Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Increasing Client Requirements: Securing Law Firms for the 21st Century

By Debra Gray
December 02, 2019

Gone are the days of "basic security." What used to be optional is now standard: two factor authentication, complex passwords, clean desk policies, data encryption at rest and in transit, mobile device management and up-to-the-minute patching. Clients expect these items to already be in place and are further expanding their expectations. They expect sophisticated and secure systems to keep their information safe. This obviously makes your IT professional's job much harder. Additionally, attorneys expect instant performance and near 100% up time. Achieving the delicate balance between accessibility and security is a challenge. Meanwhile, clients continue focusing attention on documentation, planning and training.

The frequency of client-initiated audits has increased dramatically over the last five years. In 2013, Frandzel received its first audit; it was one page long and consisted of seven questions. In 2018, the firm received five audits. All were greater than one hundred pages in length. The longest one included over seven hundred questions. All of the inquiries seek documented information security policies, incident response plans and business continuity plans. Vulnerability scans of networks are required on a monthly basis, with classification and inventory controls put in place immediately. Clients seek annual security awareness and phishing defense training for all staff. The most consistent change is a requirement that the firm conduct substantial employee background checks for every new hire.

Information Security Policies

Developing one security policy for all clients is far simpler than answering every question individually. This practice also provides the firm and its third party vendors with guidelines to adhere to. These policies become a firm's bible to follow with regards to information technology security. They include general information on security management standards, classification and controls, information users, guidelines for personnel and physical security.

  1. Information Security Policies. These identify: 1) the firm's Information Security Manager (ISM), the person responsible for your information technology; 2) how to manage sensitive information; and 3) who can access what in your firm.
  2. Classification and Control. This describes the fundamentals of information security, including a description of the information you maintain and how is it classified (i.e., private, sensitive, restricted or confidential).
  3. Information Users. In most cases, the human factor is a firm's greatest risk. Password standards, workstation security and automatic screen protection, end-of-day log off requirements, unusual behavior detection, mobile device protection, good judgment policy and most importantly, training all come into play.
  4. Physical Security. Having physical controls in place helps staff follow standards with regards to securing visitors and physical rooms. Educating staff regarding visitor policies, such as keeping a log with the visitor's name, date, purpose of visit and physically keeping all server rooms locked, also aid in security. These are standard requirements and commonly considered basic controls today.

Incident Response Plan

This documents your organization's formal response plan in preparation for a breach. Requirements in this area vary widely. Clients frequently dictate policy inclusions such as maximum notification times, specific contacts, and general best practices. Regardless of whether client requirements exist, general best practices include developing these procedures today. It is common for these policies to include some or all of the following:

  1. Names of your incident response team and key clients and the numbers you need to call if an incident occurs;
  2. The name of your key resources needed to maintain or resume operations;
  3. Procedures for various incidents;
  4. Inventory of all hardware;
  5. Inventory of all software;
  6. Inventory of connectivity vendors;
  7. Inventory of critical IT documents;
  8. Location of data;
  9. Location of passwords; and
  10. Inventory of vital business records.

Business Continuity Plans

A growing best practice is to combine both business continuity and incident response plans into a single document. They are of equal importance and tend to contain similar information. Whether it's a breach, fire, earthquake, etc., you will need to follow documented plans of action equally. The primary focus is to ensure operability of technology resources without interruption to minimize loss of revenue. Properly documented and tested plans will enable your firm to remain standing.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
Major Differences In UK, U.S. Copyright Laws Image

This article highlights how copyright law in the United Kingdom differs from U.S. copyright law, and points out differences that may be crucial to entertainment and media businesses familiar with U.S law that are interested in operating in the United Kingdom or under UK law. The article also briefly addresses contrasts in UK and U.S. trademark law.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.

Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

Legal Possession: What Does It Mean? Image

Possession of real property is a matter of physical fact. Having the right or legal entitlement to possession is not "possession," possession is "the fact of having or holding property in one's power." That power means having physical dominion and control over the property.

The Anti-Assignment Override Provisions Image

UCC Sections 9406(d) and 9408(a) are one of the most powerful, yet least understood, sections of the Uniform Commercial Code. On their face, they appear to override anti-assignment provisions in agreements that would limit the grant of a security interest. But do these sections really work?