Perhaps no topic has attracted as much attention – and angst – in the legal profession this year as data security. One strategy that many corporate clients are employing to minimize their risk in working with outside law firms and their third-party information service providers is to require them to undergo intensive data security audits.
Earlier this year, LexisNexis partnered with Lewis Brisbois to host a CLE panel event in Los Angeles: “How to Interpret and Meaningfully Comply with Audits?” The panelists included: Gordon Calhoun, chair of electronic discovery, information management and compliance, Lewis Brisbois Bisgaard & Smith LLP; David L. Hansen, director of compliance, NetDocuments; Aaron Laderman, regional underwriting manager, AIG; and Jeff Norris, CISSP, senior director of data security for LexisNexis Managed Technology Services.
Over the past several weeks, we’ve been recapping some of the highlights of that discussion with a series of blog posts. Those posts shared some of the general trends in data security audits, explored the art of interpreting data security audits, described the idea of “co-education” among the various players in data security audits, and took a look at how law firms can collaborate effectively with their outside partners in order to deploy the optimal data security solutions.
This week, we conclude our series by assessing how law firms can deal with restricting access to data and leverage data security resources as efficiently as possible.
“Certain data that is case-related just can’t be made available to unauthorized people,” said Calhoun. “For example, health care data can only be made available for the limited purpose for which it’s needed. There are certain types of data that have to be restricted.”
But for law firms, this serious burden need not fall on the shoulders of their own IT personnel.
“Firms really need to understand the different levels of access and the requirements around the protection of data, but it falls on information service providers to help law firms focus on their business by making sure that we secure their data and manage it in a way that protects access,” said Hansen. “We have to build the right access controls so that all of this is easy for law firms to do.”
“We’ve seen a lot of our clients starting to look at their contractors or others coming to do work on behalf of the firm and look at the proper ways to provide them with access to their systems,” said Norris. “That’s one good way to keep data security intact by making sure that you control the things you can control on your own premises and in your own systems. This is all a matter of risk management.”
Moreover, insurance companies that underwrite this cyber-risk profile want law firms to be able to demonstrate a serious commitment to access controls.
“We want to see that law firms have compliance procedures in place and protocols in place to follow those procedures, but also that you have protocols in place to make sure the people you’re entrusting with your information have controls that are as good or better than your own,” said Laderman. “We also like to see that IT is involved with auditing some of the vendors so they can verify that those vendors have controls in place, as opposed to just a cost-based decision where they’re choosing the lowest cost vendor.”
The good news in sorting through these challenges is that many law firms already have the tools they need to be well-prepared for data security audits . . . they just need to leverage the third-party information resources in the cupboard.
“I think the important takeaway here is that if you’ve got LexisNexis already under your roof and you have NetDocs or another document management system already under your roof, then you already have a significant part of the data security solution,” said Calhoun. “You don’t have to go out and reinvent solutions for data security for law firms because those solutions already exist and many are already under your roof right now. The question is using what you have and realizing you may already have the resources you need in terms of the issues that data security auditors are concerned about, simply by turning to those people who are already your business partners.”