April 23, 2025 • 46 mins
Ever wonder what happens when centuries-old legal practices collide with cutting-edge technology? Dean Sapp, CISO at FileVine, pulls back the curtain on the digital transformation revolutionizing law firms worldwide.
Beyond just modernizing paperwork, Dean reveals why attorneys have become prime targets for sophisticated hackers and nation-states. "Law firms are data aggregators of some of the most valuable information on the planet," he explains, detailing how insider knowledge of M&A deals, patents, and major developments makes legal data irresistible to cybercriminals. With attacks from Russia, China, and North Korea occurring daily, the stakes couldn't be higher.
The conversation takes a fascinating turn when Dean shares how purpose-built AI is dramatically reshaping legal processes. Tasks that once took legal teams 4-6 weeks now complete in a single day. Immigration paperwork that required 4-6 hours now finishes in under an hour. These aren't minor improvements—they're transformative shifts in how legal services can scale to help more people.
What sets this discussion apart is the rare glimpse into the specific security challenges of government legal agencies. With FileVine serving approximately 40 government agencies that require FedRAMP certification, Dean offers insights few security professionals ever witness. The intersection of legal compliance, national security, and political implications creates a security environment unlike any other.
Whether you're a legal professional wondering how to stay ahead of technology trends, a security expert curious about specialized industry challenges, or simply fascinated by how AI is reshaping traditional professions, this episode delivers eye-opening perspectives on the future of legal services.
Ready to discover how your organization can better protect sensitive information while dramatically improving efficiency? Join us for this revealing conversation about the technologies reshaping an entire profession.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to another episode of Cybernomics.
I'm Josh Bruning and I'm heretoday with Dean Sapuza-Sisso at
Filevine.
And so, dean, when we talkedthe last time, you described
Filevine to me and I'm going toput it in my words, and then
I'll give you a chance to put itin your words because, let's be
honest, I don't always do itjustice, but what I understand
Filevine to be is a platformthat allows lawyers, law firms I
(00:25):
don't know, legal experts,maybe you roped into that a
whole bunch but primarily lawfirms.
And I understand quite a lot oflaw firms around the world are
using Filevine to organize theprocesses that go into all the
legalese right.
So the lawyers are documenting,they're putting together files,
they're keeping all theirclients stuff straight, and
(00:47):
Filevine is just this platformthat helps them to do that and
do it securely.
So let's imagine the old dayswhen you go into the lawyer's
office and there's a huge filingcabinet that and I'm thinking
even of like a John grishamnovel right where he always
points to like the giant filecabinet, and there's all kinds
(01:10):
of stuff in there, and there'seven someone who is responsible
for organizing all thatinformation the poor uh, you
know whether it's a, a paralegalor there's some old lady again
referring to, referring to theJohn Grisham novels who is just
really good at organizing allthat stuff.
But the old days are over, thenew days are in, and law firms
(01:34):
are no longer managing thecomplexities of everything that
goes into handling their casesand their files, and so that's
when you need technology to helpmake sure they're not missing
anything.
And of course, you, being theCISO, you're responsible for the
security of that platform, ofthe technology and also staying
ahead of new technologies,including AI.
(01:56):
So that's my long-winded,imperfect way of describing
Filevine.
How would you describe Filevineway of describing?
Speaker 2 (02:05):
Filevine.
How would you describe Filevine?
I would say that, in itssimplest terms, what Salesforce
is to sales professionals,filevine is to legal
professionals.
You can run your entire firmfrom a single platform, from
intake, conflict checking,onboarding, a client, doc
(02:27):
management, matter management,contract lifecycle management.
It's a full-service suite ofproducts.
We have e-signature products.
We have at least six AIproducts that are very
feature-specific for differentcases in the legal space.
So it's really designed to bean entire ecosystem to run a law
(02:49):
firm, a legal department, evendo legal research for expert
witnesses, et cetera.
So it's the 2.0 version oflawyering in 2025.
Speaker 1 (03:03):
What is the history of Filevine?
How did it come about?
What were the founders thinking?
And you know why them.
And then we can talk about thebusiness case and the problems
that you're solving today.
Speaker 2 (03:17):
Sure.
Well, two of the founders werepartners of the law firm, so
Ryan Anderson and Nate Morris.
They were practicing attorneys.
They were running a largepersonal injury firm out of Las
Vegas called Bighorn Law, andthe nature of personal injury is
(03:39):
it's often very transactional.
It falls into a line ofbusiness or legal work.
It's called contingency law,which means the case is
contingent upon winning.
So the lawyers are taking all ofthe risk.
They might get 300 accidentswhere someone was injured, the
(04:02):
insurance isn't paying up andthe person's out of work and is
in real financial distressbecause of the injury of someone
who hit them in a hit and runor something like that.
So contingency law means youreally need to know your facts
about the case.
You need to know that if you canhelp this individual and that
(04:23):
you can recover the fees suchthat the firm doesn't lose money
, isn't going out of businessbecause they took on a large
case and they didn't havesufficient facts and then they
lost, well, the firm eats all ofthose fees, and so contingency
law means you have to reallyknow your client.
You really have to know thefacts of the case, and so, with
(04:46):
a transactional type casework,they needed to be able to handle
all of these new matters thatwere coming in, get them in the
right location, do all of theirconflict checking to make sure
that they didn't represent theother insurance party, and so
forth.
So we've been around for about10 years and expanding from the
(05:08):
PI space to corporate legaloffices around the world and
businesses that are in theFortune 50, as well as expanding
to what's called the AM100, theAM200, the top largest law
firms in the country that allneed to get efficient with what
they're doing with case andmatter management.
Speaker 1 (05:30):
How many law firms do you service today?
Speaker 2 (05:33):
You know that number is a little fluid, but it's
somewhere between 4,500 and5,000.
And it's been growing sinceI've been at Filevine.
I've been at Filevine for aboutand it's been growing since
I've been at Filevine.
I've been at Filevine for aboutfive and a quarter years and
we're constantly.
We have a channel, our closedone channel, whenever we have
(05:53):
new customers sign on board andit's like popcorn at the end of
any particular month or quarterwith the new firms that are
joining the ranks or expandingto use some of our new AI
technology or new services.
Speaker 1 (06:09):
So, generally, what is the business case for those
decision makers that areswitching to Filevine, and is
security a part of thatdecision-making criteria?
Speaker 2 (06:23):
I believe security and privacy are two of the
critical decisions that firmsconsider when they're making a
switch.
Often we find that it'susability Our product is
extremely flexible.
It's also configurationsettings.
How many ways can you make thecase go up for the respective
(06:45):
people?
Because the paralegal may needto see the document section and
make sure that they're gettingthe right documents to the
attorneys to review.
The attorneys are redliningthese documents.
They need to make sure thatthose correct red lines are sent
to opposing counsel.
So then you need to make sureopposing counsel can see the
(07:06):
documents and, if you want themto, to redline them and then
send them back or you know andbeing able to do all of that in
like a portal where the customersees what's related to them,
the attorney attorney sorry,opposing counsel or co-counsel
sees what they need to see.
It's really about making aprocess it's very paper centric
(07:31):
and slow by nature andoptimizing it.
Because if you can, if you canredline contracts in the
contract life cycle managementtool and everybody can see the
edits and then you can justagree to incorporate that new
language into the contract.
Everybody saves time, right?
So you know when firms bill bythe hour.
(07:51):
You know you would think thatthey don't really care how long
it takes, but the reality isthey want to be efficient 80,
100-hour weeks and be able to dothe same, you know, service as
many people, as many clients, asthey can with the staffing that
(08:11):
they have.
And so when firms are lookingat becoming more efficient, you
know Filebind is one of the topchoices right now in the legal
space for efficiencies fromthese technological gains.
We have unlimited storage, so itdoesn't matter how many
documents you want to store.
We don't charge extra forstorage.
We have a very robust securityprogram and, like you said, in
(08:34):
the day and age we live in withstate laws mandating security
requirements or privacyrequirements.
It's top of mind for many, manyfirms.
And, of course, requirements.
It's top of mind for many, manyfirms.
And, of course, avoiding amaterial data breach.
Many of the law firms out therethat I read reports on of them
getting breached, and it'salmost a weekly occurrence.
(08:55):
And so by separating out yourfirm's local network from a
cloud service provider whereeverything's hardened and
secured, it reduces the risk tothe firm, because we've had
several firms that said you knowwhat, if we had not moved to
Filevine, we would have been inbig trouble because we copied
all of our documents and movedthem up into the Filevine cloud
(09:18):
and then two days later, ourentire network was ransomed.
All of our local file storage,our servers, our backups was
ransomed.
All of our local file storage,our servers, our backups,
everything was encrypted.
