Seventeen years ago, Harvard Business Review posed a frank and compelling question: Can You Trust Your Law Firm? The article explored the need to hold law firms accountable for their legal advice. But today companies can add another important query: Can You Trust Your Law Firm with Your Data?
Unfortunately, for many legal practices, especially smaller firms, the answer is, not necessarily. According to a survey of small firms by the American Bar Association:
- Adoption of the most commonly used security tools ranged from anti-virus (75%) to training employees on cybersecurity (25%), and many firms using Apple products believed that simply choosing that operating system was protection enough.
- When assessing their law firms’ preparedness on a scale of 1 to 10, with 10 being fully prepared and 1 being not prepared at all, the average response was 3.5.
- 36% of firms reported they simply did not know what they could or should do to protect data.
Cybersecurity and Data Protection and Privacy Laws on the Rise
Surprisingly, law firms are not subject to one overriding set of regulations around data privacy and security — yet. Generally, compliance laws only apply in specific instances, such as when cases or clients are subject to healthcare’s HIPAA, Europe’s GDPR privacy requirements or the payments industry’s PCI-DSS. But within the legal practice community, there is growing awareness that a firm’s fiduciary duty to its clients likely extends into ensuring their sensitive data remains secure, thanks in part to a growing list of incidents, such as the exposure of the Paradise and Panama Papers.
Experts in data privacy, data security, and the law predict such regulations are just a matter of time. Already, certain law firms are sure to be subject to the impending California Consumer Privacy Act of 2018, even if they’re in New York, New Jersey or some other state. These will add legal penalties on top of already considerable risks stemming from a potential breach of client data.
Multiple surveys suggest law firms lag in their cybersecurity measures in large part due to lack of resources and expertise. IT is notoriously underfunded in law firms, making it difficult to carve out resources devoted specifically to cybersecurity. Law firms are aware of these gaps. According to a recent study, among US law firms, cybersecurity jumped from sixth place last year to first, tying with pricing as these firms’ top challenges.
Achieving Cybersecurity Compliance in the Small Law Firm
Unfortunately, most law firms are hard-pressed to address these challenges on their own; the cost of hiring in-house cybersecurity staff and acquiring all of the technology and ongoing services needed for state-of-the-art cybersecurity is prohibitive for all but the largest firms.
This is precisely why we launched Partners in Regulatory Compliance (“PIRC”) – to help small and mid-sized law firms meet their duty to their clients and get ahead of likely legislation. PIRC will bring the best resources to bear to help these firms access much-needed consulting expertise as well as cybersecurity assessment, testing, training, and policy development services. Law firms can also engage PIRC for Chief Information Security Officer (CISO) as-a-service, attaining the reassurance of having an expert at the helm of their cybersecurity efforts without the substantial investment. PIRC will collaborate with Exigent Technologies staff to deliver this array of services.
Threats to the security of sensitive client data are rising fast, and regulations to protect it are sure to follow. With PIRC, small law firms in the greater NYC area can protect themselves and their clients from the significant risks of a breach. To learn more about PIRC, visit the new website at www.piregcompliance.com or email firstname.lastname@example.org. Like us on Facebook at www.facebook.com/partnersinregulatorycompliance.
Interested in keeping up with the latest in Cybersecurity for your small legal practice? Subscribe to our cybersecurity podcast, “Privacy by Design”.