Consequences of Non-Compliance

Earlier this year, I attended LegalTech in New York City. I toured the showroom floor, talked to attendees, and reviewed the discussion session topics. This conference and trade show focus on new technologies that promise to make the legal industry more streamlined and efficient in many different areas. There were several compliance-related vendors and learning sessions, primarily focused on routine interactions: document requests, e-discovery, legal holds on documents, and so on.

I was surprised to find that security and technology compliance were almost entirely unaddressed. By nature, law firms hold some of the most valuable information—from the public and private sectors—including financial information, personally identifiable information (PII), protected health information (PHI), patent information and other intellectual property (IP). Organizations depend on law firms to help protect them from legal challenges, avoid infringements, and stay in compliance with regulatory requirements. To do so effectively, clients must share sensitive and proprietary information with their legal counsel. Many of these relationships cover years, even decades, of confidential affairs and transactions.

It doesn’t take much imagination to foresee the disastrous consequences of losing control over this critical information. The global scandal of the Panama Papers leak, in which a Panamanian law firm’s entire document archive was exfiltrated and published, is a cautionary tale of epic proportions. But data breaches happen all the time, and to all types of law firms. Clients are paying attention. Are you?

In almost every industry, businesses and services are tasked with technology and security compliance requirements from governments, regulatory bodies, insurance companies, customers, and suppliers. ISO 2700x, NIST SP 800-xx, PCI DSS 3.x, HIPAA, Gramm-Leach-Bliley (GLBA), and other compliance mandates are a major focus (and headache) for almost every law firm client. Law firms must not only understand their clients’ compliance requirements, they must also be aware of how those requirements flow down to the law firm itself.

In many industries (e.g., financial services and healthcare), regulated companies are explicitly required to ensure their third parties (including their legal counsel) are compliant with particular mandates. Law firms have been slow to recognize their role as a third party to their clients. In fact, in most third-party risk programs they are classified as a high-risk third party. The very nature of the relationship between counsel and client, in addition to the sensitivity of the data being shared between them, means that risk factors are numerous and significant to the security of both parties.

As the legal industry transforms from being relatively unregulated to falling under multiple sets of guidelines, law firms are being challenged by their clients to prove they have carefully deployed processes and technology to protect data and meet regulatory requirements. Law firms are seeing their contracts include the right to obtain compliance information. That may come in the form of a client questionnaire, or it may be a more extensive assessment or audit. Is your firm prepared to quickly and thoroughly respond to such inquiries? How much time are you spending on compliance-related activities? Are policies, records, security controls, and audit processes aligned, regularly reviewed, and visible across your organization? Do you have an incident response plan or team in place, and has it been exercised? Weak answers to these questions may not only cost you current and prospective clients; they may also indicate that your firm is carrying an unacceptable level of risk and exposing your clients to those threats as well.

If these questions leave you feeling queasy, you need to take a closer look at your governance, risk management, and compliance (GRC) program. Many firms have not yet developed the internal infrastructure and mature business processes necessary to meet heightened standards of security and compliance. As client and regulator scrutiny of IT infrastructure, data security, and email policies intensifies, traditional approaches will quickly prove insufficient. Many firms still rely heavily on physical documents, spreadsheets, and shared drives. They need to integrate and automate GRC activities and documentation across the enterprise. GRC technology solutions enable law firms to efficiently and effectively manage their compliance, risk management, and governance programs, allowing them to streamline client audits, mitigate organizational risk, and demonstrate due diligence in security and privacy measures.

It is important for law firms to demonstrate compliance by establishing processes that meet appropriate standards and satisfy their clients’ risk needs and mandates, which includes securing sensitive data. This data and the trust between counsel and client are the most important assets of any law firm. If the data is compromised and the law firm is not fully prepared to respond quickly and effectively, much is at stake: client trust, firm reputation, and future business development. If a firm is found to be negligent, lawsuits, fines, and penalties may result.

Efficient GRC solutions streamline the myriad tasks involved in maintaining a compliant data security program that will satisfy the requirements of multiple clients. These solutions can also help identify the interconnections between different tasks and help the organization realize the benefits of those interconnections: when a single control is mapped to every requirement it satisfies, one piece of evidence can answer many clients’ questionnaires. Continually updated content libraries house all the relevant regulations, standards frameworks, statutes, and even international privacy laws. These rules are then mapped to internal controls, which are in turn mapped to internal policies, risks, and related technologies (workstations, mobile phones, etc.). When organizations use practices like this to manage their compliance and risk management efforts, they can easily conduct enterprise-wide policy reviews and gap analyses, then route the resulting issues into workflows for remediation or further analysis. Every step is documented, including member or associate sign-off that communications and training on policies and security awareness have been completed.

In complex, data-sensitive environments like law firms, an integrated, analytics-driven approach is the only way to gain enough visibility and insight to prepare for audits, client assessments, cyber attacks, internal breaches, and unforeseen business changes (pending reforms, geopolitics, mergers and acquisitions, and more). Using a comprehensive framework, routine and exception processes and workflows can be automated and tracked. Incident response plans can be continuously tested, optimized, and recorded. Repositories of client compliance questionnaires make it easy to document and recall answers and solutions for future clients, ensuring continuity in the event of staff turnover or mergers. Firms can respond more quickly and accurately to a variety of client inquiries, and the creation of reports proving compliance becomes streamlined, repeatable, and accessible to all approved contributors.

Cyber security, data privacy, and regulatory compliance are interdependent, and all are essential to risk management. This includes the risk introduced by insiders’ behavior: employees are often the entry point, whether through stolen or misused credentials, phishing attacks that lead to data breaches, or simple human error that exposes sensitive data. Strengthening policy, procedure, awareness, and practice in these areas helps address security needs for law firms and their clients, and it also invigorates the entire organization by easing collaboration, building a culture of accountability, and keeping resources focused on core projects. Clients are increasingly rejecting counsel that cannot demonstrate adherence to compliance mandates or that have inefficient, ineffective (and costly) compliance programs.

As I saw in New York, the legal industry is clearly interested in making some forms of compliance (e-discovery, document management, etc.) more cost-effective and impactful for clients. There is no reason to believe that the legal community would not be interested in an expanded view of technology and security compliance that reaches beyond daily legal interactions. Stringing together manual processes and calling it a compliance program is going to become increasingly unacceptable to clients, suppliers, and insurance companies. Taking a more proactive, holistic approach will help your firm stay competitive, avoid the consequences of non-compliance, and earn the lasting trust of clients.