And they wanted five Bitcoinand we didn't have five Bitcoin
to give them and there was noguarantee, even if we paid them,
we would even get our documentsback.
But fortunately we made themove.
(09:39):
We went out to Costco orWalmart or Sam's Club and bought
a bunch of new laptopsEverybody wanted a new device
anyway and they were up andworking in a matter of minutes.
So it really has been abusiness saver for many of our
clients and also helping to getthem more efficient with the
(10:01):
current staff they have get themmore efficient with the current
staff they have.
Speaker 1 (10:08):
Wow, you know, dean, you speak legal very well.
At least to my layman's monkeybrain.
It sounds like you're a legalexpert and I know you're not a
lawyer, but you've been aroundall of this lawyer stuff for a
number of years.
Do you kind of feel like theyyou know they should give you an
honorary, you know, pass on theboard or you know some kind of
(10:29):
something, because you do haveto know your stuff, like what
was your background and how didthat even prepare you to do this
job?
Speaker 2 (10:37):
Thanks, great question.
Well, I will say I have beendesignated as a you know, an
expert witness in Utah.
I've been involved with severalcases and of course that takes
a lot of time and effort and thecourt is the only one that can
determine if you are an expertor not.
But my background prior toworking at Filevine has been in
(10:59):
the legal space.
I spent the greater part of adecade working at an AM100 law
firm and so building both theirIT and security practices.
This law firm had a very largeclient that was in a regulated
environment and so the regulatedindustries have the most laws
(11:20):
about cybersecurity.
So they pushed those cyberrequirements down to our firm
and then my job was to make surethat the firm was meeting all
of these requirements.
So I did that for over eightyears.
And then I also spent abouteight years with a very large
multinational, helping theirfinance and legal department,
(11:42):
amongst others, and so workingto protect the lawyers they had
attorneys in 120 countries andmaking sure that their
technology was good and secure,making sure that all of the
networking between thesedifferent offices around the
world were hardened andfirewalled and protected.
(12:02):
So I've been doing quite a bitthere.
And then I spent about threeyears building a cybersecurity
startup called Braintrace, andthen we were solely focused on
helping to protect law firms.
Because, if you think about it,law firms are data aggregators
of some of the most valuableinformation on the planet.
I mean M&A deals to play themarkets, information on the
(12:27):
planet.
I mean M&A deals to play themarkets, patents, trademarks,
copyrights all very valuableintellectual property and, of
course, lawsuits with bigbusinesses and VIPs, or real
estate deals knowing where thatnext big mall is going to go,
knowing where those interstatesare going to be built or
roadways.
You could take farmland that'sworth $15,000 an acre.
(12:49):
Well, if there's going to be10,000 acres developed for a new
mall or a new school or newexpansion, that property is
immediately worth more.
And so the bad guys, they wantto monetize anything that they
can and a lot of that insiderinformation.
(13:09):
Well, not a shocker here.
The lawyers have it becausethey're the ones writing the
contracts, the agreements, thestock purchase plans.
They're the ones that have themost insight and because of that
Russia, china, organized crimegroups they target the law firms
because the lawyers have moneyand they have data that they can
(13:32):
quickly turn into cash orBitcoin.
So, having that contextualawareness, that company
Braintrace.
We work with many, many lawfirms to help them recover from
data breaches and help themprotect themselves from these
bad actors out there.
And ultimately the company wassolid enough with enough
(13:54):
patented technology that Sophosbought the company a few years
ago.
So I've just been in this spacefor quite some time.
I also spent a year at a coupleof billion-dollar fintech
companies, each as their chiefinformation security officer,
trying to help them and helpthem get compliant with PCI and
(14:15):
other important regulations.
So I've got a lot of experiencethere.
But fortunately in my careerI've also been able to do a
considerable amount ofpenetration testing.
I've also been able to do aconsiderable amount of
penetration testing.
So basically putting my hackerhat on and trying to determine
can I get into this system, canI steal data and of course I
always did it with permission.
Getting permission in advance issuper important, but having
(14:39):
that mindset of if they tell meit's really secure, can they
back that up or are there waysfor me to get into the system?
And so the attorneys appreciatethat, because they want to have
someone acting as a bad actor,but with good intent, to see if
their defenses are actuallyfunctional or not.
(15:00):
And the sad thing is I'veprobably been involved with 40
penetration tests and we got in39 times out of the 40.
So very, very rarely arecompanies if this is their first
pen test or if this is thefirst time they're really taking
a look at it very rarely willthey keep the bad actors out.
(15:22):
And I've been involved withPentest, where the company was
worth hundreds of billions ofdollars and because of the same
thing, you know, the hackersonly have to find the one way
that hasn't been protected andthe CISOs have to think about
every way that the bad guy canget in.
(15:43):
And so it's even those, youknow, billion dollar, trillion
dollar companies.
They also get breached all thetime.
Speaker 1 (15:52):
All important things to consider when you're thinking
about protecting your law firmand your clients especially.
You know you remind me a lot ofmy friend over at Solera.
His name is Mike Levin and Mikewas just so.
He went into Solera about sixmonths ago as their CISO and
(16:13):
then a few months in the generalcounsel left.
So now he is CISO and generalcounsel because he happens to be
a lawyer.
So we just talked about thismaybe like a week ago and
there's this interestingintersection between
cybersecurity and legal you know.
So just side note, shout out toMike it sounds like you guys
(16:33):
would have a really goodconversation.
If you share a beer, share abeer or a coffee together, you
might have some things to talkabout.
So do you spend more of yourtime thinking about the
technology right, so the bitsand bytes of the platform of
Filevine or do you spend moretime thinking about the
(16:56):
attorney's office?
So are you perusing the code?
Or are you visiting various lawfirms and looking through and
looking at their filing cabinetand sort of performing a risk
assessment that way?
Where do you spend most of yourbrain energy the technology or
the firm?
Where do you spend most of yourbrain energy the technology or
the firm?
Speaker 2 (17:16):
I would say it's probably a hybrid of those two,
because, at the end of the day,the employees are the weakest
link at the firm.
It's the employee that, eventhough, if you think about
attorneys, they have to open updocuments.
They get documents from theirclients, they get documents from
(17:38):
opposing counsel, they getdocuments from the court system,
and so they're natively openingand reading content every
single day.
So, of course, anyone that youcan get to open a file may put
that firm at risk, and so it'skind of this challenge.
So I spend a lot of timethinking about how am I properly
(17:59):
protecting our people fromthemselves, from the fact that
they still use password 123, youknow from the last 35 accounts
that they've opened and so Ithink a lot about human behavior
and expediency, because, at theend of the day, attorneys do
(18:19):
want things to happen quickly.
So knowing that they want to dothings quickly means they want
to turn off two-factorauthentication.
They want to turn off any kindof filtering that prevents them
from doing research on websitesthat may or may not be good.
Right, there's a lot ofinformation out there online and
(18:42):
a lot of it's been poisoned.
A lot of the public, ais andthe large language models have
been poisoned with bad data.
We are even seeing coding toolswhere there are binaries in
these coding tools that aremalicious and they're designed
to go around the normal securityrules.
So I do spend time reviewingcode.
(19:04):
We have code scanning tools.
We have what's calledobservability tools.
They give us a high-level viewof potential risks and then I do
a lot of my own threat hunting,like I mentioned, and pen
testing to see does this controlactually stop a bad actor?
So it's kind of a 50-50 blend.
(19:27):
I worry about the people quite abit, but I also am on calls all
the time from these large firmsand their CISOs because they
want to have assurances that theFilevine platform is secure.
They want to have assurancesthat we're compliant.
So we have a robust auditingprogram where we do a SOC 2 type
(19:48):
2 every year, all five of thetrust services criteria.
We're doing four ISO auditsthis year 27001, 27701, 27018,
and 17.
So privacy, personallyidentifiable information, cloud
security, information securityso very robust audits and this
(20:12):
year we're actually going to.
We're already in the process ofworking on our FedRAMP moderate
ready status and as soon as weacquire a sponsor we'll be going
through authorization.
So we take security very, veryseriously, probably more
seriously than any of ourcompetitors, and I think that's
(20:32):
one of the big moats ordifferentiators between the file
line product stack and othertechnology out there is.
They simply haven't had thefunding or the investment
approved by their boards to getto this level of security and
because of that we're winninglarge government contracts.
Uh, foreign governments havebought our software.
(20:55):
I mean there's just a widespectrum of clientele where you
have fully functionalSalesforce-y kind of
capabilities in a legal techstack where we can completely
configure the platform.
And my team we even useFileVine to run our own
third-party vendor riskassessments and to generate
(21:19):
reports and to generatecompliance artifacts.
Speaker 1 (21:24):
And you practice what you preach.
I mean that's pretty reassuring, right.
