Author: Andrew Christensen, Deputy Director of the Law Library, Washington and Lee University School of Law Library
In our digital age, where libraries increasingly rely on third-party platforms, maintaining strong data security and privacy practices is both a fundamental and a collaborative effort. This was a central message of the 2025 AALL CRIV Vendor Roundtable: Shared Responsibility—Navigating Security and Privacy in Library Technology. The virtual session on June 23 brought together security leaders from four major legal information vendors—Bloomberg Law, LexisNexis, Thomson Reuters, and Wolters Kluwer—to unpack the evolving risks libraries face and how institutions and vendors can work together to address them.
One of the most urgent topics was supply chain risk. Panelist Jennifer Swann, chief information security officer for Bloomberg Industry Group, reminded attendees that even with secure internal systems, vendors can still be exposed via third-party services—a lesson made infamous by the Target HVAC breach. To counteract this, institutions must go beyond checklists, developing comprehensive vendor vetting and risk assessment protocols that include policy reviews, testing history, and employee security training.
John Payton of Wolters Kluwer added that even with strong infrastructure, vulnerabilities and incident response remain daily concerns. As head of global security operations, he emphasized the importance of managing both technical vulnerabilities and human factors, reinforcing that quick detection and response are critical components of any defense strategy.
Human error remains a persistent concern, amplified by the rise of generative AI. Voice cloning, deepfakes, and hyper-targeted phishing campaigns were identified as growing threats. Senior directors Simon Weierman of LexisNexis and Jason Horowitz of Thomson Reuters emphasized the value of cybersecurity awareness training, urging libraries and vendors alike to prioritize education and simulated threat scenarios to help staff recognize and respond to sophisticated attacks.
The conversation also turned toward AI-related vulnerabilities, which are fast becoming the new frontier in cybersecurity. Both closed models like ChatGPT and open-source AI tools pose serious risks—from data privacy leaks to prompt injection attacks. The panel urged organizations to create strong data loss prevention (DLP) policies, tag and classify sensitive data, and adopt red-teaming practices to test AI behavior for unintended outcomes. Importantly, emerging tools now exist to help secure AI prompts and outputs before they create reputational or legal headaches.
In closing, the webinar made clear that tackling data security and privacy is not just an IT issue—it is a cultural one. By investing in both technical defenses and collaborative practices, libraries and vendors can create resilient systems that protect user trust and institutional integrity. As libraries continue to evolve in a digital-first world, so too must our approaches to safeguarding the tools and data that power them.
A recording of the CRIV Vendor Roundtable is available on the AALL eLEARNING platform, free to all AALL members.
