Law firms have become a major target of cybercriminals, making the protection of confidential information a major responsibility in the business of law. Firms now face increasing pressure from both clients and regulators to demonstrate they have implemented a current information security plan and are compliant with specific best practices for protecting against and responding to data breach incidents. This course will help legal management professionals better understand the risks, regulations and the important leadership role they have in cyber risk management within the firm.
LAW FIRMS TARGETED
Law firms are an attractive target for cybercrime because they handle sensitive information that is worth a lot of money on the underground black market. A recent American Bar Association survey revealed that one in four law firms with over 100 attorneys have suffered from data breaches. Moreover, 52% of firms with 10 to 50 attorneys reported having had one or more cyberattacks or breach incidents — more than twice the rate of larger firms.
Making these statistics worse, the cost of recovering from even a small data breach incident continues to rise to potentially catastrophic levels. The 2019 Ponemon Institute Cost of a Data Breach Report shows the average cost for a small business to recover from a data breach incident is now $2.74 million. Loss of clients was one of the single biggest cost factors in the report. The bottom line is that a single data breach incident brings enough damage and losses to tip the scales in favor of spending more time and money on cyber risk management efforts.
The Ponemon report also revealed that 54% of breaches are due to malicious or criminal attack. Meanwhile, 25% are due to system glitches and IT problems, and 24% are due to employee error or negligence.
Firm administrators and executive management should be aware of these evolving threats and must be proactive in managing this unavoidable risk. In today’s digital age, preventing data breaches and maintaining a formalized information security plan has become an essential business management practice for law firms.
MANAGEMENT OVERSIGHT
Cyber risk management is an ongoing process and requires input and oversight from firm management. Information technology (IT) managers certainly have a vitally important role to play in safeguarding electronic data and preventing cyberattacks. But executive involvement and oversight are now a must. Under federal and state laws, executive management is responsible for data security and privacy efforts, including proper response to security breach incidents.
It is highly recommended that firms create a cyber risk management committee, including the firm administrator, chief operating officer (COO) or executive director, the IT and HR managers, and at least one managing partner. Contrary to what most think, this committee and management responsibility typically is not led by an IT manager but by a legal management professional or administrator who has high-level visibility and reach into all operational areas of the firm. For most legal managers, this new area of responsibility is an opportunity to grow and expand, becoming more valuable to the firm.
For legal management professionals, the basics of good cyber risk management include:
- A basic understanding of cybersecurity compliance requirements.
- The development and implementation of an organization-wide information security plan.
- An ongoing commitment to keep the firm current and compliant with evolving data security and privacy standards.
CYBERSECURITY COMPLIANCE
Start with the baseline understanding that every law firm must comply with one or more specific data security laws or standards. This depends on the type of client data collected or handled by the firm as well as the location of the persons or entities whose information is handled. Ignorance of these regulations and standards is not defensible.
Federal Laws
There are multiple federal data security and privacy regulations that could apply to a law firm. Most commonly, medical- or health care-related information can require compliance with HIPAA-HITECH. Financial data can require compliance with the Gramm-Leach-Bliley Act (GLBA) and other federal banking or securities cybersecurity regulations. While firms are not considered “covered entities” under these laws, they are required to adhere to these standards as a “business associate” or service provider to client organizations in the health-care or financial services industries. Failure to comply can result in significant fines and penalties in the wake of a data breach incident.
State Laws
All 50 states have cybersecurity or data breach response laws that apply to any business collecting information on residents of their state. While a firm may have office locations in only one state, it must comply with the laws of every state in which it collects data on persons or entities. The most notable of these more recent laws include the New York Department of Financial Services Cybersecurity Regulation and the California Consumer Privacy Act (CCPA).
International Laws
Virtually all major international markets and countries now have cybersecurity and data privacy laws. Most notable among them is the General Data Protection Regulation (GDPR) from the European Union. Firms that collect or process data on citizens in any of the E.U. nations must comply with this law that mandates consumer privacy protections. Penalties for noncompliance are stiff and enforcement bodies within the E.U. have investigated and fined thousands of organizations around the globe.
