Law firms are attractive targets for cyber criminals. While the information they harbor isn’t as closely protected as that of the healthcare industry, it can be just as sensitive, if not more so. A data breach could lead to financial damage, whether fraud, theft, or ransom. Thus, it’s imperative to develop a cybersecurity plan for your practice. The various cybersecurity requirements for law firms impact not only the attorneys on staff, but also the many clients you have a duty to protect.
For many firms, finding a quality service provider or partner is the best way to stay safe.
What Types of Cybersecurity Partners Should Law Firms Consider?
For small- to medium-sized firms, which have more modest budgets for IT and cybersecurity, contracting outside help is a wise financial decision. Managed IT can be the difference between safety and potentially irreparable damage from cyber attacks. But to even be considered as a cybersecurity partner for your firm, a provider needs to meet two key criteria:
- Helping you meet law-specific cybersecurity requirements
- Optimizing your firm with best practices beyond what’s required
The best potential partners for your firm are those that not only meet these criteria, but go above and beyond, tailoring their services to the exact needs and means of your particular business.
Before getting into what that looks like, let’s cover the basics.
Biggest Cybersecurity Requirements for Law Firms
First and foremost, you want a cybersecurity partner that helps you meet any and all legal obligations with respect to cybersecurity. However, there are few (if any) strictly required practices that apply categorically across the legal field, unlike in certain other industries.
There’s no law-specific HIPAA-like equivalent for attorneys, but that doesn’t mean law firms are off the hook…
For instance, the American Bar Association (ABA) has published a form of the Model Rules of Professional Conduct since 1983. Since its inception, rule 1.6 has required lawyers to take “reasonable efforts” to maintain the confidentiality of their clients’ personal information.
Following ABA meetings in recent years, formal opinions on professional ethics were issued to modernize the scope of rule 1.6, along with a few other rules:
- Formal Opinion 477 – Published in 2017, this decision specified new security parameters for information held and transported in digital formats (e.g., via email).
- Formal Opinion 483 – Published in 2018, this decision defined lawyers’ obligations with respect to data breaches. They’re obligated to monitor data breaches and work to actively prevent them, while also notifying any impacted parties should one occur.
For these reasons, adoption of cyberdefense architecture is a de facto requirement for law firms. In the absence of industry-specific mandates, many choose to voluntarily apply generalized cybersecurity frameworks. Two of the most prevalent are:
- Cybersecurity Framework (CSF) – Published by the National Institute of Standards and Technology (NIST), the CSF defines key outcomes and implementation tiers with respect to the scope and nature of a business, as well as its risk profile.
- Critical Security Controls (CSC) – Published by the Center for Internet Security (CIS), the CSC comprises 20 controls that cover the basic, foundational, and organizational cybersecurity practices applicable across businesses in any field.
Another important consideration is that there may be compliance requirements that are applicable to a given law firm. It simply depends on the specific nature of its business (clientele and logistics).
Regulatory Compliance Advisory Services
Your firm should seek out a cybersecurity partner that can help you meet compliance requirements that are required because of the nuances of your particular practice.
As noted above, there’s no “HIPAA equivalent” for law firms that applies universally to all legal practitioners in the same way that HIPAA does for all medical professionals. But HIPAA itself actually does apply to some legal practices: specifically, those working with healthcare provider clients.
Attorneys and law firms typically do not qualify as covered entities under HIPAA. That designation applies to:
- Healthcare plans
- Healthcare providers
- Healthcare clearinghouses
However, HIPAA requires these covered entities to ensure that business associates (including attorneys and law firms) who work with protected health information agree to protect it. This agreement is solidified in a contract (a business associate agreement) that, in practice, makes the business associate itself a HIPAA-regulated entity. If you work with healthcare clients, you likely need to be HIPAA compliant.
Compliance with HIPAA involves abiding by its four rules, which echo the confidentiality and data breach diligence requirements of the ABA’s formal opinions.
Another compliance framework that applies more or less universally to most legal practices is the Payment Card Industry (PCI) Data Security Standard (DSS). If your business processes payments from clients via credit card, you’ll need to be PCI DSS compliant. Maintaining PCI DSS compliance involves implementing its 12 core requirements and all of their sub-requirements.
Law Firm Cybersecurity Best Practices for Safety
Your cybersecurity partner should be committed to keeping you safe beyond the baseline standards legally required. The best providers utilize cutting-edge practices, incorporating all of the best and most effective technologies and methodologies for optimal cyberdefense.
For example, one of the most common and yet important forms of cyberdefense architecture is firewall protection. A firewall acts as a buffer between your organization’s internal resources and external threats sent by malicious cybercriminals, such as:
- Remote, unauthorized access to company resources
- Malware disguised as innocent downloads
- Social engineering emails (phishing)
However, even a powerful firewall is often not enough to block all threats.
While a firewall is a great starting point, a more comprehensive and proactive web filtering system, such as Cisco Umbrella, is preferable. These filters scrutinize all content that passes through your firewall and are capable of identifying the most insidious and well-hidden threats.
In addition, another best practice is strengthening your defense with offensive measures.
Penetration testing is a form of ethical hacking in which a mock attack is launched against your company to see how an attacker could, and would, infiltrate your systems. Staging and studying such an attack enables you to understand your weaknesses and address them accordingly.
Managed Detection and Incident Response
Ideally, the cybersecurity partner you choose to work with should take a comprehensive approach to cyberdefense. Rather than just offering select services piecemeal, they should integrate any and all practices into one, cohesive cybersecurity program.
One strong, systematic approach to cybersecurity is managed detection and response (MDR).
An MDR program isn’t an individual tool, practice, or piece of cybersecurity architecture. It does, however, boil down a vast array of safeguards into four simple functionalities:
- Threat detection – A robust, continual matrix of scanning and monitoring to identify all internal and external threats, categorize them, and quickly respond and recover.
- Incident response – A structured, formal process of addressing, mitigating, and ultimately eliminating attacks and other cybersecurity events as they occur.
- Root cause analysis – A deep and broad analysis of any and all risks and events that seeks to eliminate underlying weaknesses and prevent future exploitation.
- Regulatory compliance – Covered in greater detail above, the important element to note here is that compliance should be integrated throughout all your systems.
Whether you choose this particular scheme, or another that fits your firm’s needs more closely, the important takeaway is that the overall approach should be holistic rather than disjointed. You want to partner with a cybersecurity provider that packages things in a neat, accessible way.
Professionalize Your Cybersecurity Today!
For law firms and legal practices searching for a cybersecurity partner, there are many factors to consider. RSI Security is a uniquely apt partner for legal firms because of our flexibility, as well as the depth and breadth of our expertise and experience with all matters of cybersecurity.
Our team boasts over a decade of experience providing cyberdefense solutions to law, medical, financial, and other firms across nearly every industry. We’re dedicated to not just compliance and legal requirements, but cutting-edge best practices to keep you and your stakeholders safe. Contact RSI Security today to meet all cybersecurity requirements for law firms, and then some!