Tuesday, September 20, 2016

Information Security: Certification, the Cloud and Clients

Two interesting security updates to share. First, Philip N. Yannella, Partner and co-leader of Ballard Spahr’s privacy and security group, writes in "Law Firms Are Seeking Data Security Certification (Perspective)":
  • "In the wake of a number of high-profile data breaches involving law firms — including the recent Panama Papers breach — many U.S. law firms are moving toward obtaining ISO data security certification."
  • "Law firms did not consider ISO certification necessary to the practice of law. But now, as hackers take aim at the legal profession, many law firms are obtaining ISO certification in order to reassure their clients that the firm’s data security practices are adequate. Some firms are using ISO certification for business development purposes — as a means of differentiating themselves from other law firms."
  • "Since that time, the cyber threat landscape for law firms has increased. In March 2016, The Wall Street Journal reported that the FBI was investigating a series of data breaches involving major U.S. law firms, including Weil Gotshal & Manges and Cravath Swain & Moore. Reports indicate that hackers were targeting sensitive client information concerning upcoming deals."
  • "The coup de grace occurred in April 2016, when the Panama law firm Mossack Fonseca was hacked in the infamous Panama Papers attack. It resulted in the public release of more than 11 million documents, detailing the formation of off-shore accounts and other questionable, if not illegal, financial activities of international politicians, business people, and celebrities to shield income from taxation."
  • "To improve their data security practices, and provide assurance to jittery clients, many Am Law 100 law firms are seeking ISO certification. A March 2015 ILTA survey found that 18 law firms had obtained ISO certification, and that another 30 were in the process of obtaining the certification. It is likely that these numbers have increased since then. Many law firms are using the ISO certification for marketing purposes, touting the firm’s commitment to ensuring the same level of data security as their clients."
  • "The trend toward ISO certification is not likely to abate as long as law firms continue to be targets of hackers. In the future, obtaining ISO certification may be like obtaining malpractice insurance for law firms — a cost of doing business."
Expert Discussion (video):
One area often catalyzing security discussions is the cloud — where some see risk, others see potential advantage (shifting the burden of security management to dedicated vendors). The cloud also raises questions of control and jurisdiction. Here is an interesting video discussion, delivered by Microsoft's own legal team, which explores: cloud security, privacy & control, compliance and transparency.