Client Requirements
Law firms face increasing pressure from clients to demonstrate compliance with cybersecurity laws and specific industry standards such as NIST, ISO 27001, SOC 2, FFIEC or others. Compliance with data security and privacy language in client contracts and successfully responding to cybersecurity questionnaires has become an important part of the business of law today.
Indeed, more firms are receiving information security audit requests or security assessments from key clients. Depending on the type of information the firm handles, these security assessment requests can follow one or more regulatory or industry security standards including HIPAA, GLBA, SOC 2, ISO 27001 or others. Some clients are also requiring on-site audits, forcing firms to show higher levels of compliance and documentation. While it may be tempting to hand off these assessment questionnaires to an IT manager, most of the assessment questions are not IT related and involve HR, facilities and other areas of firm management. Gone are the days of cybersecurity simply being an IT issue.
Legal managers should ensure that the firm is ready to respond to these types of security assessments and effectively demonstrate that they have implemented and maintained a formalized information security plan that meets minimum standards.
INFORMATION SECURITY PLAN BASICS
Firms should establish and uphold a comprehensive information security plan, which provides a framework of data security policies and procedures. The plan should meet minimum government and business standards for safeguarding protected client and employee data against exposure, loss or theft. It should meet the needs and objectives of the firm and be manageable by the firm’s cyber risk management team. The plan should include at least these main components:
1. Management Responsibilities
While information security and privacy are the responsibility of all personnel within a firm, a successful information security program requires a commitment from top management to proactively build a culture of security and enforce the firm’s information security plan. The plan should outline management responsibilities for implementing and maintaining data security and privacy objectives. The primary duties of top management include:
- Defining the firm’s security strategy and objectives.
- Assigning relevant roles and responsibilities.
- Allocating sufficient financial and human resources.
- Responding to breach incidents.
- Promoting a culture of security within the firm.
2. Risk and Compliance Assessments
Conducting a comprehensive cybersecurity risk and compliance assessment is not only a best practice, it’s a common requirement in all government and industry cybersecurity standards. Assessments should identify potential threats and vulnerabilities while evaluating the current level of compliance with regulatory requirements, client expectations and industry best practices. Firms should complete an assessment at least annually. It should also be done in response to security incidents or upon changes in geographic market, regulatory environment or firm operations.
3. Technical Safeguards
Reasonable and appropriate cybersecurity protections and vulnerability management systems should be in place to protect against growing internal and external threats to confidential information. Firms should determine what technical safeguards are reasonable and appropriate to their size and scope of business and ensure they meet minimum industry and regulatory cybersecurity standards. Examples of technical safeguards include vulnerability testing, computer and network security, intrusion detection systems, IT asset inventory controls, access rights management, encryption, data backup, and employee computer and mobile device security policies.
4. Physical Safeguards
The firm’s security plan should include measures to prevent unauthorized physical access to buildings, offices, computer equipment and confidential paper documents. At a minimum, firms should consider including policies and procedures for office/building security, document storage, and secure document and equipment disposal.
5. Security Awareness Training
Employee error and negligence are among the leading causes of data breach incidents. Firms should have a formalized cybersecurity awareness training program in place to ensure all personnel, including management, receive ongoing training on the latest information security best practices.
6. Third-Party Risk Management
Third-party service providers, vendors and business associates who have any access to protected client and employee information can be a serious security risk to the firm. Third-party risk management is also often referred to as “vendor risk management.” To mitigate information security risks from third parties, the firm’s strategy should include measures to assess the cybersecurity readiness of vendors and service providers. Firms should also establish an information security agreement with these third parties that outlines minimum acceptable data security standards and incident response steps.
7. Privacy Rights Management
Newer laws such as the GDPR and CCPA require firms to be prepared to make additional disclosures to clients about the firm’s personal data collection practices, the use of the information and to whom the information is disclosed. To be compliant, firms must be able to:
- Locate and deliver specific information in a timely manner.