If you weren't using FileVineto scrutinize yourself, then
people might go, okay, whattechnology are you using to
scrutinize yourself?
And maybe we'll go with them.
Well, when you said FedRAMP, itdid make me think the
government route.
So what is the differencebetween government attorneys or
(21:48):
government?
I didn't even know there wassuch a thing.
So what is the inside storythere?
I mean, what is the differencebetween a government attorney?
I'm even trying to like wrap myhead around this, Like the
attorney general's office.
What is what?
Who are the attorneys that arein the government that need this
(22:12):
kind of technology?
Speaker 2 (22:14):
Sure, well, we'll kind of start small.
So at a city level, there arecity attorneys that have to help
defend, for example, the firedepartment.
If somebody parks in front of afire hydrant, it's the only
place to get water.
The office, the, the firemen orfirewomen might have to run
(22:37):
that hose right through the car,right, they break the two
windows, they run it through,they hook it up and and,
unfortunately, that vehiclemight be stuck there for a day
while they're dealing with allof the, you know, putting out
the fire or whatever, andsometimes they have to deal with
litigation or someone is harmed.
So there's attorneys at a citylevel and then, of course, at
(23:01):
many states, there's the stateattorney general's office, like
you mentioned, and many AGoffices are our clients because
they need to help represent thecity and the state when it comes
to litigation, when it comes toany kind of new purchases Maybe
they're trying to do deals tobring in new investment, new
(23:24):
businesses to come into thestate.
So the attorney's offices dealwith a lot of things.
One of them that they deal withis a lot of crime, right?
So tax fraud If the state AGneeds to prosecute tax crime,
the IRS published an updatedrule 1075, last year or perhaps
the year before, basically saysthat you cannot handle federal
(23:47):
taxpayer information, fti dataunless that data is stored in a
federal moderate system.
So now you have attorneygenerals, they want to prosecute
tax crime and they're beingtold by the IRS.
You can do it, but you have toprotect it at a very, very high
level.
Well, if you go to the Amazonmarketplace or if you go to the
FedRAMP marketplace, therearen't a lot of vendors that can
(24:10):
meet that standard.
Speaker 1 (24:12):
Yeah, because it's really expensive.
To get FedRAMP certified islike 50 grand minimum.
It's like, wow, just so I canget one or two government
contracts.
But if you're doing loads ofgovernment contracts it makes
sense and that's just for thefirst audit, that kind of 50,
the 100 grand.
Speaker 2 (24:29):
That's just for the very first audit and that's
assuming you already knew all ofthe things that had to happen
to be FedRAMP moderate.
So we have.
We've been selling CJIScriminal justice information
services customers with FileVinefor several years.
Many, many states around the USare using our software to help
(24:52):
their attorneys handle the cases, to handle all of this
sensitive stuff.
And if you think aboutgovernment has a lot of
attorneys across the board andnow we're working toward trying
to get federal governmentagencies that have attorneys and
lawyers and think of, like theJAG in different military groups
(25:13):
they have attorneys that haveto handle the legal matters as
well.
So across every, I think,segmentation of attorneys, the
government has a lot of them andso it's very, very popular and
so we have again clients acrossthe spectrum probably 40
(25:34):
government agencies so far andwe're working to get the trust
and the FedRAMP authorizationfor more.
Speaker 1 (25:42):
Now I see why you guys have to be so secure,
because if you're protectinggovernment agencies and
government legal law government,what is the best way to put
this?
Government law offices?
And you know it can getpolitical really quickly because
, let's say, you know, we knowwe have the red team and the
blue team.
This is the other red team andthe blue team, not the defense
(26:05):
and the offense penetrationtesters, but the Democrips and
the Rebloodlicans, as JesseVentura puts it.
If you are a bad actor and ifthis thing gets really political
really quickly, you can messwith the processes and the
information of one team over theother.
(26:26):
Right, you can get access toinformation.
That's not good.
That's not good and I'm alwaysreally cautious whenever I talk
about this kind of stuff with myguests, because in
cybersecurity you can.
Somebody's listening to thispodcast, the wrong person
listening to it might get anidea, but we have to talk about
it anyways.
But if your technology isn'tironclad, doesn't have a
(26:51):
superior standard for security,some bad actors can really get
in there and do damage to theopposing side or their opposing
party.
Call them hacktivists.
Whatever they are.
They're criminals and I can seenow why.
Even beyond protecting theinformation of the run of the
mills attorney, your friendlyneighborhood lawyer.
(27:12):
It makes more sense that youguys are holding so much data
that in some way, a bad actorcan use as a partisan weapon in
order to attack the other side.
Speaker 2 (27:25):
They certainly can try and I can tell you we see
attacks from Russia and Chinaand within the United States and
North Korea every day.
I mean, china's been the numberone attacker for years.
I mean millions and millions ofattacks a day.
So you know, they know wheredata is that's valuable.
(27:46):
They know that they go afterthe law firms.
The law firms are sort of thesoft underbelly of the US
economy when it comes to threatslike that.
And we do know that there isespionage and that there are,
you know, politically motivatedevents and things.
Our goal is stop all of them.
We don't care who it is, wedon't want anyone to get access
(28:08):
to any data.
But it's also a sharedresponsibility model, because we
could build all the securityprotocols in the world and we
certainly try to have many, manylayers of security.
But if that attorney does notallow their IT team to turn on
two-factor and they have apassword, that's simple, it will
(28:30):
be compromised.
I mean the one thing about thehackers they listen to their
moms when they were kids andthey share, so after they pop,
you know 15 million accountsfrom TJ Maxx and 30 million
accounts from Target and youknow 150 million accounts from
Experian breaches or Equifaxbreaches or whatever.
(28:53):
They put all that data on thedark web and they share it.
Now they might charge for it,but they still share the data so
that the bad guys can say wellhuh, I see Dean's got a live
email account from 2004 and itlooks like he's got a PayPal
account and he's got a Robloxaccount for his kids.
(29:17):
Let's just try the samepasswords across those accounts.
I actually think I have like170 online accounts and so I try
to have a password strategy orpassphrase strategy so that
they're different.
But a lot of people don't eventhink about it.
They'll use the same exactpassword for their personal
(29:39):
email as their work email, astheir bank account, and all the
bad guys have to do is justfigure out okay, well, we know
this is his email.
Let's just try the last 30passwords we've seen from these
data breaches.
Try the last 30 passwords we'veseen from these data breaches
(30:04):
and invariably, if there's badhabits on the part of the
attorney, they're going to getcompromised and then whatever
they can see online is free game.
We take it very seriously andwe look at things like like are
two people logging into thisaccount at the same time from
different parts of the world?
That's a hard no right are.
Are they trying to get in?
Are they password spraying?
(30:25):
Are they brute forcing?
You know?
And and then by we all have oneof the best identity services,
protecting file vine andallowing customers to connect in
with their Azure AD or theirOkta IAM tool or ping, whatever
identity platform they use, sothat they can enforce the rules
(30:47):
that they want.
Like, we enforce four factorsor five factors on our employees
, depending on a risk-basedapproach, so that there's never
one thing that can be used.
You have to have them all insequence.
You have to be coming from adevice that we've issued you.
That device has to have a validcertificate.
(31:09):
You have to have the standardusername and password.
You have to have a multi-factorauth.
You must be coming from anetwork that we've seen before.
That we expect.
I mean, there's all thesedifferent things that make it so
that a bad actor, even if theystole a device, could not use
that device to do anything.
(31:30):
dola device could not use thatdevice to do anything, and so
that's the approach that we take.
Speaker 1 (31:38):
But many attorneys are just like no, I just
password 123 is good for me.
Here we go, yeah.
Yeah, I feel like that strategyof having sort of a philosophy
or a system that is the realreplacement for a password.
Right, if you can come up with.
You know, some people sort ofcome up with like a code, almost
like a cipher, that they couldremember so that you know and
(32:00):
that is really easy to rememberand you can apply it to so many
different phrases or so manypasswords.
But it's a simple fix, a simplesolution that a lot of people
really don't think about.
I'm sure the lawyers and theattorneys aren't really thinking
about.
So, around that, what are youdoing to educate your customers?
Because a lot of times theydon't know what they don't know
(32:21):
and as much as the technologycan help support them and you
can throw all the bells andwhistles at them, all the best
code, like you said, they mightdo something stupid because of
human error or just you can'tblame them because they're not
security experts.
So what do you do and what areyou doing to educate those
buyers, to ensure that thathuman factor, that human risk is
(33:04):
under control.
Speaker 2 (33:06):
Well, we do put a considerable amount of material
together.
We do webinars like these forour customers.
We also talk about, you know,email that goes out to our
clients with best practices.
We remind them aboutCybersecurity Month coming up
and other things to try and helpeducate.
