Would you take a deposition by solely following a template of standard questions, without assessing the unique issues and circumstances of the case? Or conduct transaction due diligence by simply marching though a generic punch list, without assessing the unique aspects of the company, the deal, and the industry? Of course not. Your law firm’s data security posture is no different – you need a security risk assessment to understand your firm’s unique vulnerabilities to security threats, and to identify which security controls are already adequate for your firm and which other safeguards are needed.
But assessing security risks is more than merely a good idea. Conducting a security risk assessment is also a compliance requirement under virtually every U.S. regulatory data security regime and security standard. Some of these risk assessment requirements apply directly to lawyers and firms, such as rules of professional conduct and, for firms that are business associates of HIPAA covered entities, the HIPAA Security Standards. Other such laws directly govern the firm’s clients, which in turn increasingly require them of their law firms as service providers. And taken together, these statutes, regulations, and standards requiring security risk assessments have coalesced into general expectations for what constitutes reasonable data security.
Lawyer Rules of Professional Conduct
Model Rule 1.6, Confidentiality of Information, requires that a “lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Rule 1.6(c). Comment 18 to the Rule sets forth risk assessment factors for determining what safeguards meet this reasonableness test, including “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients ….”
Law Firms as HIPAA Business Associates
Law firms that are business associates of HIPAA covered entities are subject to the HIPAA Security Standards, which govern the safeguarding of electronic protected health information (ePHI). Under the HIPAA Security Standards, covered entities and business associates must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate,” and must “[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level ….” 45 C.F.R. § 164.308(a)(1)(ii)(A) & (B).
Gramm-Leach-Bliley Act Safeguards Rules
The Gramm-Leach-Bliley Act (GLBA) requires that financial institutions protect the security and confidentiality of their customers’ nonpublic personal information. Though lawyers are generally exempt from direct regulation under GLBA, many law firms are service providers to the various types of regulated financial institutions. The FTC’s Safeguards Standards under GLBA require that financial institutions “[i]dentify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.” 16 C.F.R. § 314.4(b). The Interagency Guidelines of other GLBA functional regulators follow suit. See, e.g., 12 C.F.R. Part 30 Appendix B.
FTC Data Security Enforcement Under FTC Act Section 5
The FTC brings data security enforcement actions under Section 5 of the FTC Act, which forbids unfair or deceptive trade practices. The FTC commonly alleges that the failure to “perform assessments to identify reasonably foreseeable risks to the security, integrity, and confidentiality of consumers’ personal information” violates Section 5. And FTC consent orders routinely require the “identification of material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of [customer personal] information, and the assessment of the sufficiency of any safeguards in place to control the risks.”
State Data Security Laws
Various states have laws that, beyond breach notification, affirmatively require companies possessing protected personal information of state residents to establish reasonable security safeguards based upon a security risk assessment. For example, the Massachusetts PII Protection Standards mandate that such companies have a comprehensive information security program that includes “[i]dentifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks …. ” 201 CMR 17.03(2)(b). Oregon’s statute provides that a deemed-compliant security program includes “[i]dentifying reasonably foreseeable internal and external risks’ and “[a]ssessing whether existing safeguards adequately control the identified risks ….” OR. REV. STAT. § 646A622(2)(d)(A)(ii) & (iii).
Industry-specific state regulations also mandate security risk assessments. For example, the New York Division of Financial Services’ cybersecurity regulation requires financial services entities to conduct a periodic security risk assessment, considering “the particular risks of the Covered Entity’s business operations related to cybersecurity, Nonpublic Information collected or stored, Information Systems utilized and the availability and effectiveness of controls to protect Nonpublic Information and Information Systems.” 23 NYCRR § 500.09(a).
Various security standards also make risk assessments an essential element of information security programs. The NIST Cybersecurity Framework places security risk assessment at center stage through a process in which “Asset vulnerabilities are identified and documented … Threat and vulnerability information is received from information sharing forums and sources … Threats, both internal and external, are identified and documented … Potential business impacts and likelihoods are identified … Threats, vulnerabilities, likelihoods, and impacts are used to determine risk … [and] Risk responses are identified and prioritized.” NIST Cybersecurity Framework v.1.0, Framework Core, Identify Function, Risk Assessment Category. And the ISO 27000 Series, comprised of international standards for information security management systems, has a dedicated standard for security risk assessment and management. ISO 27005.
Statutes, regulations, and standards such as the above consistently establish security risk assessment as the foundation of effective information security. So yes, conducting a security risk assessment is more than merely a good idea – it’s commonly a compliance requirement.
And why are security risk assessments so consistently and widely required? That’s easy. It’s because they’re a good idea.