Would you take a deposition by solely following a template of standard questions, without assessing the unique issues and circumstances of the case? Or conduct transaction due diligence by simply marching through a generic punch list, without assessing the unique aspects of the company, the deal, and the industry? Of course not. Your law firm’s data security posture is no different: you need a security risk assessment to understand your firm’s unique vulnerabilities to security threats, and to identify which security controls are already adequate for your firm and which other safeguards are needed.
But assessing security risks is more than merely a good idea. Conducting a security risk assessment is also a compliance requirement under virtually every U.S. regulatory data security regime and security standard. Some of these risk assessment requirements apply directly to lawyers and firms, such as rules of professional conduct and, for firms that are business associates of HIPAA covered entities, the HIPAA Security Standards. Other such laws directly govern the firm’s clients, which in turn increasingly require the same assessments of their law firms as service providers. Taken together, these statutes, regulations, and standards requiring security risk assessments have coalesced into general expectations for what constitutes reasonable data security.