Information Security in the Legal Industry
Regardless of what industry or professional service, most companies have sensitive information or client/customer data that should be protected. This means companies should seriously consider information security implementation.
For example, if you find yourself or your law firm justifying to an auditor following a data breach or security incident at your firm, or working from home, what reasonable measures you took as a firm to protect your leaked client data, then you should be prepared to consider the information provided within this article.
Spoiler alert, here are the lawyer disclaimers.
This is provided for information purposes only; do not rely on this as legal advice.
Do not act or refrain from acting on the basis of any content included in this article without seeking legal or other professional advice.
This is general information, and I could be completely mistaken.
I disclaim all liability for actions you take or fail to take based on this information.
This article does not create an attorney-client relationship between you and me or our company.
I am not responsible for the privacy practices of viewers or readers of this article.
As you know, there are a lot of frameworks, opinions, rules of professional conduct and best practices that govern a lawyer’s duty to protect information. The below frameworks, formal opinions and Rules of Professional Conduct set a high bar for lawyers to ensure that information is secure regardless of where it is located or how it is transmitted. And, this is not, by any means, an exhaustive list.
American Bar Association (ABA) Formal Opinion 483 and Rules of Professional Conduct (RPC) 1.4 requires lawyer must notify clients of the data breach in sufficient detail to keep clients “reasonably informed” and to make an informed decision regarding the representation;”
ABA formal opinion 477 – Information should have classifications of sensitivity and handled differently when transmitting over the internet. The opinion provides reasonable steps to protect against disclosures;
Washington State Bar Association (WSBA) formal opinion 2215 requires lawyers take reasonable care to ensure that the information will remain confidential and that the information is secure against risk of loss if a lawyer uses data storage systems to store and back up client confidential information i.e. in the cloud;
RPC 1.1 (competence) requires lawyers to stay abreast of changes in technology;
RPC 1.6 paragraph 18 – requires lawyers make reasonable efforts to prevent unauthorized disclosure; and
RPC 5.1 and 5.3 – requires lawyers properly supervise other lawyers and nonlawyers.
Even with best practices implemented employee negligence is the biggest cause of data breaches.
Considering the above rules and opinions, an auditor has fairly high expectations for how your firm reasonably implemented controls to mitigate the risk of disclosed confidential information. Here are some tips to mitigate your risk and inform your response to an audit after a security incident or to prevent a security incident in the first place.
What do I do to minimize unacceptable risk associated with information security?
Engage Pendulum Partners, Inc for Information Security consulting or ISO 27001 certification or implementation;
Download, read and implement the free guides found on WSBA’s website: Google “WSBA Cyber Security Guide”;
Read the formal opinions we cited and implement the guidance;
Buy the Cybersecurity insurance which is not usually included in malpractice insurance; it is an extra insurance, but it provides protection against data breaches.