When it comes to data security audits, one size doesn’t fit all. The metrics of one industry don’t necessarily translate to other industries – and this is particularly true when it comes to the document-intensive legal industry, where confidentiality in communications between client and attorney is a central value to the entire profession.
“As a legal service provider, we’re seeing the full spectrum of data security audits, from simple vendor assessments to 100-question audits followed by in-person visits,” said Jeff Norris, CISSP, senior director of data security for LexisNexis Managed Technology Services. “They seem to be more pronounced in industries such as financial services, health care and others that handle a lot of regulatory data. The good news is that law firms are getting much better at dealing with these audits.”
To help law firms understand their responsibilities, LexisNexis recently partnered with Lewis Brisbois to host a CLE panel event in Los Angeles: “How to Interpret and Meaningfully Comply with Audits?” The panelists included: Gordon Calhoun, chair of electronic discovery, information management and compliance, Lewis Brisbois Bisgaard & Smith LLP; David L. Hansen, director of compliance, NetDocuments; Aaron Laderman, regional underwriting manager, AIG; and Norris.
The panelists were asked to share their thoughts on trends in data security audits. We’ve captured some of the highlights from this event and will be summarizing them in a series of blog posts in the weeks ahead. Some of their overview comments included:
- Number and intensity rising
More clients are requiring data security audits than in previous years. In addition, the level of audit intensity has increased, with some audits now including multi-tiered questionnaires that require narrative responses and are followed up with telephone interviews.
- Vendors under scrutiny as well
Law firm vendors face even greater pressure from data security audits. First, they must certify themselves as qualified vendors by passing audits for ISO, SOC 2 and other standards. Second, they must be re-audited by law firms and other clients to validate the results of their compliance audits.
- Insurers look for benchmarks
Insurance companies tend to use data security audits as a benchmarking tool to evaluate law firms and other insured businesses. One of the ways they analyze risk exposure is by determining the data security framework the firm has in place.
- Law firms are businesses too
Law firms are expected to be protectors of their clients’ data, but many of them are also large commercial enterprises in their own right and have the same data security challenges as any other company. This includes departments such as HR, Finance and Employee Benefits, which hold sensitive personal information that must be protected as rigorously as client data.
In the weeks ahead, we’ll share more highlights from this all-star panel discussion and will make available free video clips you can view with each post.