Actionable Advice When Sharing Client Data with Vendors

Esquire Deposition Solutions, LLC

We’ve previously written on the need for law firms to scrutinize the data security protections in place at all third-party vendors who have access to client confidential information. Clearly, that’s still good advice. Vendors, whether they’re cloud storage providers or litigation services providers or any other entity in the legal services supply chain, are tempting targets for hackers.

However, for legal professionals without data security expertise, the meaning of the directive “vet your vendors’ security” is not always immediately apparent. How should a law firm vet the data security practices of third parties trusted with client information? This article attempts to answer that question and provide a high-level list of tangible steps that law firms should take to meet their legal and ethical obligations to provide an acceptable level of security over client confidential information. The focus here is on evaluating the data security practices of third-party vendors.

A workable approach to meeting a law firm’s data security obligations might look something like this:

Establish Clear Security Standards. Law firms should define and document specific security standards and requirements that vendors must meet, such as encryption protocols, access controls, data storage policies, and compliance with the most stringent relevant regulations.

It’s difficult to overstate the extent of a law firm’s data security compliance obligations. All law firms have an ethical obligation to safeguard client information. Under American Bar Association Model Rule of Professional Conduct 1.6(c) (and similar state-level ethics guidelines), lawyers have a duty to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Most state bar regulators have fleshed out the meaning of “reasonable efforts” through ethics opinions specifically addressing necessary protections for client information in electronic storage.

State ethics opinions are a great place to start getting a sense of a law firm’s data security obligations.

Additional compliance obligations arise from cyber-insurance policies, state and local data breach and data privacy laws, federal laws protecting health information, and international data privacy laws that come into play for law firms that handle personal information of individuals outside the United States. A sound cybersecurity plan will ensure that vendors meet the most stringent requirements across this ecosystem of relevant obligations.

Conduct Comprehensive Due Diligence. Before engaging a vendor, law firms should thoroughly evaluate the vendor’s alignment with those standards. That includes reviewing security policies, conducting background checks, assessing past security incidents or breaches, and verifying compliance with industry standards. The process is much faster and easier if the vendor has a SOC 2 report or an ISO certification, because those documents describe the company’s controls and its alignment with a known security framework.

Request Security Documentation. Law firms should request comprehensive documentation from vendors that demonstrates intentional design and operational compliance with those standards. Artifacts such as security audits, penetration test reports, vulnerability assessments, and compliance certifications can validate the vendor’s security claims and provide insight into its actual security practices.

Assess Data Classification and Handling Practices. It’s crucial for law firms to understand how vendors handle sensitive data. This involves evaluating data encryption methods, data access controls, data retention policies, and procedures for handling data breaches or incidents.

Evaluate Fourth-Party Relationships. Law firms should assess the security posture of their vendors’ subcontractors and third-party service providers. This includes understanding how those relationships are managed, what contractual agreements are in place, which security measures are in place, and how data is protected throughout the entire supply chain.

Implement Ongoing Monitoring and Compliance. Security assessments shouldn’t be a one-time event. Law firms should establish mechanisms for ongoing monitoring and compliance verification. Regular audits, performance reviews, and updates to security agreements can help ensure that vendors continue to maintain an acceptable security posture over time.

Smaller law firms might be overwhelmed by the number and complexity of the data security action items listed above. For them, here’s a streamlined approach that should be manageable for law firms with a more modest level of resources to dedicate to data security:

  • Define Basic Security Needs. Small law firms should outline essential security requirements, focusing on areas such as data encryption for sensitive information, secure access controls, and basic compliance with relevant regulations (e.g., local data protection laws).
  • Perform Simple Vendor Screening. Conduct basic due diligence on vendors who will handle sensitive data by reviewing their security policies and assessing any past security incidents or breaches. This can be done through online research, inquiries with industry peers, or requesting references.
  • Request Essential Documentation. Ask vendors for basic security documentation, such as a summary of their key security measures: data classification schemes, data encryption methods, access controls, and general data security practices. Focus on the aspects most relevant to your firm’s operations and the sensitivity of the data involved.
  • Implement Basic Monitoring. Establish a lightweight process for periodically revisiting vendor security practices after the initial evaluation, such as annual evaluations or reviews tied to contract renewal cycles, to ensure ongoing compliance without overwhelming administrative overhead.

Whether your law firm is large or small, now is the time to carefully review whatever data security protections your vendors have in place and, if necessary, bring them up to current legal and ethical requirements. Threats to client information are real and growing – cybersecurity experts at the World Economic Forum believe that 2024 could bring a record number of data breaches. Phishing campaigns, already the source of several law firm data breach incidents, will likely become more sophisticated and difficult to detect as a result of artificial intelligence and cleverly faked images and email messages.

Written by:

Esquire Deposition Solutions, LLC