NIST: Cybersecurity Standards in the Legal Field

Legal services rely significantly on knowledge and information. In addition, the attorney-client relationship cannot exist without confidentiality and privacy. 

For these reasons, the protection of sensitive communications and information is paramount to the legal profession.

In fact, according to a recent ABA Legal Technology Survey Report, 30.7% of all law firms and 62.8% of firms with 500 lawyers or more reported that current or potential clients made specific security requirements a part of their client agreements.

Other law firms reported that corporate clients wanted access to the cybersecurity plans and prevention procedures implemented by the firms.

To better protect sensitive information and maintain privacy in an increasingly digital world, lawyers should know about and law firms should implement cybersecurity standards that are appropriate for the needs of their practice.

This article will address one such set of cybersecurity standards established and maintained by the National Institute of Standards and Technology (NIST).

Cybersecurity Threats

Many recent articles have documented the significant extent to which law firms are a prime target for cyber attack because they “house some of the world’s most valuable secrets.” Everything from trade secrets, to sensitive “market moving” information about a company’s finances, to healthcare information, and other sensitive non-public information occupies a law firm’s servers and data centers.

Due to the looming threat posed by cyber-crooks who would want to profit from that sensitive non-public information, performing a risk assessment is a law firm’s important first step towards improved cybersecurity. The risk assessment should follow the frameworks and standards established by at least one of the many cybersecurity authorities and institutions.

Federal Regulations

The cybersecurity practices of law firms are not directly regulated by the federal government. However, the specific nature of the legal work performed by lawyers in a law firm, and the varied needs of clients in specific industries that are subject to cybersecurity regulation by the federal government, make the delineation murkier.

For example, healthcare organizations (1996 Health Insurance Portability and Accountability Act (HIPAA)), financial institutions (1999 Gramm-Leach-Bliley Act), and federal agencies (Federal Information Security Modernization Act of 2014 (FISMA 2014)) are all required to establish and maintain strict processes and procedures to safeguard certain types of information.

Because the protected information may be transferred or made available to a lawyer as part of the lawyer’s representation, lawyers and law firms that regularly represent subject entities may in turn be required to comply with the same or similar cybersecurity standards.

State Regulations

Even for lawyers who do not represent entities that are subject to federal cybersecurity regulations, all American lawyers are subject to state regulation and disciplinary authority. Many states, along with the American Bar Association, have issued rules or advisory opinions relating to the cybersecurity obligations of lawyers and law firms.

For example, Formal Opinion 477R, which was recently issued by the ABA Standing Committee on Ethics and Professional Responsibility, “explained a lawyer’s ethical responsibility to use reasonable efforts when communicating client confidential information using the Internet.”  In addition, the same Standing Committee issued Formal Opinion 483, providing new guidance “on an attorney’s ethical obligations after a data breach.”

Under the ABA’s Formal Opinion 477R, “[a] lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information.” In addition, Formal Opinion 477R notes, “[l]awyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters.”

The ABA Formal Opinion has been implemented in most states.

For example, in California, attorneys will be deemed to have violated their duties of confidentiality and competence if they fail to take the proper precautions to protect client data.

Similarly, in Florida, “[l]awyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained, that the service provider maintains adequate security, and that the lawyer has adequate access to the information stored remotely,” and “[t]he lawyer should research the service provider to be used.”

In sum, under these Formal Opinions and similar guidance from various states, attorneys must exercise “reasonable efforts” to prevent “inadvertent or unauthorized” disclosure and access to client information, including by staying up to date on technological developments and threats.

For this reason alone, ignoring the realities of digital threats will expose your firm and clients to potentially significant liabilities.

What is NIST?

One of the most prevalent cybersecurity regimes, at least in the United States, is the one promulgated by the National Institute of Standards and Technology (NIST).

NIST provides some of the most comprehensive standards and guidelines in the field. Essentially, the NIST standards are those that are used and endorsed by the United States federal government.

The comprehensiveness and reliability of the NIST cybersecurity frameworks and standards arise from the fact that they are less a mere thought exercise and more a compilation of best practices drawn from various security documents, organizations and publications.

Because cybersecurity is an ever-evolving concern, simply drafting a document of best practices is insufficient. Therefore, NIST’s Special Publication 800 series on cybersecurity is regularly updated to keep its standards as current as possible.

NIST SP 800 is a series of documents that not only detail cyberthreat prevention practices, but also consider and showcase feasibility and cost-effectiveness of the suggested standards.

Although these standards are voluntary, maintenance and implementation of the standards would likely stave off or at least help prevent liability in the event of a data security breach.

Compliance with the NIST SP 800 series is not as intimidating as it may first appear. For instance, NIST 800-171 covers the secure sharing of information. Federal Computer Week boils compliance with NIST 800-171 down to seven essential steps.

Adjusting the language of the guidelines away from government specific applications, and to suit the needs of law firms, gives you the following list:

  1. Identify systems that contain sensitive information
  2. Separate sensitive information from more benign information
  3. Limit access to sensitive information to authorized employees only
  4. Encrypt all data, including sensitive information
  5. Monitor access to sensitive information
  6. Regularly train and retrain employees on cybersecurity best practices
  7. Regularly conduct security assessments of all systems

Although a more detailed examination may be required by some law firms whose needs are greater, many law firms would be well served by at least implementing, and then regularly refreshing, the simplified list above.

Conclusion

The practical benefits of advancing technology are becoming increasingly clear. For example, automation is easing the burden of time-intensive and repetitive tasks like billing and research.

As helpful as automation and other applications can be, if the applications do not comply with cybersecurity best practices, they become security risks in and of themselves. Stated differently, non-compliant legal applications can be more trouble than they are worth.

Choosing legal apps that themselves comply with NIST or other well-established cybersecurity standards is a prudent step toward maintaining digital protection.