We also have produced a largenumber of classes online called
(33:29):
Filevine University, where wetalk about the different things.
Here's how you should log in tothe platform.
You know, here are ways toproperly protect documents you
send out, because you canpassword protect documents you
send through Filevine.
You can time bomb them.
You can have a share link thatonly goes to employees.
(33:51):
I mean, there are a lot ofdifferent controls that are in
place, and then we even dothings like tell people look, we
are scanning your files withthree different scan engines for
malware technologies.
(34:12):
We don't rely on a single thing, a single control, because in
in a security world, no singlecontrol is foolproof and that's
super important to have theselayers of defenses yeah, it's
the underrated solution, whichis just educational information.
Speaker 1 (34:28):
I love that you guys have a file vine University,
because you can get ahead of alot of risks just by getting in
front of people and you knowshowing them how it's done.
All right, in the time that wehave left, I want to cover AI.
Right, ai is really big.
Everybody's talking about AI,ai, ai.
Okay, all right, we get it,it's important.
But how is Filevineimplementing AI and what are
(34:50):
your plans for the future?
Speaker 2 (34:52):
Yeah, well, to underscore what you said, not
only is AI important, ai iscritically important when you're
comparing documents and text,because AI is very, very good at
looking at text.
And then the way an AI modeltypically works is you'll take
text and you'll convert it intothese vectors.
(35:13):
These vectors go into databasesand then the databases are able
to use the LLMs to determineaccuracy and to create new
documents.
So if you have 30 years of, say, demand letters at your firm
and you have a folder of demandletters for State Farm and you
(35:34):
have a folder for demand lettersfor Allstate or whoever Farmers
Insurance, whoever it might be,and then you can sub-break out
okay, those demand letters forState Farm, I need the ones from
Florida and I need them fromthis particular circuit court.
So now you can basically saylike for like, we have 12 cases
(35:57):
involving this insurance companywhere their client was at fault
for this type of an accident,and here was the demand letter
that actually closed the deal.
Well, that would take a legalresearch team quite a bit of
time.
It's not uncommon for that tobe a four to six week exercise
(36:19):
and you might have an attorney,a couple of paralegals, a legal
researcher, and then you have tomake sure that they have access
to all of the different filefolders or cabinets or whatever.
However, you're storing it.
So we tell people, digitizeeverything you have ingested in
(36:40):
the FileVine and then let the AIin FileVine tell you what are
the awards that have beengranted.
What are the awards that havebeen granted?
You can ask it prompts or youcould just say here's 1,500
demand letters that apply tothis case.
Write me a new one, and the AIthat's been trained on private
(37:14):
data, not trained on thecustomer data is able to then go
through all of theirinformation, synthesize a new
demand letter and then we have alegal researcher, a demand
letter expert, that works atFilevine and then they do the
final review before it goes backto the firm.
So we're seeing it go from afour to six week period to a one
day or nextday service.
You can get that demand letterback.
So tremendous scale reduction,tremendous efficiency gains.
(37:39):
And that's similar, for we havean immigration product.
Typically, it would take fourto six hours to fill out an
immigration packet by anattorney, because it might be in
a hundred languages, it mighthave a hundred different types
of national IDs or passports.
So by using AI that'sspecifically tailored to
(38:01):
immigration.
We can get that.
We actually asked one of ourlargest immigration firms.
They can get that process downto under an hour per packet
immigration firms.
They can get that process downto under an hour per packet.
So again, now they can servicefour or five times as many
clients just by leveraging it.
And the great thing about the AIis it doesn't get tired.
It doesn't say no, I don't wantto go look at 10,000 pages of
(38:25):
case data.
The AI will do it.
It will look at it and then youcan say tell me the 10 most
important things about this caseor tell me what are the due
dates coming up.
What's our current strategy ona particular case?
The AI can become contextuallyaware and can then generate a
(38:48):
remarkable accurate, 90 pluspercent accurate product.
Most people are not 90 percentaccurate, let's be honest.
Particularly when it's laborintensive, when you're having to
read and synthesize a largeamount of written information in
a short time period, ai is verygood for that.
Speaker 1 (39:16):
How are your clients reacting to that AI shift?
Are they skeptical, are theyworried or do they completely
embrace it?
Speaker 2 (39:25):
I think they're always skeptical until they see
it work and they see the quality.
Speaker 1 (39:31):
And they know how it improves their revenue Exactly.
Speaker 2 (39:35):
Exactly Because public AI has a tendency to
cause hallucinations.
Public AI is largely creativeand less analytical.
We train all of our AI or tune,I should say, all of our AI
models to zero creativity and asmuch analytical comparison as
(39:56):
they can, and some of these AImodels are better than others.
So we use like four differentAIs with enterprise contracts.
So if we use the AI, the AI isnever going to keep their
information.
It's never going to put it intothe public domain.
It's immediately designed towrite the response back into
(40:21):
FileVine and then delete it frommemory so that there's no
customer data that ever leaves atrusted, secured environment
Excellent.
So that's one of the few thingsthat very few companies are
doing that and that's going tobe critical for the attorneys to
have a high confidence thattheir data, their client's data,
(40:42):
is not going to ever be exposed.
Speaker 1 (40:45):
How do you personally feel about AI?
Are you worried about anything?
Is there anything about AI thatkeeps you up at night?
Speaker 2 (40:52):
Well, I do worry, but I also feel for the legal space
.
It's going to make the biggestleaps and bounds to improve
legal services so that peoplewho are underserved today can
get the care, the legal carethat they need, and it should
drive the costs of certainthings down, like the cost to
(41:13):
get a goodwill right.
A cost to get certaindocumentation that's fairly
standard should drive that downconsiderably and it will allow
the attorneys and paralegals tofocus on work that needs more
experience and thought andprecedence that, frankly, only
(41:35):
humans can do really, reallywell right now that the AI
cannot.
But in the next 10 years it'llbe another discussion entirely.
I do believe you have to haveguardrails because we know there
have been cases where AI hasbeen bullying children.
It has said horrible thingsthat they should probably go
(41:59):
kill themselves.
So anytime AI, the AI wasannoyed because you know, in a
couple of cases, kids wereasking it questions and it
copped an attitude and startedattitude and started really
going off the rails.
So we have to be aware thatpublic AIs get poisoned.
(42:33):
And training and promptengineering and all the things
that we do.
We have data scientists, promptengineers, data warehouse
experts, modeling experts.
If you don't have those teams,then you're using it in a very
risky way.
But we put a tremendous amountof thought and we've been
working on it for about twoyears last question.
Speaker 1 (42:55):
So now that file vine basically has steroids injected
into it, that's basically theai.
The ai beefs it up right andit's doing all these marvelous
things and much better thanhumans can should is this going
to erase anyone's job?
I'm thinking specifically theparalegals.
(43:16):
What is something like Filevinethat is so powerful, that
delivers so much efficiency,doesn't get tired, doesn't sleep
, doesn't ask questions unlessit's been poisoned?
It's not messing with your kids.
Ask questions unless it's beenpoisoned.
You know it doesn't.
It's not messing with your kids.
What is that going to do tothose employees who it's their
(43:41):
bread and butter every day toget up and do a lot?
Speaker 2 (43:42):
of that manual labor.
I would say there's probably anintersection in the future
where that becomes more relevant.
I think today those paralegalscan leverage the technology to
do more work Right.
So it would allow their firmstoday to take on a greater
workload.
And because you still needqualified, skilled people that
(44:08):
can can take data out of contextor in context and fact check it
.
Sometimes the AI will do itsbest and it still isn't quite
there.
I would say speed and quantityare the AI's benefit.
Quality sometimes still takes astep back and that's where we
(44:29):
actually have to work with theclient to make sure that the
data science model is good fortheir particular use case, if
they're using it for somethingnew, because we have very
purpose-built AIs and if it'soutside of that purpose, you
still need really capable people.
So I would say it is going tobe a risk.
(44:49):
I don't know that it's a riskas much today, but this is
another reason why paralegals Iwould strongly encourage them
get tech savvy, do as much asyou can to upskill yourself,
because learning how to use thetechnology now you have a real
(45:10):
force multiplier, somebody who'sknowledgeable and skilled, that
can also use the technologybetter.
They're going to betterthemselves and better their
clients and ultimately help morepeople.
I think a lot of lawyers simplywant to help people through the
worst times in their lives andbe paid fairly to do so lives
and be paid fairly to do so.
Speaker 1 (45:30):
Dean Sapp says so at Filevine.
Thanks so much for being withus today and being so gracious
with your time.
And if people want to findFilevine and learn more about
you, follow you.
Where can they go to follow you?
Speaker 2 (45:43):
So they can go to Filevinecom to learn more about
the company.
We have a security section, sofilevinecom slash security.
