by Judy Selby - BDO USA
on April 06, 2017
Cyber Security & Data Privacy
Legal & Industry Education
Slowly but surely, law firms and e-discovery service providers are beginning to tackle cybersecurity risks. Firms are starting to appreciate that they're susceptible to the same privacy and data security concerns as other businesses and, as aggregators of confidential, protected, and sensitive data, they’re a high-value target for cyber criminals.
Nevertheless, many firms still consider cybersecurity a "should have someday"—as opposed to a "must have today"—goal. New York's Department of Financial Services (DFS), the state's financial regulator, has recently changed that thinking.
On March 1, 2017, DFS adopted the first-in-nation cybersecurity regulation. It requires banks, insurance companies, and other "covered entities" to "establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State's financial services industry." That also means stricter requirements for the firms that serve those New York covered entities, wherever those firms are based.
Among the most onerous requirements in the new regulation are those related to third-party service providers, which the regulation defines by what an organization does for a covered entity: it is not an affiliate of the covered entity, it provides services to the covered entity, and it maintains, processes, or is otherwise permitted access to nonpublic information in providing those services.
Although law firms may not consider themselves "service providers," many firms fall squarely within this definition in connection with their representation of covered entities.
The regulation as adopted contains rigorous requirements related to the cybersecurity risk profile of service providers. It requires covered entities to develop written policies and procedures, identify the risks their service providers pose, conduct periodic risk assessments of those providers, and implement due diligence processes to guard against service provider cyber risks.
Although the deadline for compliance with the third-party service provider section of New York's new regulation is March 1, 2019, firms that provide relevant services to covered entities should take immediate steps, starting with a risk assessment, to ensure that they have adequately addressed the issues raised in the new regulation, particularly Section 500.11, which specifies what a covered entity's written policies and procedures for its third-party service providers must address. Those policies drive the questions a covered entity will put to its providers.
Additionally, firms outside of New York would be wise to pay close attention to how these regulations come into play and are enforced. Onlookers and experts from the legal and technology communities are already speculating that other states will follow suit before long.
How to begin? Guidance from an earlier post on The Relativity Blog still stands.
Requirements of Section 500.11 aside, covered entities will be under tremendous pressure to meet their compliance obligations under the new regulation in a timely fashion. Service providers that cannot demonstrate strong cybersecurity practices will only add to that pressure and put timely compliance at risk.
When deciding which firms to retain, covered entities will favor those that reduce their burden of complying with Section 500.11 and the regulation as a whole. Firms that aren't ready for the new regulation may therefore find themselves out in the cold and ineligible to provide services to covered entities.
Now is the perfect time to become part of the cybersecurity solution—not the problem.
Judy Selby is a managing director at BDO USA, where she provides strategic advice to companies concerning cybersecurity, privacy, and insurance.