- Identify contracts that may constitute a sale of data under new broad definitions.
- Have established specific policies and procedures, including but not limited to protection against discrimination of individuals who exercise their privacy rights and opt out of the use of their personal information.
8. Business Continuity
Adverse or disruptive events such as natural disasters, power failure, ransomware and other denial of service attacks, or even widespread hardware failure can create a variety of information security risks and can render client information inaccessible. To follow industry best practices and meet regulatory requirements, the firm should have a business continuity plan (BCP) in place. At a minimum, this includes policies and procedures for data backup, system and data recovery, and the security and availability of client information during adverse or disruptive events.
9. Breach Response Plan
With law firms being targeted by cybercriminals, it is almost certain that every firm — no matter its size and sophistication — will experience information security problems or data breach incidents that put clients and the firm at risk. Timely and appropriate response to even a small data breach incident is critical in order to meet U.S. and international regulatory mandates.
To minimize reputational, legal and financial risks, firms should have a formalized breach response plan, including at least:
- Incident response team duties
- Breach discovery and containment procedures
- Reporting to authorities
- Communications and PR strategy
- Victim notification and remediation
- Post-incident review, correction and training
REVIEWS, UPDATES AND REPORTING
Cybersecurity risks are evolving and growing at unprecedented rates. To keep current and stay compliant, it’s necessary to conduct regular reviews and updates of the firm’s data security and privacy practices. Among other things, this includes regular vulnerability testing and updates to the employee training program and information security plan.
Firms should assess, review and update their overall information security plan at least once a year, after a data breach incident, or when significant changes to business operations or regulations occur. Examples of changes to business operations could include firm merger or acquisition, the opening of new office locations or geographic markets, or special cybersecurity requirements from a key client. New or updated U.S. federal and state laws or international data security regulations may also necessitate a review of the firm’s security plan.
The information security plan review and update process should include:
- Conducting a full risk and compliance assessment based on current regulatory requirements and industry best practices.
- Identifying and addressing newly discovered security risks or gaps in compliance.
- Updating the information security plan to document and incorporate necessary changes to policies and procedures.
- Training on new policies and procedures for executive management and employees.
Management Reports
To help firm executives and partners meet their obligation to effectively manage cyber risks, legal management professionals should be prepared to provide the executive team with regular reports that summarize the firm’s current efforts to follow its information security plan and meet minimum regulatory and business standards. These types of risk and compliance reports are typically preceded by a scheduled review and assessment process. There are programs and tools available that help simplify and automate these regular reviews and management reporting.
AN ONGOING COMMITMENT
With the escalating data security threats against law firms, cyber risk management has become an essential function in successfully managing law firms large and small. To be sure, businesses, government agencies and other organizations are demanding their legal counsel stay current with the latest data security and privacy best practices. Government cybersecurity regulations will continue to evolve, and the pressure to be compliant will continue to mount.
Cybersecurity and compliance shouldn’t be looked at as a necessary evil. Rather, it’s an opportunity to become more forward-thinking, increase client trust, and help mitigate financial and reputational damages that inevitably come with even small data breach incidents. The cost of implementing an information security plan can be substantial and should be managed just like any other significant budget item.
It’s important to remember that cyber risk management is an ongoing process and commitment. Information security is more than security software, and compliance is not a onetime event. Managing cyber risks and staying compliant is an ongoing process of assessment and implementation of proper safeguards, followed by consistent training and improvement. It’s vital that the firm stays current with the latest protections and best practices to protect its clients and meet the changing threat landscape.
With their consistent involvement and reach into most or all operations of the firm, legal management professionals are best suited to lead the firm’s cyber risk management effort. This is an incredible opportunity to expand skills and become more valuable to the firm. With the help of outside experts, and by embracing the training, tools and resources available today, legal managers can quickly become prepared to lead and manage the firm’s information security plan and cybersecurity compliance tasks.