You can see more of my contentthere, as well as on LinkedIn
and some of the other socialmedia platforms.
Speaker 1 (46:00):
Awesome.
Thank you for listening to thisepisode of Cybernomics.
If you want to find me, you canfind me on LinkedIn.
I'm most active on LinkedIn, sojust search for Josh Bruning
B-R-U-Y-N-I-N-G.
If you want to learn more aboutBruning Media and what we do,
check us out at bruningcom.
B-r-u-y-n-i-n-gcom.
Thanks for listening to thisepisode of Cybernomics.
(46:21):
Bye.
Speaker 2 (46:23):
Thank you.
Welcome to another episode of Cybernomics.
I'm Josh Bruning and I'm heretoday with Dean Sapuza-Sisso at
Filevine.
And so, dean, when we talkedthe last time, you described
Filevine to me and I'm going toput it in my words, and then
I'll give you a chance to put itin your words because, let's be
honest, I don't always do itjustice, but what I understand
Filevine to be is a platformthat allows lawyers, law firms I
(00:25):
don't know, legal experts,maybe you roped into that a
whole bunch but primarily lawfirms.
And I understand quite a lot oflaw firms around the world are
using Filevine to organize theprocesses that go into all the
legalese right.
So the lawyers are documenting,they're putting together files,
they're keeping all theirclients stuff straight, and
(00:47):
Filevine is just this platformthat helps them to do that and
do it securely.
So let's imagine the old dayswhen you go into the lawyer's
office and there's a huge filingcabinet that and I'm thinking
even of like a John grishamnovel right where he always
points to like the giant filecabinet, and there's all kinds
(01:10):
of stuff in there, and there'seven someone who is responsible
for organizing all thatinformation the poor uh, you
know whether it's a, a paralegalor there's some old lady again
referring to, referring to theJohn Grisham novels who is just
really good at organizing allthat stuff.
But the old days are over, thenew days are in, and law firms
(01:34):
are no longer managing thecomplexities of everything that
goes into handling their casesand their files, and so that's
when you need technology to helpmake sure they're not missing
anything.
And of course, you, being theCISO, you're responsible for the
security of that platform, ofthe technology and also staying
ahead of new technologies,including AI.
(01:56):
So that's my long-winded,imperfect way of describing
Filevine.
How would you describe Filevineway of describing?
Speaker 2 (02:05):
Filevine.
How would you describe Filevine?
I would say that, in itssimplest terms, what Salesforce
is to sales professionals,filevine is to legal
professionals.
You can run your entire firmfrom a single platform, from
intake, conflict checking,onboarding, a client, doc
(02:27):
management, matter management,contract lifecycle management.
It's a full-service suite ofproducts.
We have e-signature products.
We have at least six AIproducts that are very
feature-specific for differentcases in the legal space.
So it's really designed to bean entire ecosystem to run a law
(02:49):
firm, a legal department, evendo legal research for expert
witnesses, et cetera.
So it's the 2.0 version oflawyering in 2025.
Speaker 1 (03:03):
What is the history of Filevine?
How did it come about?
What were the founders thinking?
And you know why them.
And then we can talk about thebusiness case and the problems
that you're solving today.
Speaker 2 (03:17):
Sure.
Well, two of the founders werepartners of the law firm, so
Ryan Anderson and Nate Morris.
They were practicing attorneys.
They were running a largepersonal injury firm out of Las
Vegas called Bighorn Law, andthe nature of personal injury is
(03:39):
it's often very transactional.
It falls into a line ofbusiness or legal work.
It's called contingency law,which means the case is
contingent upon winning.
So the lawyers are taking all ofthe risk.
They might get 300 accidentswhere someone was injured, the
(04:02):
insurance isn't paying up andthe person's out of work and is
in real financial distressbecause of the injury of someone
who hit them in a hit and runor something like that.
So contingency law means youreally need to know your facts
about the case.
You need to know that if you canhelp this individual and that
(04:23):
you can recover the fees suchthat the firm doesn't lose money
, isn't going out of businessbecause they took on a large
case and they didn't havesufficient facts and then they
lost, well, the firm eats all ofthose fees, and so contingency
law means you have to reallyknow your client.
You really have to know thefacts of the case, and so, with
(04:46):
a transactional type casework,they needed to be able to handle
all of these new matters thatwere coming in, get them in the
right location, do all of theirconflict checking to make sure
that they didn't represent theother insurance party, and so
forth.
So we've been around for about10 years and expanding from the
(05:08):
PI space to corporate legaloffices around the world and
businesses that are in theFortune 50, as well as expanding
to what's called the AM100, theAM200, the top largest law
firms in the country that allneed to get efficient with what
they're doing with case andmatter management.
Speaker 1 (05:30):
How many law firms do you service today?
Speaker 2 (05:33):
You know that number is a little fluid, but it's
somewhere between 4,500 and5,000.
And it's been growing sinceI've been at Filevine.
I've been at Filevine for aboutand it's been growing since
I've been at Filevine.
I've been at Filevine for aboutfive and a quarter years and
we're constantly.
We have a channel, our closedone channel, whenever we have
(05:53):
new customers sign on board andit's like popcorn at the end of
any particular month or quarterwith the new firms that are
joining the ranks or expandingto use some of our new AI
technology or new services.
Speaker 1 (06:09):
So, generally, what is the business case for those
decision makers that areswitching to Filevine, and is
security a part of thatdecision-making criteria?
Speaker 2 (06:23):
I believe security and privacy are two of the
critical decisions that firmsconsider when they're making a
switch.
Often we find that it'susability Our product is
extremely flexible.
It's also configurationsettings.
How many ways can you make thecase go up for the respective
(06:45):
people?
Because the paralegal may needto see the document section and
make sure that they're gettingthe right documents to the
attorneys to review.
The attorneys are redliningthese documents.
They need to make sure thatthose correct red lines are sent
to opposing counsel.
So then you need to make sureopposing counsel can see the
(07:06):
documents and, if you want themto, to redline them and then
send them back or you know andbeing able to do all of that in
like a portal where the customersees what's related to them,
the attorney attorney sorry,opposing counsel or co-counsel
sees what they need to see.
It's really about making aprocess it's very paper centric
(07:31):
and slow by nature andoptimizing it.
Because if you can, if you canredline contracts in the
contract life cycle managementtool and everybody can see the
edits and then you can justagree to incorporate that new
language into the contract.
Everybody saves time, right?
So you know when firms bill bythe hour.
(07:51):
You know you would think thatthey don't really care how long
it takes, but the reality isthey want to be efficient 80,
100-hour weeks and be able to dothe same, you know, service as
many people, as many clients, asthey can with the staffing that
(08:11):
they have.
And so when firms are lookingat becoming more efficient, you
know Filebind is one of the topchoices right now in the legal
space for efficiencies fromthese technological gains.
We have unlimited storage, so itdoesn't matter how many
documents you want to store.
We don't charge extra forstorage.
We have a very robust securityprogram and, like you said, in
(08:34):
the day and age we live in withstate laws mandating security
requirements or privacyrequirements.
It's top of mind for many, manyfirms.
And, of course, requirements.
It's top of mind for many, manyfirms.
And, of course, avoiding amaterial data breach.
Many of the law firms out therethat I read reports on of them
getting breached, and it'salmost a weekly occurrence.
(08:55):
And so by separating out yourfirm's local network from a
cloud service provider whereeverything's hardened and
secured, it reduces the risk tothe firm, because we've had
several firms that said you knowwhat, if we had not moved to
Filevine, we would have been inbig trouble because we copied
all of our documents and movedthem up into the Filevine cloud
(09:18):
and then two days later, ourentire network was ransomed.
All of our local file storage,our servers, our backups was
ransomed.
All of our local file storage,our servers, our backups,
everything was encrypted.
And they wanted five Bitcoinand we didn't have five Bitcoin
to give them and there was noguarantee, even if we paid them,
we would even get our documentsback.
But fortunately we made themove.
(09:39):
We went out to Costco orWalmart or Sam's Club and bought
a bunch of new laptopsEverybody wanted a new device
anyway and they were up andworking in a matter of minutes.
So it really has been abusiness saver for many of our
clients and also helping to getthem more efficient with the
(10:01):
current staff they have get themmore efficient with the current
staff they have.
Speaker 1 (10:08):
Wow, you know, dean, you speak legal very well.
At least to my layman's monkeybrain.
It sounds like you're a legalexpert and I know you're not a
lawyer, but you've been aroundall of this lawyer stuff for a
number of years.
Do you kind of feel like theyyou know they should give you an
honorary, you know, pass on theboard or you know some kind of
(10:29):
something, because you do haveto know your stuff, like what
was your background and how didthat even prepare you to do this
job?
Speaker 2 (10:37):
Thanks, great question.
