Tuesday, June 18, 2013

Beazley on Evolving Standard of Care for Firm Information Security

Brant Weidner of the professional liability insurer Beazley sent a link to the firm's latest brief, which includes a featured article on the evolving standard of care for law firm information security:
  • "The standard security model traditionally adopted by law firms focused on preventing an external breach. Firms invested in tools like firewalls to safeguard external network perimeters from attack and granted lawyers and staff “open-by-default” access to client information maintained in repositories like the document management system (DMS)."
  • "The prevention security model no longer suffices to mitigate the cyber risk generated by mobile devices, cloud services, lateral departures, matter centricity (e.g., a central document management system) and sophisticated hacking techniques. Instead, firms are increasingly adopting a data-centric information security approach, managing information more tightly and often restricting access to sensitive client information to only those lawyers and staff who need it to carry out work."
  • "Although law firm cultural preferences and business needs may justify an open-by-default information access model, clients and regulators are pushing for (or requiring) much more restrictive and protective approaches to content security. Firms therefore find themselves caught in a nexus of competing demands, with management struggling to find a reasonable solution that balances collaboration and compliance."
  • "In the past five years, client outside counsel guidelines and client audits have become more commonplace and more stringent. This creates extensive challenges for law firm risk managers, who must ensure that the proper policies and controls are in place to accord with client requirements. Financial services clients are reportedly the most stringent regarding security protocol for protecting sensitive information. Indeed, many firms report that client audits now extend far beyond yes/no questionnaires and can include month-long examinations to verify both controls and overall user training and awareness."
