At Dell SecureWorks, we have been talking to (and signing on) a lot of law firms lately. Attacks on law firms have ramped up as their clients have gotten better at protecting themselves and the bad guys have gone after the firms those clients work with instead. While law firms aren't regulated, a lawyer or firm is still required to use, and be able to demonstrate, "reasonable care" in protecting and maintaining its clients' confidential information.
I asked Dell SecureWorks' lead legal counsel what the implications of that are for law firms. His response:
"In the rapidly changing realm of IT security, the decisions as to what specific courses of action (or related fact patterns) demonstrated 'reasonable care,' and those that fell below this standard, will also be rapidly developing. Many opinions addressing 'reasonable care' are not published and, therefore, do not become part of the body of researchable law to which a firm or lawyer could look for guidance."
"And, even if the protective measure in question has been addressed in the 'law' before - e.g., means of destruction of client records, the manner in which emails are sent to and from clients, etc. - the facts underlying the relationship and communications between the lawyer and client related to the sensitive nature of the information as well as the protective measure will be examined on a one-off basis to determine 'reasonableness.' Firms and lawyers, therefore, exercise (or should exercise) a high degree of caution and prudence to ensure meeting the 'reasonable care' standard beyond what they believe a judge or jury would deem 'reasonable.'"
In layman's terms, law firms need to stay ahead of the curve so that if their actions are ever judged, they can be confident those actions will be deemed "reasonable."
My question for all you law firm security leaders: how do you stay ahead of the curve? What resources, feeds, training, and certifications do you use? And what are you missing that you need?