Tips and Trends Industry Advice and Developments

Cybersecurity Compliance: 4 Questions You Need to Ask

Cybersecurity is about risk management. Firms and legal departments feel pressure not only to protect confidential data for their clients but also to comply with information security and privacy laws such as Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR) and the forthcoming California Consumer Privacy Act (CCPA). These types of regulations have raised the stakes for firms in protecting confidential data.
James Harrison

Cybersecurity is about risk management. Firms and legal departments feel pressure not only to protect confidential data for their clients but also to comply with information security and privacy laws such as Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR) and the forthcoming California Consumer Privacy Act (CCPA). These types of regulations have raised the stakes for firms in protecting confidential data.

Here are four questions legal management professionals should ask to better promote cybersecurity compliance within their firm.

WHAT CYBERSECURITY REGULATIONS APPLY TO OUR FIRM?

Start with the baseline understanding that every law firm, including yours, has specific data protection laws and industry standards they must follow. Keep in mind that cybersecurity regulations and requirements evolve and change constantly, so it’s important to ask this question and evaluate on a regular basis.

To determine which laws and standards you should be compliant with, evaluate the type of data your firm handles on a day-to-day basis. For example, medical- or health care-related information can require compliance with HIPAA. Financial information can require compliance with the Gramm-Leach-Bliley Act (GLBA) and other banking or securities cybersecurity regulations.

Another consideration is the location of the person or entity whose data you hold. All 50 states have data breach response or cybersecurity laws, and they are updated frequently. Your firm should be compliant with the regulations in each state and country where individuals or entities whose personal data you have collected reside. If you have data on persons in California, New York or anywhere in Europe, pay close attention — their new data security and privacy laws come with significant penalties for noncompliance.

Finally, look at your client contracts for data security and privacy requirements. More companies are requiring their law firms to comply with specific industry cybersecurity standards ascribed by the National Institute of Standards and Technology (NIST), ISO 27001 and others.

To fully evaluate which federal, state and industry regulations apply to your firm, you may consider getting outside help from a cybersecurity compliance service provider. To keep things simple, it’s recommended that you establish a single information security plan with best practices that are common across these major regulations and industry standards.

HOW DO WE IDENTIFY OUR COMPLIANCE GAPS?

A good risk and compliance assessment will help you match up your firm’s current security and privacy practices with regulatory and industry standards. Some firms bring in outside consultants and spend days on in-depth administrative and technical analysis. But for most, using a third-party compliance self-assessment program with review and consultation by outside experts is a simpler, quicker and more affordable way to score your compliance and assess your firm’s risk level.

Your completed risk and compliance assessment should result in an executive summary detailing the things the firm is doing well and the specific areas that need attention. This report should also help you determine the potential financial risk to the firm should a breach incident ever occur.

While compliance assessments deal mostly with policies and procedures, you may also consider doing cybersecurity vulnerability testing at the same time to look for security problems and measure compliance against the technical requirements for your firewalls, websites and computers.

WHAT’S OUR PLAN TO GET AND STAY COMPLIANT?

If you can’t immediately answer this question, it’s time to focus your firm’s attention on creating a formalized, documented information security plan that ensures your firm stays on track. If you already have a plan, perhaps it’s time to reevaluate and update it.

Your plan should establish a clear directive that outlines your firm’s data security and privacy practices, including which members of the management team have oversight and enforcement responsibilities. Your plan should include not just what you will do to protect client data, but how. This should be a living plan with at least annual reviews and updates.

HOW DO I EXPLAIN THIS TO FIRM MANAGEMENT?

Knowledge is power. You may have to help create a narrative that frames cybersecurity compliance as a business issue — not just an IT issue — and a critical part of the firm’s reputation and success. Even a small data breach incident can result in significant reputational damage, financial losses and regulatory fines.

Notably, IBM Security’s 2019 Cost of Data Breach Report found that data breaches now cost companies an average of $3.92 million. The bottom line is that a single data breach incident brings enough damage and losses to tip the scales in favor of spending more time and money on cybersecurity compliance.

There are two things you can do to help make this a priority for the firm:

  1. Ask to form a cyber risk management committee, which should include the firm administrator, IT and HR managers and at least one managing partner.
  2. Spend a little bit of money to conduct a risk and compliance assessment and share the results with the executive team.

Tackling these four questions isn’t always easy, but it can cement firm administrators and managers as essential business enablers. Cybersecurity compliance can be complex and costly in today’s business climate without expertise and proper tools. But the right solutions make it simpler and more affordable to help you reduce risk and stay ahead of changing compliance requirements.

There are two things you can do to help make this a priority for the firm:

  1. Ask to form a cyber risk management committee, which should include the firm administrator, IT and HR managers and at least one managing partner.
  2. Spend a little bit of money to conduct a risk and compliance assessment and share the results with the executive team.

Tackling these four questions isn’t always easy, but it can cement firm administrators and managers as essential business enablers. Cybersecurity compliance can be complex and costly in today’s business climate without expertise and proper tools. But the right solutions make it simpler and more affordable to help you reduce risk and stay ahead of changing compliance requirements.