Security without Compliance: The Legal Industry Needs to Step Up Security

This is a guest post from Matt Wilgus, Practice Director for AT&T Consulting. Take a look at Part 1 – Internet Security Assessment of the Legal Profession: An Easy Target.

The debate over a formal regulatory body versus self-regulation in an industry is commonplace. The usual argument is that self-regulation is more efficient than a bureaucratic third party setting rules. Either approach can result in a false sense of security. Self-regulation assumes the industry will look out for the interests of those beyond its members, while formal regulation may set a minimum bar that then becomes the end goal. Several industries, such as the financial, healthcare and retail industries, have compliance drivers associated with data security. The adequacy and effectiveness of these industry regulations is frequently debated, but at least they have set a minimum bar and raised some level of awareness. One industry where information security seems to be lacking is the legal field.

Learning from Other Standards

Many large organizations, such as financial and healthcare organizations, require their third parties to verify some level of security compliance. While software, hardware, marketing organizations and other vendors undergo security assessments, law firms often argue that controls around client data are strong, and invoke the concept of attorney-client privilege to stress the adequacy of those controls. In the past, this argument may have been good enough to bypass the third-party assessment requirement. However, the controls around client data may not be as good as advertised and should be verified.

Annual penetration testing, a common compliance requirement in many industries, may not be conducted at all by some law firms. AT&T has seen law firms conduct penetration testing as infrequently as every four to five years, with every other year being commonplace. Password policies almost certainly exist, but whether they are actually enforced is questionable. Additionally, weak passwords remain very possible even under a reasonable policy.

Although a formal compliance standard for the industry does not exist, Information Technology (IT) personnel can leverage other standards as a guideline. ISO 27001 is an internationally recognized security standard of good practice. Additionally, firms may be able to certify against the standard, which could be used as a differentiator to garner new business and demonstrate due diligence.

As the debate over whether to establish a governing body to oversee security compliance in the legal industry continues, law firms—and their clients—would be better served by stepping up security controls now.

Matt Wilgus leads the Secure Infrastructure Services practice for AT&T Consulting. In this role, he shapes the delivery and direction of offerings involving vulnerability and threat management, incident response and forensics, secure architecture design and other technical solutions.