Well, I will say I have beendesignated as a you know, an
expert witness in Utah.
I've been involved with severalcases and of course that takes
a lot of time and effort and thecourt is the only one that can
determine if you are an expertor not.
But my background prior toworking at Filevine has been in
(10:59):
the legal space.
I spent the greater part of adecade working at an AM100 law
firm and so building both theirIT and security practices.
This law firm had a very largeclient that was in a regulated
environment and so the regulatedindustries have the most laws
(11:20):
about cybersecurity.
So they pushed those cyberrequirements down to our firm
and then my job was to make surethat the firm was meeting all
of these requirements.
So I did that for over eightyears.
And then I also spent abouteight years with a very large
multinational, helping theirfinance and legal department,
(11:42):
amongst others, and so workingto protect the lawyers they had
attorneys in 120 countries andmaking sure that their
technology was good and secure,making sure that all of the
networking between thesedifferent offices around the
world were hardened andfirewalled and protected.
(12:02):
So I've been doing quite a bitthere.
And then I spent about threeyears building a cybersecurity
startup called Braintrace, andthen we were solely focused on
helping to protect law firms.
Because, if you think about it,law firms are data aggregators
of some of the most valuableinformation on the planet.
I mean M&A deals to play themarkets, information on the
(12:27):
planet.
I mean M&A deals to play themarkets, patents, trademarks,
copyrights all very valuableintellectual property and, of
course, lawsuits with bigbusinesses and VIPs, or real
estate deals knowing where thatnext big mall is going to go,
knowing where those interstatesare going to be built or
roadways.
You could take farmland that'sworth $15,000 an acre.
(12:49):
Well, if there's going to be10,000 acres developed for a new
mall or a new school or newexpansion, that property is
immediately worth more.
And so the bad guys, they wantto monetize anything that they
can and a lot of that insiderinformation.
(13:09):
Well, not a shocker here.
The lawyers have it becausethey're the ones writing the
contracts, the agreements, thestock purchase plans.
They're the ones that have themost insight and because of that
Russia, china, organized crimegroups they target the law firms
because the lawyers have moneyand they have data that they can
(13:32):
quickly turn into cash orBitcoin.
So, having that contextualawareness, that company
Braintrace.
We work with many, many lawfirms to help them recover from
data breaches and help themprotect themselves from these
bad actors out there.
And ultimately the company wassolid enough with enough
(13:54):
patented technology that Sophosbought the company a few years
ago.
So I've just been in this spacefor quite some time.
I also spent a year at a coupleof billion-dollar fintech
companies, each as their chiefinformation security officer,
trying to help them and helpthem get compliant with PCI and
(14:15):
other important regulations.
So I've got a lot of experiencethere.
But fortunately in my careerI've also been able to do a
considerable amount ofpenetration testing.
I've also been able to do aconsiderable amount of
penetration testing.
So basically putting my hackerhat on and trying to determine
can I get into this system, canI steal data and of course I
always did it with permission.
Getting permission in advance issuper important, but having
(14:39):
that mindset of if they tell meit's really secure, can they
back that up or are there waysfor me to get into the system?
And so the attorneys appreciatethat, because they want to have
someone acting as a bad actor,but with good intent, to see if
their defenses are actuallyfunctional or not.
(15:00):
And the sad thing is I'veprobably been involved with 40
penetration tests and we got in39 times out of the 40.
So very, very rarely arecompanies if this is their first
pen test or if this is thefirst time they're really taking
a look at it very rarely willthey keep the bad actors out.
(15:22):
And I've been involved withPentest, where the company was
worth hundreds of billions ofdollars and because of the same
thing, you know, the hackersonly have to find the one way
that hasn't been protected andthe CISOs have to think about
every way that the bad guy canget in.
(15:43):
And so it's even those, youknow, billion dollar, trillion
dollar companies.
They also get breached all thetime.
Speaker 1 (15:52):
All important things to consider when you're thinking
about protecting your law firmand your clients especially.
You know you remind me a lot ofmy friend over at Solera.
His name is Mike Levin and Mikewas just so.
He went into Solera about sixmonths ago as their CISO and
(16:13):
then a few months in the generalcounsel left.
So now he is CISO and generalcounsel because he happens to be
a lawyer.
So we just talked about thismaybe like a week ago and
there's this interestingintersection between
cybersecurity and legal you know.
So just side note, shout out toMike it sounds like you guys
(16:33):
would have a really goodconversation.
If you share a beer, share abeer or a coffee together, you
might have some things to talkabout.
So do you spend more of yourtime thinking about the
technology right, so the bitsand bytes of the platform of
Filevine or do you spend moretime thinking about the
(16:56):
attorney's office?
So are you perusing the code?
Or are you visiting various lawfirms and looking through and
looking at their filing cabinetand sort of performing a risk
assessment that way?
Where do you spend most of yourbrain energy the technology or
the firm?
Where do you spend most of yourbrain energy the technology or
the firm?
Speaker 2 (17:16):
I would say it's probably a hybrid of those two,
because, at the end of the day,the employees are the weakest
link at the firm.
It's the employee that, eventhough, if you think about
attorneys, they have to open updocuments.
They get documents from theirclients, they get documents from
(17:38):
opposing counsel, they getdocuments from the court system,
and so they're natively openingand reading content every
single day.
So, of course, anyone that youcan get to open a file may put
that firm at risk, and so it'skind of this challenge.
So I spend a lot of timethinking about how am I properly
(17:59):
protecting our people fromthemselves, from the fact that
they still use password 123, youknow from the last 35 accounts
that they've opened and so Ithink a lot about human behavior
and expediency, because, at theend of the day, attorneys do
(18:19):
want things to happen quickly.
So knowing that they want to dothings quickly means they want
to turn off two-factorauthentication.
They want to turn off any kindof filtering that prevents them
from doing research on websitesthat may or may not be good.
Right, there's a lot ofinformation out there online and
(18:42):
a lot of it's been poisoned.
A lot of the public, ais andthe large language models have
been poisoned with bad data.
We are even seeing coding toolswhere there are binaries in
these coding tools that aremalicious and they're designed
to go around the normal securityrules.
So I do spend time reviewingcode.
(19:04):
We have code scanning tools.
We have what's calledobservability tools.
They give us a high-level viewof potential risks and then I do
a lot of my own threat hunting,like I mentioned, and pen
testing to see does this controlactually stop a bad actor?
So it's kind of a 50-50 blend.
(19:27):
I worry about the people quite abit, but I also am on calls all
the time from these large firmsand their CISOs because they
want to have assurances that theFilevine platform is secure.
They want to have assurancesthat we're compliant.
So we have a robust auditingprogram where we do a SOC 2 type
(19:48):
2 every year, all five of thetrust services criteria.
We're doing four ISO auditsthis year 27001, 27701, 27018,
and 17.
So privacy, personallyidentifiable information, cloud
security, information securityso very robust audits and this
(20:12):
year we're actually going to.
We're already in the process ofworking on our FedRAMP moderate
ready status and as soon as weacquire a sponsor we'll be going
through authorization.
So we take security very, veryseriously, probably more
seriously than any of ourcompetitors, and I think that's
(20:32):
one of the big moats ordifferentiators between the file
line product stack and othertechnology out there is.
They simply haven't had thefunding or the investment
approved by their boards to getto this level of security and
because of that we're winninglarge government contracts.
Uh, foreign governments havebought our software.
(20:55):
I mean there's just a widespectrum of clientele where you
have fully functionalSalesforce-y kind of
capabilities in a legal techstack where we can completely
configure the platform.
And my team we even useFileVine to run our own
third-party vendor riskassessments and to generate
(21:19):
reports and to generatecompliance artifacts.
Speaker 1 (21:24):
And you practice what you preach.
I mean that's pretty reassuring, right.
If you weren't using FileVineto scrutinize yourself, then
people might go, okay, whattechnology are you using to
scrutinize yourself?
And maybe we'll go with them.
Well, when you said FedRAMP, itdid make me think the
government route.
So what is the differencebetween government attorneys or
(21:48):
government?
I didn't even know there wassuch a thing.
So what is the inside storythere?
I mean, what is the differencebetween a government attorney?
I'm even trying to like wrap myhead around this, Like the
attorney general's office.
What is what?
Who are the attorneys that arein the government that need this
(22:12):
kind of technology?
Speaker 2 (22:14):
Sure, well, we'll kind of start small.
So at a city level, there arecity attorneys that have to help
defend, for example, the firedepartment.
If somebody parks in front of afire hydrant, it's the only
place to get water.
The office, the, the firemen orfirewomen might have to run
(22:37):
that hose right through the car,right, they break the two
windows, they run it through,they hook it up and and,
unfortunately, that vehiclemight be stuck there for a day
while they're dealing with allof the, you know, putting out
the fire or whatever, andsometimes they have to deal with
litigation or someone is harmed.
