Tuesday, July 8, 2014

Jason Atchley : Data Security : Law Firms Respond to Security Risks in Client Data



Law Firms Respond to Security Risks in Client Data

After being dubbed the "soft underbelly of American cybersecurity," law firms embrace robust security programs.
Law Technology News

In February 2013, Joe Patrice wrote in Above The Law that law firms were the “soft underbelly of American cybersecurity.” Today, it is safe to say that many law firms across the U.S., Canada and Europe take exception to that characterization. Why? In part due to the efforts of individual firms to adopt ISO 27001 security standards or implement more robust security programs, including information security education.
Also in February 2013, the former special agent in charge of cyber and special operations with the FBI’s New York office, Mary Galligan, stated, “We have hundreds of law firms that we see increasingly being targeted by hackers.”
There isn’t one single law firm CIO or IT director who doesn’t understand the weight of these statements. Many large law firms have actively engaged in internal and external initiatives to fight security threats. And many midsize, large, and international law firms are actively participating in the International Legal Technology Association’s LegalSEC initiative, which provides the legal community with guidelines for risk-based information security programs that are achievable, measurable and mature.
LAW FIRM SECURITY AUDITS
At the June 2014 LegalSEC Summit, held in Lombard, Ill., representatives from two large financial institutions spoke on a panel about the industry’s expectations for security in legal services and the security audit process.
Law firm clients in the financial services industry heavily scrutinize their outside counsel with vendor security audits. Governed by the Office of the Comptroller of Currency and the Federal Financial Institutions Examination Council in compliance with the Gramm-Leach-Bliley Act, all law firms who have financial institution clients are required to respond to a comprehensive security audit.
The audit process is detailed, and in many cases includes questionnaires with several hundred questions, on-site interviews and/or on-site physical security assessments covering everything from hard-copy file security to data center security.
Why does this matter? For the first time in the history of our industry, we find ourselves in a position where we not only have to provide highly detailed information about our security programs but are also required to remediate any risks identified in the audit process. The end result for many firms is to redirect efforts and funds to security-based projects and policies, including security education programs, resulting in a battle for resources.
NO INDUSTRY IS IMMUNE
No industry is immune from the threat of cyber-espionage. For example, on July 2 CNN Money reported that Russia had hacked into Western oil and gas companies, infiltrating the computers at power plants, energy grid operators, and pipeline companies and industrial equipment makers.
Make no mistake, law firms must adopt a mature security posture to protect their clients, and in doing so will satisfy many of the requirements outlined by the financial services industry as prescribed by current legislation and governing bodies.
Back to the “soft underbelly”: the security services industry continues to engage with law firms to assist them in both understanding and mitigating risk. In May 2013, Symantec Corp. and Ponemon Institute presented a report, "2013 Cost of Data Breach: Global Analysis," which revealed the total cost of data breaches in the U.S. amounted to $5.4 million and, in Germany, $4.8 million. In 2013, Traveling Coaches introduced its OnGuard Security Awareness program, which has been adopted by a number of Am Law firms.



Read more: http://www.lawtechnologynews.com/id=1202662139978/Law-Firms-Respond-to-Security-Risks-in-Client-Data



