What Compliance Obligations is Legal Contending With?
What Does Compliance Look Like in the Legal Industry?
Here’s what’s interesting about compliance in the legal industry: law firms regularly house some of the most sensitive data there is, including electronic protected health information (ePHI), intellectual property and patent information (IP), personally identifiable information (PII), and financial information, as Law Technology Today reported. Yet, as CSO by IDG explained, they aren’t necessarily subject to a specific security standard such as SOX, HIPAA, PCI DSS, or FISMA.
Generally speaking, if a law firm processes credit cards or stores sensitive health information for a client, then PCI or HIPAA will kick in, but a compliance mandate designed specifically for law firms has surprisingly not yet been put into place. Here’s where the legal industry differs from, for example, healthcare: what matters is not so much the compliance regulations that law firms are subject to themselves, but the compliance regulations their clients are subject to, and those could range from any of the standards mentioned above to ISO 27001, NIST SP 800-53, or Gramm-Leach-Bliley. Thus, it’s critical for law firms to fully understand the compliance requirements of their clients, and how those requirements flow down to the firm as a consequence.
Responding to Legal-Specific Challenges
While legal organizations aren’t necessarily subject to compliance regulations aimed at the nuances of their industry, they still handle highly sensitive data and need to take every precaution to protect it. So it’s not so much the challenges of compliance itself that are the concern; it’s the consequences of what would be considered noncompliance, given the kind of information the legal industry deals with.
CSO reported on a survey carried out by ALM Intelligence, which revealed:
- Nearly 10% of law firms have not performed a formal information security and privacy assessment.
- Most law firms view cybersecurity as an IT issue, not a business issue.
- Over 55% of firms have established a cybersecurity practice, or have plans to create one.
It would seem, according to the research, that legal organizations are aware of the implications of failing to take proper precautions, depending on the compliance requirements they and their clients are subject to. Fortunately, all but 10% have performed security and privacy assessments, and half have some form of a cybersecurity practice in place. On the grim side, many firms perceive cybersecurity as an IT concern rather than a business concern, which is a major misstep.
It’s no secret that a data breach causes irreparable damage, especially for legal firms and, by extension, their clients:
- Major PR disaster
- Brand reputation damage
- Financial damage
Given the nature of the industry, these damages are compounded considerably in the event of a breach. Consider the Panama Papers, reported on by the New York Times: leaked from the Panamanian firm Mossack Fonseca, the documents exposed the suspicious financial activities of business leaders and international politicians. Needless to say, the gravity of this kind of event is not something a legal organization can easily recover from; the stakes are too high.
It’s a risky landscape, but there are ways to mitigate the risk. Using a colocation facility is an excellent way to offload the risks of maintaining an in-house data center, especially if the data center provider is seasoned in compliance. The industry-wide need for file-level encryption can also be met by the right data center provider.
Security and access controls, both physical and logical, are good protection measures as well. IT environments should have intrusion detection and prevention (IDS/IPS) services and centralized log management.
Any law firm that doesn’t have a formal cybersecurity program should engage a reputable third party to carry out a risk assessment, CSO suggested. A full assessment should inventory the data types the firm handles and the security and privacy obligations attached to each: government data, HIPAA-covered health information, intellectual property, credit card data, and any other variety of data a particular firm deals with. Every kind of data is subject to different privacy and security laws. Operationalizing the NIST Cybersecurity Framework is also worth considering. Since there’s no comprehensive program specifically for the legal industry, a general framework such as NIST’s would work well for a legal organization that wants to cover all its bases for data, technology, and associated risks.
Finding the Right Compliance Partner
Working with an IT partner that specializes in compliance is a worthwhile consideration for law firms. The risk landscape is too hostile to gamble with, and given that a firm could be affected by any requirements its clients are subject to, having a proven third party to count on is key.
If your legal organization is interested in achieving and sustaining a compliant state in your technology practices, Peak 10 + ViaWest can help. We believe in a shared responsibility model for IT compliance, and our experts are available to answer your questions and explore your IT compliance practice. Visit www.peak10.com/contact-us or call (866) 473-2510.