So there's attorneys at a citylevel and then, of course, at
(23:01):
many states, there's the stateattorney general's office, like
you mentioned, and many AGoffices are our clients because
they need to help represent thecity and the state when it comes
to litigation, when it comes toany kind of new purchases Maybe
they're trying to do deals tobring in new investment, new
(23:24):
businesses to come into thestate.
So the attorney's offices dealwith a lot of things.
One of them that they deal withis a lot of crime, right?
So tax fraud If the state AGneeds to prosecute tax crime,
the IRS published an updatedrule 1075, last year or perhaps
the year before, basically saysthat you cannot handle federal
(23:47):
taxpayer information, fti dataunless that data is stored in a
federal moderate system.
So now you have attorneygenerals, they want to prosecute
tax crime and they're beingtold by the IRS.
You can do it, but you have toprotect it at a very, very high
level.
Well, if you go to the Amazonmarketplace or if you go to the
FedRAMP marketplace, therearen't a lot of vendors that can
(24:10):
meet that standard.
Speaker 1 (24:12):
Yeah, because it's really expensive.
To get FedRAMP certified islike 50 grand minimum.
It's like, wow, just so I canget one or two government
contracts.
But if you're doing loads ofgovernment contracts it makes
sense and that's just for thefirst audit, that kind of 50,
the 100 grand.
Speaker 2 (24:29):
That's just for the very first audit and that's
assuming you already knew all ofthe things that had to happen
to be FedRAMP moderate.
So we have.
We've been selling CJIScriminal justice information
services customers with FileVinefor several years.
Many, many states around the USare using our software to help
(24:52):
their attorneys handle the cases, to handle all of this
sensitive stuff.
And if you think aboutgovernment has a lot of
attorneys across the board andnow we're working toward trying
to get federal governmentagencies that have attorneys and
lawyers and think of, like theJAG in different military groups
(25:13):
they have attorneys that haveto handle the legal matters as
well.
So across every, I think,segmentation of attorneys, the
government has a lot of them andso it's very, very popular and
so we have again clients acrossthe spectrum probably 40
(25:34):
government agencies so far andwe're working to get the trust
and the FedRAMP authorizationfor more.
Speaker 1 (25:42):
Now I see why you guys have to be so secure,
because if you're protectinggovernment agencies and
government legal law government,what is the best way to put
this?
Government law offices?
And you know it can getpolitical really quickly because
, let's say, you know, we knowwe have the red team and the
blue team.
This is the other red team andthe blue team, not the defense
(26:05):
and the offense penetrationtesters, but the Democrips and
the Rebloodlicans, as JesseVentura puts it.
If you are a bad actor and ifthis thing gets really political
really quickly, you can messwith the processes and the
information of one team over theother.
(26:26):
Right, you can get access toinformation.
That's not good.
That's not good and I'm alwaysreally cautious whenever I talk
about this kind of stuff with myguests, because in
cybersecurity you can.
Somebody's listening to thispodcast, the wrong person
listening to it might get anidea, but we have to talk about
it anyways.
But if your technology isn'tironclad, doesn't have a
(26:51):
superior standard for security,some bad actors can really get
in there and do damage to theopposing side or their opposing
party.
Call them hacktivists.
Whatever they are.
They're criminals and I can seenow why.
Even beyond protecting theinformation of the run of the
mills attorney, your friendlyneighborhood lawyer.
(27:12):
It makes more sense that youguys are holding so much data
that in some way, a bad actorcan use as a partisan weapon in
order to attack the other side.
Speaker 2 (27:25):
They certainly can try and I can tell you we see
attacks from Russia and Chinaand within the United States and
North Korea every day.
I mean, china's been the numberone attacker for years.
I mean millions and millions ofattacks a day.
So you know, they know wheredata is that's valuable.
(27:46):
They know that they go afterthe law firms.
The law firms are sort of thesoft underbelly of the US
economy when it comes to threatslike that.
And we do know that there isespionage and that there are,
you know, politically motivatedevents and things.
Our goal is stop all of them.
We don't care who it is, wedon't want anyone to get access
(28:08):
to any data.
But it's also a sharedresponsibility model, because we
could build all the securityprotocols in the world and we
certainly try to have many, manylayers of security.
But if that attorney does notallow their IT team to turn on
two-factor and they have apassword, that's simple, it will
(28:30):
be compromised.
I mean the one thing about thehackers they listen to their
moms when they were kids andthey share, so after they pop,
you know 15 million accountsfrom TJ Maxx and 30 million
accounts from Target and youknow 150 million accounts from
Experian breaches or Equifaxbreaches or whatever.
(28:53):
They put all that data on thedark web and they share it.
Now they might charge for it,but they still share the data so
that the bad guys can say wellhuh, I see Dean's got a live
email account from 2004 and itlooks like he's got a PayPal
account and he's got a Robloxaccount for his kids.
(29:17):
Let's just try the samepasswords across those accounts.
I actually think I have like170 online accounts and so I try
to have a password strategy orpassphrase strategy so that
they're different.
But a lot of people don't eventhink about it.
They'll use the same exactpassword for their personal
(29:39):
email as their work email, astheir bank account, and all the
bad guys have to do is justfigure out okay, well, we know
this is his email.
Let's just try the last 30passwords we've seen from these
data breaches.
Try the last 30 passwords we'veseen from these data breaches
(30:04):
and invariably, if there's badhabits on the part of the
attorney, they're going to getcompromised and then whatever
they can see online is free game.
We take it very seriously andwe look at things like like are
two people logging into thisaccount at the same time from
different parts of the world?
That's a hard no right are.
Are they trying to get in?
Are they password spraying?
(30:25):
Are they brute forcing?
You know?
And and then by we all have oneof the best identity services,
protecting file vine andallowing customers to connect in
with their Azure AD or theirOkta IAM tool or ping, whatever
identity platform they use, sothat they can enforce the rules
(30:47):
that they want.
Like, we enforce four factorsor five factors on our employees
, depending on a risk-basedapproach, so that there's never
one thing that can be used.
You have to have them all insequence.
You have to be coming from adevice that we've issued you.
That device has to have a validcertificate.
(31:09):
You have to have the standardusername and password.
You have to have a multi-factorauth.
You must be coming from anetwork that we've seen before.
That we expect.
I mean, there's all thesedifferent things that make it so
that a bad actor, even if theystole a device, could not use
that device to do anything.
(31:30):
dola device could not use thatdevice to do anything, and so
that's the approach that we take.
Speaker 1 (31:38):
But many attorneys are just like no, I just
password 123 is good for me.
Here we go, yeah.
Yeah, I feel like that strategyof having sort of a philosophy
or a system that is the realreplacement for a password.
Right, if you can come up with.
You know, some people sort ofcome up with like a code, almost
like a cipher, that they couldremember so that you know and
(32:00):
that is really easy to rememberand you can apply it to so many
different phrases or so manypasswords.
But it's a simple fix, a simplesolution that a lot of people
really don't think about.
I'm sure the lawyers and theattorneys aren't really thinking
about.
So, around that, what are youdoing to educate your customers?
Because a lot of times theydon't know what they don't know
(32:21):
and as much as the technologycan help support them and you
can throw all the bells andwhistles at them, all the best
code, like you said, they mightdo something stupid because of
human error or just you can'tblame them because they're not
security experts.
So what do you do and what areyou doing to educate those
buyers, to ensure that thathuman factor, that human risk is
(33:04):
under control.
Speaker 2 (33:06):
Well, we do put a considerable amount of material
together.
We do webinars like these forour customers.
We also talk about, you know,email that goes out to our
clients with best practices.
We remind them aboutCybersecurity Month coming up
and other things to try and helpeducate.
We also have produced a largenumber of classes online called
(33:29):
Filevine University, where wetalk about the different things.
Here's how you should log in tothe platform.
You know, here are ways toproperly protect documents you
send out, because you canpassword protect documents you
send through Filevine.
You can time bomb them.
You can have a share link thatonly goes to employees.
(33:51):
I mean, there are a lot ofdifferent controls that are in
place, and then we even dothings like tell people look, we
are scanning your files withthree different scan engines for
malware technologies.
(34:12):
We don't rely on a single thing, a single control, because in
in a security world, no singlecontrol is foolproof and that's
super important to have theselayers of defenses yeah, it's
the underrated solution, whichis just educational information.
Speaker 1 (34:28):
I love that you guys have a file vine University,
because you can get ahead of alot of risks just by getting in
front of people and you knowshowing them how it's done.
All right, in the time that wehave left, I want to cover AI.
Right, ai is really big.
Everybody's talking about AI,ai, ai.
