Office 1

How Managed Security Services Can Keep Law Firms Compliant

Written by Curtis Buhrkuhl | February 11, 2020

Compliance has become a top priority for businesses of all kinds, and it requires participation and teamwork from employees in every area of the business. One of the challenges the legal industry faces today is maintaining the necessary level of data security while keeping that data readily available to those who need access to it.

In 2016, some of the most prominent law firms in the country, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, had their computer systems hacked, and some confidential information linked with insider trading was stolen. As a consequence of these data breaches, more and more current or potential clients have demanded access to cybersecurity proposals and prevention procedures.

 

As a matter of fact, according to the 2016 ABA Legal Technology Survey Report, 30% of law firms in the nation and 62% of law firms with more than 500 lawyers have disclosed that clients made specific security conditions a part of their client agreements. Staying compliant with all these demands is no easy task, especially with the weight of all the other burdens of the industry falling on one's shoulders. By far the smoothest and most accessible way of staying compliant is to use managed security service providers (MSSPs).

 

What Do Managed Security Service Providers Do?

A managed security service provider (MSSP) is usually a third party engaged for the oversight and management of an enterprise’s security processes. MSSPs are responsible for:

  • Engaging services internally and remotely, using backup and data encryption through platforms like the cloud.
  • Exploring different avenues of security services.
  • Establishing infrastructure through security management.
  • Conducting security audits.
  • Responding to and investigating incidents such as data breaches.

 

Staying in Compliance with State/Federal Regulations

For law firms, staying in compliance is a jungle of complexity. Navigating the dense zoo of laws and regulations while avoiding steep penalties can be quite the crusade. Remaining in compliance with federal regulations and laws is not an easy task for law firms. For one thing, Congress implements hundreds of laws annually. New regulations constantly replace existing ones and oftentimes add layers of compliance intricacy. Unfortunately, cybersecurity practices are not directly regulated by the federal government, although specific legalities and the varied demands of clients in distinct industries are subject to federal cybersecurity regulations.

 

So the practice of the law firm determines the regulations that the firm has to abide by and stay compliant with. Healthcare institutions (1996 Health Insurance Portability and Accountability Act (HIPAA)), financial organizations (1999 Gramm-Leach-Bliley Act), and federal bureaus (Federal Information Security Modernization Act of 2014 (FISMA)) are all required to install and maintain exacting processes and procedures to protect certain information. In most cases involving attorneys and their clients, guarded client information is made available to or shared with the attorney for the purposes of the representation. Therefore, to stay in compliance with federal regulations and laws, attorneys must comply with the same cybersecurity standards. MSSPs can help keep law firms compliant by keeping lawyers up to date with all federal regulations that apply to the law firm's practices.

 

Compliance works a little differently for attorneys and law firms at the state level. Each state has its own regulations and disciplinary authority. A multitude of states, in participation with the American Bar Association (ABA), have issued model rules or advisory opinions regarding the obligations of lawyers and law firms relating to cybersecurity. In more detail, let’s dive into the rabbit hole that is the ABA. To start, Model Rule of Professional Conduct 1.1 provides, “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Comment 8 to Model Rule 1 makes clear, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Evidently, the commitment to competence requires some serious examination.

 

Model Rule of Professional Conduct 1.4 requires that an attorney keep clients “reasonably informed” regarding the status of a matter and clarify those matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.” Since communication today is generally conducted through electronic means, attorneys have a responsibility to ensure that the tools used to communicate are secure. Model Rule of Professional Conduct 1.6(c) states, “A lawyer shall make reasonable efforts to prevent inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18 sets forth factors to be considered in determining the reasonableness of the lawyer’s efforts. These include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

 

In the state of California, attorneys will presumably have breached their duties of competence and confidentiality if they fail to take the appropriate precautions to safeguard client information. Correspondingly, in the state of Florida, “[l]awyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained, that the service provider maintains adequate security, and that the lawyer has adequate access to the information stored remotely,” and “[t]he lawyer should research the service provider to be used.”

 

Staying Compliant with Cloud Technology and MSSPs

The amount of data and information exchanged between clients and attorneys on any particular case can be overwhelming. Cloud-based MSSPs have reengineered the way precious and vital information is managed and secured, without the headache. Here are some of the advantages of using cloud technology:

 

  • Reduces operational complexities and nuances.
  • Offers a tremendous amount of transparency.
  • Delivers significant cost savings.
  • Streamlines workflows by automating processes.
  • Simplifies reporting and cuts down on the number of compliance tools needed.
  • Provides the ability to audit, query, alert on, and resolve any cloud infrastructure changes through virtual means.

 

How might this specifically help law firms maintain a steady compliance approach? Well, it predominantly boils down to unification! A cloud-based platform helps law firms by:

  • Integrating pertinent compliance-based data and information into a single view.
  • Consolidating any prior management and corresponding sources.
  • Equipping operators with an intuitive compliance dashboard that combines sources across any organization.
  • Granting firms the ability to continually track infrastructure.
  • Implementing automated and manual reconciliation of non-conformities while preventing further breaches.
  • Repeatedly pulling and analyzing information against the controls in place to pinpoint instances of non-conformity and iron out any issues.



Compliance Starts with MSSPs

On the whole, compliance has become a top priority for law firms of all sizes. Staying ahead of the game is imperative to ensuring that the client gets the best representation and to keeping reputations in order. MSSPs and compliance are two sides of the same coin. Utilizing MSSPs provides clear-cut ways to remain in compliance with client contracts and with state and federal regulations. Because Congress adds or changes so many regulations annually, lawyers must perform due diligence in staying up to date with all regulations, so that they can provide competent representation, protect their client base, and remain compliant.