Slowly but surely, law firms and e-discovery service providers are beginning to tackle cybersecurity risks. Firms are starting to appreciate that they're susceptible to the same privacy and data security concerns as other businesses and, as aggregators of confidential, protected, and sensitive data, they’re a high-value target for cyber criminals.
Nevertheless, many firms still consider cybersecurity a "should have someday"—as opposed to a "must have today"—goal. New York's Department of Financial Services (DFS), the state's financial regulator, has recently changed that thinking.
On March 1, 2017, DFS adopted the first-in-nation cybersecurity regulation. It requires banks, insurance companies, and other "covered entities" to "establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry." Meaning also: stricter requirements for the firms who serve those New York covered entities, wherever they may be based.
Demanding Requirements for “Service Providers”
Among the most onerous of the requirements in the new regulation are those related to organizations that:
- Provide services to covered entities, and
- Maintain, process, or otherwise are permitted access to nonpublic information through the provision of services to covered entities.
Although law firms may not consider themselves "service providers," many firms fall squarely within this definition in connection with their representation of covered entities.
The current proposed regulation contains rigorous requirements related to the cybersecurity risk profile of service providers and requires covered entities to develop written policies and procedures, identify risks, conduct periodic risk assessments of their service providers, and implement due diligence processes to guard against service provider cyber risks.
A Word to the Wise Firm: Start Now
Although the deadline for compliance with the third-party service provider section of New York’s new regulation is March 1, 2019, firms that provide relevant services to covered entities should take immediate steps, starting with a risk assessment, to ensure that they’ve adequately addressed the issues raised in the new regulation—particularly Section 500.11, which specifies what issues providers' written security policies should cover.
Additionally, firms outside of New York would be wise to pay close attention to how these regulations come into play and are enforced. Onlookers and experts from the legal and technology communities are already speculating that other states will follow suit before long.
How to begin? Guidance from an earlier post on The Relativity Blog still stands:
- Commission a Third-Party Assessment: Not using an outside expert may expose you to the risk of “not knowing what you don’t know.” A neutral party can benchmark your organization against industry standards and practices and provide a prioritized list of recommended actions. The recommendations can then be evaluated against your organization’s risk profile and budget to develop your action plan for compliance.
- Develop a Security Event Response Plan: A data breach can occur in any department across the company, and the early warning signs can be spotted by any employee. A plan that engages all departments—not just IT—and considers all exposure points will be far more effective in preventing, identifying, reporting, and containing a security event.
- Review Security and Privacy Training: New threats evolve, and standards for prevention and detection should mature accordingly. As this occurs, training materials should be refreshed and tailored to the job function of the employee so that employees can properly protect their data and use the most secure workflows.
…Or Risk Getting Left Behind
Requirements of Section 500.11 aside, covered entities will be under tremendous pressure to meet their compliance requirements under the new regulation in a timely fashion. Service providers of covered entities that don't have demonstrably strong cybersecurity practices will only add to that pressure and put timely compliance at risk.
Without a doubt, when deciding which firms to retain, covered entities are sure to favor those that will reduce their burden of complying with Section 500.11 and the regulation as a whole. Firms that aren't ready for the new regulation, therefore, may find themselves out in the cold and ineligible to provide services to covered entities.
Now is the perfect time to become part of the cybersecurity solution—not the problem.