.

[00:15:59] Speaker 1: Right.

[00:15:59] Speaker 2: And we laid a ton of that groundwork with Duo. I know there's this whole thing of like, you know, Duo gone or not, like Duo exists everywhere. Yeah. A lot of it's the groundwork for what we took to the next level and then reworked and added on to build, manage AI, then some improvements, grow AI, draft AI, all these things. I mean, what's next for us? The two things that I'll future cast, because John will need to future cast the rest of them in some sort of way. Communications is a big angle, like we know that that's a really important part to doing better legal work. Yeah. Just what's going on in between you and your client or prospect and then documents, everything documents.

[00:16:39] Speaker 1: Yeah, documents is the one that excites me, but communications is the one that scares me, because I think you and I have talked before about there's one thing to have something confidential here. It's another thing to make sure to to be able to ensure to your clients who are the users of Clio that you're also not going to break attorney privilege. You know, and when we talk about communications specifically, so I know the answer to this, but I want to make sure that we're saying, how do we make sure that the interaction with artificial intelligence in Clio writ large or in Clio in a communications platform is not breaking that privilege, it's not bringing a third party into the into the scenario? Yeah.

[00:17:25] Speaker 2: I think there's kind of a couple of ways to think about this one. I think technology is going to continue to advance so we get more comfortable with the technology as it's being implemented. It's just like the first time we did VoIP recording, everybody was nervous about it, but it was a lot easier to tap into an analog line than it is to tap into a digital one. So, you know, back in my day, you used to whistle into a modem and hack things. Right, right. Now you've got to do a whole lot more than that.

[00:17:49] Speaker 1: Was that still how it was in in the movie Hackers? Yeah. Yeah, it was still them going into the, yeah.

[00:17:57] Speaker 2: So there's a little bit of that, like we're going to still build on these systems as companies that are offering these systems, you know, that it's important to solve this problem, to bring technology to the end. When I look at communications, like we already handle auto transcription that runs through systems and services, often cloud-based systems, in fact, almost always. Very few people are running their own. Yeah. Or it runs through a human, a mechanical Turk that's listening to it and writing it down. So like, yeah, interestingly enough, I think the industry is actually already OK with this. Yeah. They just don't know it. Yeah. In a lot of ways. And bringing AI into it actually should make it more secure because you are now getting to the point where you're removing the humans, you're having better understanding of what's going on. Right. Your accuracy should shoot through the roof over time, which then means you get something a little bit more useful. And court systems are wide scale adopting digital recording systems. Yeah. And a live transcription and the ability to call into courtrooms across the country and listen in. If you're an attorney in Illinois, you can call into the Illinois-like systems and get access to it. Yeah. So it's just that I think it's one of those ones that we become more comfortable with as as time progresses and the technology gets better and we use it more. Because if you objectively look at what we do today, it's not that much different. And so while the jump feels really big, it's just a little curve. You're just stepping up the curve. It's the next thing.

[00:19:26] Speaker 1: OK. All right. Off topic ish curveball. OK. All right. And if you're just like, no. Quantum computing is. Potentially pretty close.

[00:19:46] Speaker 3: Yeah.

[00:19:46] Speaker 1: Like we have it. It's just not necessarily something that can be done at scale. You know, when quantum computing becomes something that is available, we're going to have security issues. What are we thinking about with that in the place? Honestly, what happened is my mind went to can you stop making me have to do two factor authentication? And then I was like, wait, I'm going to have to stop doing two factor authentication soon. Anyway, we're going to have to do like whatever the hell that we have to do. So what are we thinking about? Like, I think this is like a really, really out there, but a sideline sort of thing. What are we thinking about in the world of quantum computing?

[00:20:27] Speaker 2: Yeah, I don't love the future cast in these kinds of ways. That's fair. That's fair. We stay really close to it. We learn a lot about it. We spend a lot of time if we see a system that needs to change, we start massaging it that way or build it that direction. And by then, it's more than likely that we'll see a bunch of new technologies come to bear that help protect in these various ways. And everyone should just be looking for a partner who can build that technology wall the fastest. And if you want to talk about any impetus to get off of on-prem, there's one. You don't even have to think about where do I access it from. It's hey, what if we cross this like Rubicon and we're in the quantum computing land and I can't pull the Internet plug. What am I going to do? Would I rather be with a vendor or would I rather be sitting here wondering what's going on?

[00:21:22] Speaker 1: Yeah. Trying to figure out if my nephew can get out here and fix this thing. Exactly. Yeah. That's a that's a really good point. First thing, I really like your first answer really of like, I mean, we're all in this together. And when this when this becomes a thing, we really need to be at a place that is going to be on top, that is going to be thinking about it, that is going to be, you know, catching the news with that, but then also able to implement these things that are coming in. Yeah, I and I don't know what the second thing was. We'll implement it then. Yeah. Yes. Get off on-prem. Thank you. Let's get off on-prem. The other thing, though, yeah, is that. And we've got bigger, we've got latent problems that have that have been sitting there with with attorneys for a long time already, like Zach asking this quantum computing question when we're still using fax machines. Yeah. Or not turning on MFA. Yeah.

