Tuesday, February 21, 2017

Client Confidentiality Concerns, Information Security Standards & More




Not strictly related, but definitely relevant given yesterday's post on confidentiality management: "Clients Turning to Encryption to Combat Law Firm Data Breaches" --
  • "Firing off an email to a client may become a bit more complicated as some in-house legal departments are looking to email encryption as a way to combat law firm data breaches... Corporate counsel are encrypting emails with outside counsel on sensitive matters, including high-stakes litigation and mergers and acquisitions."
  • "'I never considered something like this before I came to Sophos,' said Eleanor Lacey, the network security company's senior vice president and general counsel, who joined from SurveyMonkey in November 2016. 'But I should've, because law firms have had data breaches.'"
  • "Late last year, Preet Bharara, U.S. attorney for the Southern District of New York, announced that three Chinese nationals had been charged with hacking into two national law firms to steal information on upcoming M&A deals."
  • "A legal operations professional at a Fortune 200 company, who was not authorized to have quotes attributed to her name or company, said her company has secured email 'tunnels' with outside counsel on high-stakes litigation. 'We contacted our firm, they put us in touch with the right IT contact, who then talked to our IT contact, and it was done,' the source said, explaining the ease of the process. 'Once it's set up, it's done. It's invisible to me.'"
  • "The source also said some companies are skittish to publicly announce that they use email encryption because it could make them a 'target' for outside hackers."
  • "This is an article I have been meaning to write ever since we performed an IT audit for a large law firm a year or so ago. The firm was responding to the HIPAA law that requires all third-party vendors working with healthcare organizations to have a Risk Assessment. This further proves my point that most businesses won’t do much in the area of cyber security or compliance, not even an IT risk assessment unless required by law."
  • "Somehow law firms have escaped being subject to the same legal compliance mandates that many other businesses must adhere to. The American Bar Association has certainly visited this issue and stated the following in 2013. Many firms are now asking, “What do we do to keep our systems and data safe? How can we keep this from happening to us?” There is a simple answer to this question: Hire a chief information security officer, give him or her a budget to hire the staff needed to build and maintain an enterprise security program (ESP), and exercise appropriate governance over the firm’s digital assets."
  • "But do law firms have a security standard like FISMA, PCI DSS, HIPAA or SOX? Not really one specific compliance mandate for law firms. If they handle credit cards it's PCI DSS, if they handle HIPAA, then HIPAA third party kicks in. It’s a disconnected, disjointed patchwork of laws written by? Legal professionals. Add privacy laws to the mix. Forty-seven states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have all enacted statutes requiring companies to provide notification if a breach of personal information occurs."
  • "'We live in a world where our national security is threatened by cyberterrorists, and where private enterprise is forced to respond to cyber theft of intellectual property on a daily basis. The ABA Cybersecurity Legal Task Force is examining risks posed by criminals, terrorists and nations that seek to steal personal and financial information, disrupt critical infrastructure and wage cyberwar. When our national security and economy are threatened, lawyers will not stand on the sidelines,' said Laurel Bellows, 2012-2013 President of the American Bar Association."
Finally, commentary on another jurisdiction's move to approve cloud services: "Illinois State Bar Association issues Opinion on using cloud services to store client information" --
  • "Back in October, the Illinois State Bar Association (ISBA) issued a Professional Conduct Advisory Opinion stating that a lawyer may use cloud-based services to store client information as long as the lawyer takes reasonable measures to ensure that the client information remains confidential and is protected from breaches."
  • "Carefully choosing an internet cloud space provider is, of course, the first step a lawyer must take in order to comply with the duty. But, it is important to note that the opinion clearly states that a lawyer does not comply with the obligation to protect the client information by merely selecting (however carefully) a reputable provider. Thus, the opinion concludes that lawyers must conduct periodic reviews and regularly monitor existing practices to determine if the client information is adequately secured and protected."
