Law firms have long been known as a “soft target” for bad actors in the technology space. The amount of sensitive data that exists at a law firm is a treasure chest for hackers or bad actors – privileged communications, confidential financial data, nonpublic personal information are just a few of the examples. Public breaches of DLA Piper in 2017 or the other 100 law firms that have experienced breaches over the past few years show that the threat is real. Despite this reality, American Bar Association Legal Technology Resource Center’s ABA TechReport 2019 says lawyers are failing on cybersecurity.
By AJ Yawn, Cloud Security Expert
Like most large corporations and professional service entities, reputations in the legal profession are foundationally important to the firm’s profitability. There are several examples of events that can impact a law firm’s reputation, but few have the immediate and public impact as a data breach or cybersecurity incident. The nature of the information exchanged between an attorney and their client warrants the utmost protection. For this reason, it’s hardly a mystery why a law firm suffers a considerable reputational blow when their clients discover that their sensitive and confidential information has been pilfered and exposed to bad actors.
On the other hand, law firms are also growing cybersecurity and data privacy practices in service to their clients. According to BTI Consulting Group, “Cybersecurity & Data Privacy is the fastest growing practice of any area of law … this critical developing practice is demanding law firms be well-informed … and well-positioned.” A cybersecurity incident or data breach undermines law firms’ efforts to position themselves as leaders in cybersecurity and data privacy. Organizations of all sizes need strategic legal guidance on how to adapt to the evolving cybersecurity and privacy landscape. They need these services from a law firm that practices what they preach and implements the necessary cybersecurity processes required to protect sensitive data.
While this seems bleak and may not be new to anyone that has been following the cybersecurity and legal professions, there is a way forward for law firms and their clients to enable a culture of security in the legal space.
Clients are increasingly asking law firms to prove their security in a variety of ways. Law firms complete long security questionnaires and allow third-party auditors into their offices because providing proof that their client data will be secured is not nice to have, it is required. The problem with this method is the operational drain it places on your internal information technology teams or legal staff that manages vendor relations. Responding to each client’s questions or auditors can be draining and time-consuming.
Law firms have addressed the requirement to prove security to their customers by achieving the internally recognized ISO/IEC 27001:2013 certification. While this certification is a great way to establish an information security management system, it does not provide transparency to your customers regarding the exact practices in place at your organization. The deliverable of an ISO 27001 certification is a ‘certificate’ from a third-party with very little information about what exactly an organization has implemented to achieve that certification.
ISO 27001 is an internationally recognized standard that is valuable and should be pursued, this article is not discrediting that certification.
However, there is a better way for law firms to transparently demonstrate security to your clients. A report that describes what your information system is comprised of, the controls you have in place and whether those controls were operating effectively over a period of time.
SOC (or System and Organization Controls) 2 examinations were designed by the American Institute of Certified Public Accountants (AICPA) to help service organizations, like law firms, provide an independent assessment of controls at their organization relevant to the security, availability, processing integrity, confidentiality and privacy of the system. SOC 2 is a reporting framework that, unlike other frameworks, is less prescriptive and allows organizations to tailor their report to suit their needs and their customer’s needs.
During a SOC 2 examination, organizations are assessed against a set of Trust Services Criteria which are based on the COSO framework, which notes that “an organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve and formulate plans for achieving them.” This is the flexibility of SOC 2, the framework is not prescriptive in telling organizations how to implement security practices. The cybersecurity practices in each law firm will be different and need a flexible framework that can adapt to their technology or organizational needs.
According to the American Bar Association, 58% of lawyers are using cloud-based technology and interacting with SaaS or IaaS organizations that undergo SOC examinations. SOC 2 examination assists law firms with transparently displaying security in a manner that their vendors and customers understand. The contents of the report include a system description that describes the infrastructure, software, data, people and procedures that make up your law firm information system. The report also includes a list of controls the evaluated law firm has in place and the status of those controls operating effectiveness.
These external benefits of displaying security are ostensibly financially and reputationally clear. However, the most important aspect of a SOC 2 examination is that it requires law firms or other service organizations to establish and maintain a robust cybersecurity program that will protect their organization from data breaches or cybersecurity incidents.
About the Author
AJ Yawn is a cloud security subject matter expert that possesses over nine years of senior information security experience and has extensive experience managing a wide range of compliance assessments (SOC, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers. He has earned several industry-recognized certifications, including the CISSP, AWS Certified Security Specialty, AWS Certified Solutions Architect-Associate, and PMP. AJ is involved with the AWS training and certification department, volunteering with the AWS Certification Examination subject matter expert program.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.