Peer to Peer Magazine

Winter 2015

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/624538


ASK THE EXPERT

How will increased security regulations affect legal organizations in the long-term?

Jon: Increased regulations will have a net positive effect. The controls you see in things like HIPAA and the ISO 27001/27002 frameworks will become more regulated, maybe at the federal and state levels. For example, Massachusetts has some data privacy and protection laws, and they have an organization called the Law Office Management Assistance Program (LOMAP) that helps attorneys in that state follow the rules. This trend could continue.

I'll also add that as we all look at cybersecurity insurance, there's a lot of gray area related to premiums, coverage and liability. I've heard insurers say they might use the ISO 27001 framework as the guideline for measuring risk at firms that want to have cybersecurity insurance. The more you follow the standard or the more systems you've certified, the more it might positively affect your premiums or your coverage. While that wouldn't be a regulation, per se, the methods by which the insurance industry determines cybersecurity insurance premiums could have a long-term effect on how law firms operate.

Butch: In the long-term, our security will continue to increase and improve. We'll experience revised recommended minimums, and those should be reached, if not exceeded.

David R.: For firms making strong efforts at security, not much will change. There might be more red tape to go through, but that will improve the state of information security in law firms.

Peter: We haven't seen any federal or provincial regulations around security in Canada — yet. However, I have no doubt that they're coming because we have more and more clients asking about our security policy for XYZ. They want to see it and hear about it. For those employed in the security industry, much work is available for them ahead.

David B.: What we are seeing now and will see in the future are regulations that affect our clients, and those regulations will be passed along to us by proxy of working for the client. Many of us have already seen that working with financial institutions in the form of audits and security requirements and policies. As a result, we're seeing a change in philosophy on how law firms share data internally. No longer does every attorney and staff member have access to every document, referred to as an "optimistic" document management system. Clients want us to restrict access to their documents, shifting us to more of a "pessimistic" document management system.

They say people are the weakest link. How do you get users to be motivated to keep the firm's data secure?

David B.: Overall, security awareness is improving, and we have a more informed population. Mainstream media are motivating users to keep data secure by having security hacks on the front page of the news. After one of these attacks is reported in the media, I always get more inquiries about how we protect our firm's environment and how to protect a personal environment. Today's attorneys and staff have a much more vested interest in the law firm succeeding and know that security is a part of that success.
