Wednesday, July 23, 2014

Law Firm CIO Responds to Suggestions Industry Security is Lacking

Industry expert Judith Flournoy, CIO at Kelley, Drye & Warren and chairwoman of ILTA's legal security working group, takes to the pages of Law Technology News to address the frequent stories suggesting that law firms are a juicy and attractive target for hackers: "Law Firms Respond to Security Risks in Client Data: After being dubbed the 'soft underbelly of American cybersecurity,' law firms embrace robust security programs." --
  • "So, we may have been characterized as the 'soft underbelly' but we are no softer than any other industry, government or institution.  On behalf of my colleagues around the world in firms large and small, we understand the call to arms and we are engaged."
  • "Law firm clients in the financial services industry heavily scrutinize their outside counsel with vendor security audits. Governed by the Office of the Comptroller of Currency and the Federal Financial Institutions Examination Council in compliance with the Gramm-Leach-Bliley Act, all law firms who have financial institution clients are required to respond to a comprehensive security audit."
  • "The audit process is detailed, and in many cases includes questionnaires with several hundred questions, on-site interviews and/or on-site physical security assessments covering everything from hard-copy file security to data center security."
  • "Why does this matter?  For the first time in the history of our industry, we find ourselves in a position where we not only have to provide highly detailed information about our security programs but we are also required to remediate any risks identified in the audit process.  The end result for many firms is to redirect efforts and funds for security based projects and policies, including security education programs, resulting in a battle for resources."
  • "Law firms continue to adjust to the 'new normal' business model based on client demands. Prior to 2008, firms provided services to clients based on the billable hour and what the lawyer believed was the value of the work performed. Since 2008, clients have been demanding alternative fee arrangements, fixed fee projects and have been generally unwilling to pay for the work of junior attorneys.  Combine the new normal with clients requiring outside counsel firms to adhere to a much more stringent security practice.  These are the newer set of demands we find ourselves adjusting to."
  • "The good news is that many firms have already begun the complex process of implementing a more robust security posture.  As previously mentioned, many firms have acquired, or are in the process of obtaining, ISO 27001 certifications."
