Cybersecurity is a big worry for law firms. Clients entrust confidential information to their law firms, and attackers have started to notice. Law firms of all sizes need to get serious about cybersecurity.
Most states’ ethics rules do not demand perfect security, only reasonable efforts on the lawyer’s part to secure information. What counts as a reasonable effort when it comes to cybersecurity safeguards for law firms? State regulators for lawyers have been mostly descriptive rather than prescriptive: they state the standard without spelling out what a reasonable effort entails.
Fortunately, there is another source that lawyers can review that gives us an idea of what might be considered reasonable—but it’s not from the legal sector.
The Health Insurance Portability and Accountability Act (HIPAA) imposes privacy and security standards on covered entities that handle medical records, and on the business associates that serve those covered entities. Many lawyers who represent covered entities such as doctors and hospitals are finding themselves caught up in HIPAA’s business associate rules.
HIPAA requires that electronic health information be protected “against any reasonably anticipated threats or hazards to the security or integrity of such information.” (45 CFR § 164.306(a)(2))
To protect this sensitive information, HIPAA requires three types of safeguards for information to be considered reasonably protected:
- Administrative (45 CFR § 164.308)
- Physical (45 CFR § 164.310)
- Technical (45 CFR § 164.312)
Within each of these sections of the regulation, the safeguard standards list implementation specifications that are either required or addressable. Addressable does not mean optional: an entity must implement an addressable specification if it is reasonable and appropriate for its environment, and otherwise document why not and adopt an equivalent alternative measure. This article won’t list every specification, but will focus on the required ones. Lawyers should read all of the safeguards in HIPAA to see which work best for their firm.
One administrative safeguard listed is that firms need a security management process: policies and procedures to prevent, detect, contain, and correct security violations. When polled during a Clio webinar on cybersecurity, 65% of the law firms attending did not have a security management process in place. Law firms need to develop and document a plan for ensuring cybersecurity in order to meet a reasonable security standard.
Reasonable administrative safeguards would have at least the following required standards:
- Security management process, with:
  - Risk analysis
  - Risk management
  - Sanction policy for workforce members who break firm policy
  - Information system activity review (a procedure to regularly review audit logs, access reports, and security incident tracking reports)
- Assigned security responsibility (a named person accountable for security)
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency plans that encompass:
  - Data backup plans
  - Disaster recovery plans
  - Emergency mode operation plan
- Periodic technical and non-technical evaluations
- Written contracts with any business associates used
Physical safeguards differ from the other safeguards in that they focus on physical access to facilities, workstations, and the devices and media that store the files. Reasonable physical security safeguards would include the following HIPAA standards:
- Facility access controls
- Workstation use policies
- Workstation security
- Device and media controls, with:
  - Proper disposal procedures for devices and media that used to contain protected health information
  - Media re-use procedures (sanitizing media before it is reassigned)
What’s interesting about the physical safeguards is that cloud providers often deliver stronger physical security than a law office can. Clio’s data center has six different layers of physical security, including 24/7 security staff, visitor screening, biometric access controls, and even a mantrap for intruders! I don’t know of any law firm that has a mantrap (though many probably wish they did).
The technical standards in HIPAA that should be included in a reasonable cybersecurity policy include:
- Access control, with:
  - Unique user identification (no shared logins)
  - Emergency access procedure
- Audit controls (record and examine activity in systems that hold the data)
- Integrity controls to prevent improper alteration or destruction of data
- Person or entity authentication
- Transmission security (encryption of data in transit is the addressable specification here)
Again, cloud computing tends to do better than older solutions in meeting these standards. For example, Clio has built-in audit controls, like our Account Sessions feature, which lets you see who accessed your data and from which IP address.
Addressing All Three Safeguards
By now, you should notice that many of the safeguard standards overlap. Information access management (an administrative safeguard standard) can’t really be separated from access control (a technical safeguard). This means that a reasonable security effort must take all three types of safeguards into account. Ignoring one is like removing a leg from a stool; you are going to fall.
Cybersecurity remains an evolving standard. Lawyers need to implement it now, but must also plan for changes in the future. The three safeguards outlined in HIPAA should give each firm an idea of what is required to create reasonable security standards, even if the firm is not presently subject to HIPAA regulation. Using these safeguards as a basis, firms can protect themselves and their client data from reasonably foreseeable intrusions.
Looking to learn more about the steps you can take to secure your law firm’s digital data? Watch our free, on-demand ‘Cybersecurity for Law Firms’ webinar now.