
A perk of working for a law firm is learning about crazy laws and regulations. For instance, if you’re in Georgia, it’s illegal to keep a donkey in your bathtub. It’s also illegal to carry ice cream in your back pocket… on a Sunday. Along with these nutty laws, you’ll likely learn about compliance regulations other sectors need to follow, like HIPAA for healthcare fields and SOC 2 for the technical sector. It’s a good thing you’re in the legal field where those rules don’t apply… right?

In truth, the legal field is one of the most heavily monitored sectors. Lawyers handle a variety of different cases from different industries, so they need to be informed about a huge number of regulations. For instance, if your client’s in the healthcare field, suddenly, HIPAA matters. And if you’re working on a case involving finances, PCI is of utmost importance. Additionally, if your firm hires someone to handle your IT, that company also needs to understand and practice your firm’s compliance regulations.

With all of these rules and guidelines, we could probably create a course dedicated to legal compliance alone. But you already put in your time at law school, so we’ve summed it up for you instead:

What Data Does the Legal Field Handle?

Some basic compliance standards are important across all cases. For instance, when working with a client, a lawyer will likely receive that client's Social Security number. SSNs are considered PII, or personally identifiable information; to protect that client's PII, lawyers should follow the guidance published by NIST, the National Institute of Standards and Technology. NIST's guidance includes classifying PII by confidentiality impact level and maintaining an incident response plan for use in the event of a breach.

Along with NIST compliance, it’s important that members of the legal sector understand and abide by HIPAA. HIPAA isn’t just important when a client works for a healthcare company; it’s also important when handling personal injury cases. Additionally, HIPAA is a good standard to abide by for all your firm’s important files. It’s one of the most comprehensive compliance standards out there, which can only help when securing your information.

What Are Some Important Ways to Improve Compliance?

Compliance is about both big and small changes. Implementing safe website and email procedures is a lawyer's first step toward becoming cybersecure and compliant. Understanding and abiding by HIPAA, NIST, and SOC 2 all matter, but it is equally important that a law firm follows general cybersecurity best practices.

It's not uncommon for lawyers to share SSNs or wire transfer information, but such data is a prime target for phishing attacks. Additionally, passwords can be easily guessed, especially when strong passwords are not used. MFA, or multi-factor authentication, is a smart way to reduce the risk: a guessed or phished password alone is no longer enough to get into the account. Using long, random passphrases rather than short, predictable words will also help protect your files.

In some ways, a lawyer needs to understand a great deal about compliance. But in other ways, this matter of compliance is simple: the more secure you are, the more compliant you are. And the better you train your employees, the better they’ll become at identifying and preventing cyber attacks.

So really, these regulations aren't all that crazy—certainly not as crazy as the Bostonian law prohibiting you from taking a lion to the movies. In fact, we'd go so far as to say these regulations are key to keeping your firm and your clients protected, which makes them essential in our (law) book.