Okay, all right, we get it,it's important.
But how is Filevineimplementing AI and what are
(34:50):
your plans for the future?
Speaker 2 (34:52):
Yeah, well, to underscore what you said, not
only is AI important, ai iscritically important when you're
comparing documents and text,because AI is very, very good at
looking at text.
And then the way an AI modeltypically works is you'll take
text and you'll convert it intothese vectors.
(35:13):
These vectors go into databasesand then the databases are able
to use the LLMs to determineaccuracy and to create new
documents.
So if you have 30 years of, say, demand letters at your firm
and you have a folder of demandletters for State Farm and you
(35:34):
have a folder for demand lettersfor Allstate or whoever Farmers
Insurance, whoever it might be,and then you can sub-break out
okay, those demand letters forState Farm, I need the ones from
Florida and I need them fromthis particular circuit court.
So now you can basically saylike for like, we have 12 cases
(35:57):
involving this insurance companywhere their client was at fault
for this type of an accident,and here was the demand letter
that actually closed the deal.
Well, that would take a legalresearch team quite a bit of
time.
It's not uncommon for that tobe a four to six week exercise
(36:19):
and you might have an attorney,a couple of paralegals, a legal
researcher, and then you have tomake sure that they have access
to all of the different filefolders or cabinets or whatever.
However, you're storing it.
So we tell people, digitizeeverything you have ingested in
(36:40):
the FileVine and then let the AIin FileVine tell you what are
the awards that have beengranted.
What are the awards that havebeen granted?
You can ask it prompts or youcould just say here's 1,500
demand letters that apply tothis case.
Write me a new one, and the AIthat's been trained on private
(37:14):
data, not trained on thecustomer data is able to then go
through all of theirinformation, synthesize a new
demand letter and then we have alegal researcher, a demand
letter expert, that works atFilevine and then they do the
final review before it goes backto the firm.
So we're seeing it go from afour to six week period to a one
day or nextday service.
You can get that demand letterback.
So tremendous scale reduction,tremendous efficiency gains.
(37:39):
And that's similar, for we havean immigration product.
Typically, it would take fourto six hours to fill out an
immigration packet by anattorney, because it might be in
a hundred languages, it mighthave a hundred different types
of national IDs or passports.
So by using AI that'sspecifically tailored to
(38:01):
immigration.
We can get that.
We actually asked one of ourlargest immigration firms.
They can get that process downto under an hour per packet
immigration firms.
They can get that process downto under an hour per packet.
So again, now they can servicefour or five times as many
clients just by leveraging it.
And the great thing about the AIis it doesn't get tired.
It doesn't say no, I don't wantto go look at 10,000 pages of
(38:25):
case data.
The AI will do it.
It will look at it and then youcan say tell me the 10 most
important things about this caseor tell me what are the due
dates coming up.
What's our current strategy ona particular case?
The AI can become contextuallyaware and can then generate a
(38:48):
remarkable accurate, 90 pluspercent accurate product.
Most people are not 90 percentaccurate, let's be honest.
Particularly when it's laborintensive, when you're having to
read and synthesize a largeamount of written information in
a short time period, ai is verygood for that.
Speaker 1 (39:16):
How are your clients reacting to that AI shift?
Are they skeptical, are theyworried or do they completely
embrace it?
Speaker 2 (39:25):
I think they're always skeptical until they see
it work and they see the quality.
Speaker 1 (39:31):
And they know how it improves their revenue Exactly.
Speaker 2 (39:35):
Exactly Because public AI has a tendency to
cause hallucinations.
Public AI is largely creativeand less analytical.
We train all of our AI or tune,I should say, all of our AI
models to zero creativity and asmuch analytical comparison as
(39:56):
they can, and some of these AImodels are better than others.
So we use like four differentAIs with enterprise contracts.
So if we use the AI, the AI isnever going to keep their
information.
It's never going to put it intothe public domain.
It's immediately designed towrite the response back into
(40:21):
FileVine and then delete it frommemory so that there's no
customer data that ever leaves atrusted, secured environment
Excellent.
So that's one of the few thingsthat very few companies are
doing that and that's going tobe critical for the attorneys to
have a high confidence thattheir data, their client's data,
(40:42):
is not going to ever be exposed.
Speaker 1 (40:45):
How do you personally feel about AI?
Are you worried about anything?
Is there anything about AI thatkeeps you up at night?
Speaker 2 (40:52):
Well, I do worry, but I also feel for the legal space
.
It's going to make the biggestleaps and bounds to improve
legal services so that peoplewho are underserved today can
get the care, the legal carethat they need, and it should
drive the costs of certainthings down, like the cost to
(41:13):
get a goodwill right.
A cost to get certaindocumentation that's fairly
standard should drive that downconsiderably and it will allow
the attorneys and paralegals tofocus on work that needs more
experience and thought andprecedence that, frankly, only
(41:35):
humans can do really, reallywell right now that the AI
cannot.
But in the next 10 years it'llbe another discussion entirely.
I do believe you have to haveguardrails because we know there
have been cases where AI hasbeen bullying children.
It has said horrible thingsthat they should probably go
(41:59):
kill themselves.
So anytime AI, the AI wasannoyed because you know, in a
couple of cases, kids wereasking it questions and it
copped an attitude and startedattitude and started really
going off the rails.
So we have to be aware thatpublic AIs get poisoned.
(42:33):
And training and promptengineering and all the things
that we do.
We have data scientists, promptengineers, data warehouse
experts, modeling experts.
If you don't have those teams,then you're using it in a very
risky way.
But we put a tremendous amountof thought and we've been
working on it for about twoyears last question.
Speaker 1 (42:55):
So now that file vine basically has steroids injected
into it, that's basically theai.
The ai beefs it up right andit's doing all these marvelous
things and much better thanhumans can should is this going
to erase anyone's job?
I'm thinking specifically theparalegals.
(43:16):
What is something like Filevinethat is so powerful, that
delivers so much efficiency,doesn't get tired, doesn't sleep
, doesn't ask questions unlessit's been poisoned?
It's not messing with your kids.
Ask questions unless it's beenpoisoned.
You know it doesn't.
It's not messing with your kids.
What is that going to do tothose employees who it's their
(43:41):
bread and butter every day toget up and do a lot?
Speaker 2 (43:42):
of that manual labor.
I would say there's probably anintersection in the future
where that becomes more relevant.
I think today those paralegalscan leverage the technology to
do more work Right.
So it would allow their firmstoday to take on a greater
workload.
And because you still needqualified, skilled people that
(44:08):
can can take data out of contextor in context and fact check it
.
Sometimes the AI will do itsbest and it still isn't quite
there.
I would say speed and quantityare the AI's benefit.
Quality sometimes still takes astep back and that's where we
(44:29):
actually have to work with theclient to make sure that the
data science model is good fortheir particular use case, if
they're using it for somethingnew, because we have very
purpose-built AIs and if it'soutside of that purpose, you
still need really capable people.
So I would say it is going tobe a risk.
(44:49):
I don't know that it's a riskas much today, but this is
another reason why paralegals Iwould strongly encourage them
get tech savvy, do as much asyou can to upskill yourself,
because learning how to use thetechnology now you have a real
(45:10):
force multiplier, somebody who'sknowledgeable and skilled, that
can also use the technologybetter.
They're going to betterthemselves and better their
clients and ultimately help morepeople.
I think a lot of lawyers simplywant to help people through the
worst times in their lives andbe paid fairly to do so lives
and be paid fairly to do so.
Speaker 1 (45:30):
Dean Sapp says so at Filevine.
Thanks so much for being withus today and being so gracious
with your time.
And if people want to findFilevine and learn more about
you, follow you.
Where can they go to follow you?
Speaker 2 (45:43):
So they can go to Filevinecom to learn more about
the company.
We have a security section, sofilevinecom slash security.
You can see more of my contentthere, as well as on LinkedIn
and some of the other socialmedia platforms.
Speaker 1 (46:00):
Awesome.
Thank you for listening to thisepisode of Cybernomics.
If you want to find me, you canfind me on LinkedIn.
I'm most active on LinkedIn, sojust search for Josh Bruning
B-R-U-Y-N-I-N-G.
If you want to learn more aboutBruning Media and what we do,
check us out at bruningcom.
B-r-u-y-n-i-n-gcom.
Thanks for listening to thisepisode of Cybernomics.
(46:21):
Bye.
Speaker 2 (46:23):
Thank you.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Therapy Gecko
An unlicensed lizard psychologist travels the universe talking to strangers about absolutely nothing. TO CALL THE GECKO: follow me on https://www.twitch.tv/lyleforever to get a notification for when I am taking calls. I am usually live Mondays, Wednesdays, and Fridays but lately a lot of other times too. I am a gecko.