[00:22:28] Speaker 2: Or, you know, having the same password as your email, as your Clio account, not using a password manager. All these things just build a little little wall of defense against anything down the line that could be a breakthrough in technology.

[00:22:43] Speaker 3: Yeah.

[00:22:43] Speaker 2: And I think more folks should look at that. These are just little walls. They're not even inconvenient anymore. Right. They are trying to make them as convenient as possible.

[00:22:52] Speaker 1: So I actually I was thinking about this earlier when I was when I was talking to Pamela, I would like to do just a very quick, like simple things that you can do to protect yourself, like password managers from Clio's CTO. OK. You know, like so what what are some things that people need to be that that your regular Jamie attorney needs to be doing in their practice to to like first wall of defense, protect themselves?

[00:23:22] Speaker 2: I mean, to me, it starts in a couple. There's a few layers here. Number one, use a password manager. Don't use the same password for any site.

[00:23:28] Speaker 1: So a password manager like let's let's one one password is a great one.

[00:23:34] Speaker 2: Yeah. They have a great history of being very responsible. It is very easy to set up and use and they continue to make it.

[00:23:40] Speaker 1: But now all of my passwords are in one place.

[00:23:43] Speaker 2: What if I get hacked? Hard to hack at this point in time, but basically I've not been hacked. Yeah. They would have to get your master password and make that a good one. And then you just need to remember one. Don't write it down. Don't put it on a post-it note. Don't do these other things like truly memorize it.

[00:24:01] Speaker 3: Yeah.

[00:24:01] Speaker 2: And put that somewhere. And if you're worried about but what if something happens to me and my family needs it, do what I do. I have a shared vault with my wife where it includes my password and there and she's got her password on top of this. It's like you need access to these things. So that way, if anything happens, you can get in. I like that a lot. The second one, enable multi-factor authentication everywhere, whether that is, you know, obviously banking. Banking is probably the one people are most used to. You know, does it your email? Does it do it on your email?

[00:24:38] Speaker 1: All of these sorts of do it on your email.

[00:24:41] Speaker 2: The number one avenue that we see to hacking an account is through an email account. And it's like I got their passwords on the dark web because it leaks from some other company that released it. I use the same password and then they use that to log into their email. And once you have an email, you have the keys to the key. Oh, because I can because I can read some passwords all day long. So your email is actually the most important thing.

[00:25:05] Speaker 1: So you got you got most factor authentication and we say multi-factor authentication because two-factor authentication is text message or something else. Multi-factor, you could have a dongle to, you know, or you could have something on your phone that gives you a code.

[00:25:18] Speaker 2: Your face ID that works in it, you know, take a picture of the passcode, like all of these different things just require another step that you may not.

[00:25:25] Speaker 1: And and again, it is a usually something you know and something you have. And so like you can you can something, you know, password, something you have your phone.

[00:25:36] Speaker 2: Yeah, correct.

[00:25:37] Speaker 1: Yeah.

[00:25:38] Speaker 2: And then the third one in this one will sound like I'm just pushing the company line. Don't account share like account sharing is the other big avenue because you don't know where it came from when it happened.

[00:25:50] Speaker 3: Yeah.

[00:25:50] Speaker 2: And if you split the accounts, then it's much easier to control when something happens. And think about this, if you're a if you're the primary user of a Clio account and you shared that with somebody in the firm and somebody wipes out a ton of data, all you have is what the primary user had. You didn't have the user that actually got hacked. And it's a lot easier to repair when you know who did what and where. We can know where the I think we're invalidating auditing systems. We're invalidating the responsibility to provide a secure environment for our clients if we don't do that. Yeah, I actually think it's a much bigger issue than people, you know, are giving it credibility like you're responsible for knowing who accessed that data. If you're sharing accounts, you don't know.

[00:26:32] Speaker 1: Yeah, that's a really good point. I like that. I like that. OK, Pamela told me that we got to wrap up. So yeah, we'll we'll kind of leave on that one because, yeah, I already got you with the like, what are the what are the tips from the CTO? Yeah, just share with everybody what your password is. What's your master password? It's password one. Yeah, I mean, it's the general one.

[00:27:02] Speaker 2: Everybody's got it.

[00:27:04] Speaker 1: I like it. Jonathan, I appreciate you being with me. Thank you. It's always a pleasure to talk to you. And I'm I've got 15,000 other things that I could ask you. But we go down one path. We find a path and we go down. So thank you. I appreciate it.

[00:27:20] Speaker 2: Thanks so much.