As high-profile breaches continue to increase and flood the news every week, so does attention to the growing concern of protecting all types of data. Hackers have discovered that one of the easiest routes to a corporation’s data is through third parties.
In fact, law firms and accounting firms were labeled a “treasure trove” last year by countless articles and blogs, and the name has apparently stuck. As a result, clients and corporations have started placing an ever-growing list of demands on the firms that have their data to prove it is and will be secure. No longer is it commercially acceptable to tell your clients that their data is safe because your IT department claims it is. This applies to all sizes of firms. It’s the value of the clients’ data — and not attorney count — that drives the need for higher levels of security and attestation.
This produces a challenge that the U.S. legal community continues to struggle with, and rightly so. It’s not just about being secure anymore; it’s all about being secure in a demonstrable way. The inherent challenge becomes the definition and acceptability of what are commercially “reasonable” efforts for a law firm to protect data? This conundrum has spawned the demand for sound cybersecurity plans and policies and proven attestation strategies to defend and justify controls and practices for law firms. What becomes even more troubling is that firms need to prove their security measures to their clients, to auditors and regulators, insurance companies, law enforcement, and, potentially, to the public. Legislation and industry associations are chiming in, but they have not established a definitive baseline for what is “reasonable” in terms of controls or proof to protect data. Opinions vary greatly when comments are made about taking steps in the right direction with recent legislation such as the Cybersecurity Act of 2015, Cybersecurity Enhancement Act of 2014, National Cybersecurity Protection Act of 2014, and upcoming decision around the Cyber Intelligence Sharing and Protection Act and Data Security and Breach Notification Acts of 2015.
With all of the attention on this matter, there is still a common misconception that small firms or firms without healthcare or financial service-centric practices do not have a true need to develop a plan or attestation strategy. The fact is, although this is not a finite issue and not all firms require the same levels of attestation, no firm is too small to overlook or adequately address cybersecurity through “reasonable” efforts. Although there will be on average more requirements for evidentiary proof of security and demands placed on medium-sized and large law firms, firms of all sizes should address the issue proactively. Again, the size of the firm becomes somewhat irrelevant as it is based on their client base, practice areas, and the industries that they serve.
What should you do to prepare for your next attack and/or the next client’s request for proof of protection? Advice that I would give to a law firm who is struggling with this mounting challenge or to define “reasonable” effort for their firm would start with a few easy steps:
1. Talk to your clients and understand their regulatory requirements and their expectations of your firm.
2. Establish a baseline through vulnerability assessments and penetration testing in order to prioritize your plans.
3. Either get certified or at least map to an industry-accepted cybersecurity frameworks such as ISO 27001/02, NIST, PCI, etc.
4. Make sure that the practices and policies in place are manageable and “reasonable” in your clients’ eyes.
5. Deploy centralized managed endpoint security and institute automated patch management.
6. Encrypt your data.
7. Educate employees on their roles in security and the most prevalent threats.
8. Partition and limit data to only those who need access to it.
9. Ensure that you have a data backup system in place and periodically test your backups.
10. Have a plan in place before you need it.
Cybersecurity and attestation present a growing issue that has neither a definitive fix nor a resolution in sight. One of the key themes is not to try to win this war all on your own. If you need help, get help. There are a lot of experts, such as All Covered, the IT Services division of Konica Minolta, that understand your clients’ requirements and can help you with an in-depth understanding of true best practices.
Your goal should be to understand the threat and proactively prepare for the inevitable. With the right plan and help, you should be able to put your partners’ and clients’ minds at ease and focus on the practice of law.