What Do Lawyers And Celebrities Have In Common?

For large law firms and celebrities alike, cybersecurity compliance is now a business necessity.

Besides their good looks and fame, they’re also increasing their focus on data security. In the wake of “Celebgate,” the Sony Pictures hack, and nearly daily data breaches targeting everyone from massive corporations to individuals, law firms are finally recognizing the importance of bringing their cybersecurity policies up to speed.

During the 2014 American Bar Association (ABA) Annual Meeting, delegates overwhelmingly voted in favor of a cybersecurity policy for law firms. The policy encourages lawyers to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable (and emerging) ethical and legal obligations. The cybersecurity program should also be tailored to the nature and scope of the organization and the data and systems to be protected.

A program for cybersecurity is desperately needed in law firms. In the ABA’s 2014 Technology Survey, 13% of law firms had suffered a security breach in their IT, and another 25% could not tell if they had a breach. Close to 45% of firms had computers infected with spyware. Law firms have become easy targets for computer hackers due to lax investment in technology and IT personnel, poor understanding of security best practices, and fragmented self-regulation.

Clients are noticing that their confidential information may not be safe with law firms. In the “2014 U.S. State of Cybercrime Survey” by PricewaterhouseCoopers, 59% of respondents said they were more concerned about cybersecurity this year than in the past. Recently, big banks have begun subjecting outside law firms to security audits before entrusting case files to them. This was after the superintendent of New York state’s Department of Financial Services sent a letter to dozens of banks requesting information on security risks relating to law firms and other third parties. Law firms working for these banks now have to invest in technology and software upgrades, document compliance procedures, and hire staff to maintain systems and train lawyers and employees on minimizing risks.

Boutique law firms will also be feeling the need for cybersecurity compliance soon.

Regulations are starting to impose duties relating to the storage and processing of private information on many industries, with lawyers being caught up in these new rules. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the uses and disclosures of protected health information maintained and transmitted by covered entities. Law firms that have protected health information in their case files, due to working with a covered entity, must use “appropriate safeguards” for the protected information as a contracted business associate. If you are a lawyer handling personal injury cases, workers’ compensation claims, veterans’ affairs claims, or Social Security disability claims, the electronic medical records in your case files have become a cybersecurity vulnerability.

Real estate law is another practice area having to adjust to new cybersecurity compliance regulations. The Consumer Finance Protection Board issued Bulletin 2012-03, requiring “supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships.” This means that mortgage lenders must now monitor their third-party vendors’ compliance with federal consumer financial laws. In response to this regulation, the American Land Title Association (ALTA) created a system of best practices that it advises real estate closing lawyers and title companies to implement. The ALTA Best Practices document recommends that firms adopt and maintain a written privacy and information security program to protect non-public personal information as required by local, state, and federal law. If you are a law firm handling housing escrow funds or a title company that does the same, you may now have a cybersecurity compliance burden if you want to work with lending banks.

In addition to industry regulations, states are beginning to enact data privacy laws. California continues to lead the nation with an expansive data breach law, protections for the personal data of K-12 students, and a new law giving minors a limited “right to be forgotten” in the online realm. For law firms that operate in California or process its residents’ personal information, maintaining compliance with California’s growing body of privacy law is a necessity.

With this growing body of statutes and regulation, a lawyer’s duty of confidentiality is now extending beyond an ethical obligation enforced by bar associations. Protection of client data now has many enforcers, and potential pitfalls abound.

Law firms should begin looking at their activities surrounding their data and the technology that they use to access it. Each firm should undertake a data audit to identify and close vulnerabilities and enact policies to prevent new ones from emerging.

Such policies include:

  • Maintaining up-to-date technology and software;
  • Utilizing logging tools and reviewing the logs frequently;
  • Undertaking employee training on two-factor authentication, clean desk standards, and strong passwords; and
  • Resetting passwords and technology authorizations quarterly.

Such policies are a necessity for law firms as more data becomes stored and passed electronically. Cybersecurity is now a requirement for legal work.

Law firms wanting to learn more about practices for protecting their email threads, client data, and “confidential” pictures are welcome to join the seminar, Cybersecurity for Law Firms, where these policies, NIST cybersecurity standards, and issues of cybersecurity insurance will be discussed.


Joshua Lenon is the Lawyer in Residence at Clio, an intuitive cloud-based legal practice management solution. An attorney admitted to the New York Bar, Joshua brings legal scholarship to the conversations happening both within Clio and with its customers. He can be reached at joshua@clio.com.