Data Compliance for Law Firms: How to Know When Your Client Information is Bound by Data Handling Regulations—and What to Do about It

by

September 11, 2024

Most lawyers understand that the American Bar Association expects their firm to protect a client’s information correctly. But when industry-specific data handling regulations bind your client, it’s easy to get confused about how this thicket of cybersecurity rules affects your client-lawyer service and communication. Data handling for law firms can be confusing.

As an IT MSP with more than 100 law firms for clients, we deal with this question of law firm data regulations every day. Here’s the short answer:

If your client is bound by data handling regulations, then your firm is, too.

How will this affect your firm’s daily operations? Let’s examine the regulations that might apply to your client and when they become an issue in your consulting relationship.

 

Data Compliance for Law Firms: the Regulations That May Affect Your Law Firm

Gramm-Leach-Bliley Act (GLBA)

The GLBA applies to law firms that provide financial or legal services for financial institutions. Not only are you expected to safeguard the personal financial data of clients or client’s customers, but you must notify them in writing of your privacy practices before information is shared. Those whose data is being shared must have the opportunity to opt-out before the information is shared.

Our advice is to share as little financial data as possible, anonymize that data whenever possible, and create tight levels of access only on a “need-to-know basis.”

 

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA applies to law firms that handle health information, requiring them to comply with HIPAA regulations that require the patient to authorize everyone who views their information. This includes ensuring the confidentiality, integrity, and availability of electronic protected health information (ePHI). Like the Gramm-Leach-Bliley Act, the owners of personal health information must be notified if your firm is handling their data.

Remember, if you’re handling a healthcare client but not handling patient records, HIPAA will not apply to you. But, if you are handling HIPAA-protected information, you must provide proof of your safe data handling practices as part of your contract. You can find more information from the U.S. Department of Health and Human Services in this post.

 

Sarbanes-Oxley Act (SOX)

This law applies to publicly traded companies, their auditors, and law firms that provide services to these companies. Law firms must ensure the accuracy of financial statements and maintain records in accordance with SOX requirements. They must also ensure the information isn’t leaked or mishandled before its planned release to shareholders. This will require extra attention to your disaster recovery services, cybersecurity frameworks, and password-protected data transfer programs.

 

Cybersecurity Information Sharing Act (CISA)

CISA encourages the sharing cybersecurity information between the private sector and the federal government. Law firms that handle sensitive information may be required to share information with the government in the event of a breach.

 

New York State Department of Financial Services Cybersecurity Regulation

This regulation applies to law firms licensed by the NY State Department of Financial Services and requires them to implement specific cybersecurity measures. Your firm must also prove its good data-handling practices to the state. The list of requirements is too lengthy to get into here but aligns very well with the Responsible IT Architecture cybersecurity measures we generally recommend for our Integris clients. Here’s where to find out more.

 

Cybersecurity Maturity Model Certification (CMMC)

The CMMC website states, “The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for DIB partners. It is designed to enforce the protection of sensitive unclassified information that the Department shares with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.”

So, as you can see, if your firm is working directly for the Department of Defense and handling classified information, your firm will need to become CMMC certified. Or, if you are working for a CMMC-certified client, their data handling requirements will also apply to you and your client files.

 

State data breach notification laws 

These laws require companies to notify individuals in the event of a data breach that compromises their personal information. The laws vary slightly by state and can be found here.

 

Data Compliance for Law Firms: What Steps Should Your Law Firm Take to Comply with Specialized Data Handling Laws?

Suppose you know your firm is going to be handling protected or regulated information. In that case, our first recommendation will always be to seek out the counsel of a CISSP-certified virtual Chief Information Security Officer. This type of cybersecurity expert is the industry gold standard. They can help you on a scalable fractional basis for your firm. They can also examine the regulations that apply and translate compliance into an actionable cybersecurity plan for your business.

Specifically, a vCISO can help you:

 

Understand how client confidential information is transmitted and where it is stored

This includes client files and firm-generated files. They can ensure your password protections and endpoint monitoring are up to the task of keeping the data protected.

 

Understand and use reasonable electronic security measures

Ideally, they’ll help you create a cybersecurity posture and procedure that’s tight enough for most data handling regulations. With the right help, you can set up password protections, levels of access, and encryption services, among other compliant protections.

 

Create client agreements for how data transfer and communications will occur

If the information transferred is sensitive or warrants extra security, they can help you vet third-party services that can appropriately transfer, store, and back up your client communications.

 

Develop labeling systems set around levels of access

With the right tools, you can mark communications as privileged and confidential. This marks the files as confidential. Once on notice, under Model Rule 4(b) Respect for Rights of Third Persons, the inadvertent recipient would be on notice to promptly notify the sender.

 

Train lawyers and nonlawyer assistants in technology and information security

MSPs with expertise in working for law firms can be a tremendous asset for staff training. They can set you up with monthly online cybersecurity training and connect you to partner training programs for your cybersecurity software. These training programs also come with testing, scoring, and verified completion documentation. This can prove your good cybersecurity posture for clients, cyber risk insurers, or regulators.

 

 Conduct due diligence on vendors providing communication technology

A good vCISO knows how to ask the hard questions of the third-party vendors who provide your cybersecurity tools and services. With a comprehensive third-party vendor assessment, they can not only make sure their internal practices make the grade. After purchase, they’ll ensure they work seamlessly with the rest of your firm’s cybersecurity plans, policies, and procedures.

 

Interested in getting help with your firm’s regulatory compliance? Integris Can Help.

Integris is a nationally managed IT service company. Serving more than 100 law firms nationwide, we’ve dedicated our legal practice to the IT needs of law firms. Our company was founded on working in legal IT. We’d love to help you with regulatory compliance and much more. Contact us today for a free consultation.

Chris Lasecki, CISSP, is a vCISO at Integris. Chris has over 30 years of experience in the IT field, with a recent focus on cyber threat hunting and consultation.

Keep reading

Third Party Vendor Risk Management: A Guide for Law Firms

Third Party Vendor Risk Management: A Guide for Law Firms

You've bought the cybersecurity tools your MSP recommended to manage your cybersecurity. You use a permission-based platform to transfer client files back and forth. Your firm should be covered for data breaches, especially third-party vendor risk, right? Tell that to...

Ten Cybersecurity Best Practices for Your Law Firm in 2024

Ten Cybersecurity Best Practices for Your Law Firm in 2024

2024 isn't over yet, and we're already on track to have the biggest year in history for law firm data breaches. According to recent reporting by the American Lawyer, 21 firms reported breaches from January through the end of May 2024—compared to 28 law firm breach...