In light of the legal and ethical obligations that lawyers face to protect their clients’ data, defining the exact scope of what those protective measures are can often be challenging. In some cases, statutes and regulations define that standard in terms of positive results to be achieved, such as ensuring the confidentiality, integrity, and availability of systems and information. In other cases, that standard is defined in terms of the harms to be avoided – for example, to protect systems and information against unauthorized access, use, disclosure, etc. In some cases, the standard is not defined.
Regardless of the approach, meeting this standard and achieving these objectives involves implementing appropriate physical, technical, and administrative security measures. So, where do law firms begin? Although no definitive cybersecurity regulations or standards have yet to be established, the American Bar Association has begun to develop standards for “reasonable” security.
That standard rejects requirements for specific security measurements (such as firewalls, passwords, etc.) and instead adopts a fact-specific approach to business-specific security obligations. These requirements include a “process” to assess risks, identify and implement appropriate security measures responsive to those risks, verify effective implementation of the measures, and ensure that they are continually updated as the industry continues to develop.
Below are the top ten considerations that the American Bar Association recommends law offices, regardless of size, adopt and implement in order to improve their security posture:
Practical Considerations: A Top Ten List
- Identify the data you have
Identifying the data you have (including yours, your clients’, data obtained during due diligence or discovery) and understand where it is stored, how it can be accessed, and how it is used
- Evaluate the risks to the data you have
A risk assessment is the process of identifying vulnerabilities and threats to the information assets used by the business or firm and assessing the potential impact and harm that would result if the threat materializes. This forms the basis for determining what countermeasures (i.e., security controls) should be implemented to reduce risk to an acceptable level.
- Develop a written information security program
Based on the results of the risk assessment, businesses should design and implement a security program consisting of reasonable physical, technical, and administrative security measures to manage and control the risks identified during the risk assessment. The security program should be designed to provide reasonable safeguards to control the identified risks.
- Oversee third party service provider agreements
If you use third parties (e.g., providers of cloud services or outsourcing services) to store or process the data, take appropriate steps to make sure that they adequately protect the security of the data you entrust to them.
- Review and adjust the security program
On a regular basis, reevaluate the risks you face and the adequacy of your security program, and adjust the program as necessary.
- Ensure you are in compliance with regulatory frameworks
Determine which data (yours, your clients’, data obtained during due diligence or discovery) is subject to which laws and regulations (including special sector-specific regulations such as GLB or HIPAA) and be sure you handle it in accordance with any special requirements in those laws and regulations.
- Provide Training and Education
Recognize that other lawyers and staff within the firm can be a weak link and provide appropriate training and awareness-raising reminders for all lawyers and staff.
- Develop an incident response plan that covers the data you have
Plan for taking responsive steps if the business suspects or detects that a security breach has occurred; such steps include ensuring that appropriate persons within the organization are notified of the breach, that prompt action is taken in responding to the breach (e.g., stopping further information compromise and working with law enforcement), and that persons who may be injured by the breach are appropriately notified.
- Implement appropriate data security measures
Keep in mind that laws and regulations governing data security may apply to all of the data in your possession, independent of ethical obligations specifically applicable to lawyers.
- Security is a process
Remember, security is a process and is never complete, so you must always remain vigilant for new threats.
Through the implementation of the above practical considerations, lawyers can be assured that their cybersecurity posture will continue to improve, all while increasing compliance with cybersecurity regulatory guidelines.
Vivitec can assist you with interpreting these guidelines to ensure you’re meeting your ethical obligations to safeguard information while ensuring you’re implementing the practical steps necessary to protect you and your firm from cybersecurity threats.
Post provided by Vivitec.