The legal industry is under attack by cybercriminals. Need a second reason to care about cybersecurity? How about this one? Your business depends on it. Clients work hard to protect their own data and their customers’ data. They expect the same standard of care from outside counsel and other legal services providers.
Security of customer, patient and employee personal data is serious business. Data breaches of personally identifiable information (PII) and protected health information (PHI) trigger various legal and regulatory obligations at both federal and state levels. Common requirements like consumer data breach notifications are onerous and expensive. Data breaches may also lead to substantial fines and open the door to civil suits.
To protect themselves from supply chain breaches, many companies now require their vendors – including legal providers – to respond to detailed, extensive security questionnaires. Some additionally demand vulnerability tests, periodic security audits and similar guarantees. Competition for legal work is fierce. Security questionnaires are an easy way to eliminate unqualified contenders.
Health care, financial services and other highly regulated sectors were the leading edge of this trend. Companies in all industries are requiring stronger data security protections from providers. They’re also allocating risk by aggressively negotiating data breach liability and indemnification provisions in vendor contracts.
Illustrative of this trend, the Association of Corporate Counsel in 2017 published Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information. The document’s stated purpose is to help in-house counsel set expectations with outside counsel and other legal service providers. Recommended baseline security controls include:
- Robust information security policies, procedures and an incident response plan
- Employee training and background screening
- Encryption, logical access controls and physical security
- Operational procedures and controls to ensure technology and systems align with applicable standards and certifications
- Continuous monitoring, annual vulnerability tests and breach reporting
If there’s a silver lining, it’s this: Cybersecurity is a business opportunity as well as a risk. Data security and its close cousin data privacy are fast-changing areas of law and technology. Clients are looking for lawyers and providers who offer informed counsel and practical guidance. Getting your own house in order is the critical first step.