Compliance in the Legal Sector: Laws & How to Comply

  • 16 September 2020

Thanks to digital transformation and increasingly strict data security obligations, law firms’ business priorities are changing. Today, data protection, transparency, and privacy are top-of-mind.

It makes sense. 

Keep reading to find out…

  1. Why the legal sector is bound to such strict compliance standards
  2. Which regulations govern law firms
  3. How cybersecurity can help ensure compliance

Interested in learning more about regional compliance standards or those that impact other industries? Check out our Compliance Hub to find articles, tips, guides, and more.


Why is the legal sector bound to strict compliance standards?

Lawyers’ hard drives, email accounts, and smartphones can contain anything from sensitive intellectual property and trade secrets to the Personally Identifiable Information (PII) of clients. 

Unfortunately, hackers and cybercriminals are all too aware of this. It’s no surprise, then, that the legal sector is amongst the most targeted by social engineering attacks like spear phishing. Ransomware is a big problem, too. In fact, just a few months ago, Grubman Shire Meiselas & Sacks, a prominent media law firm, had its client information compromised. 

Those behind the attack later threatened to auction some of these files concerning major celebrities for as much as $1.5 million unless the firm paid a $42 million ransom. 

But, it’s not just inbound attacks that law firms have to worry about. Because the legal sector is highly competitive, incidents involving Insider Threats are a concern, too. 

96% of IT leaders working in the legal sector say they’re worried that someone within the organization will cause a breach, either accidentally (via a misdirected email, for example) or maliciously. 

The regulations governing law firms

When it comes to data protection and privacy, the legal sector is subject to a relatively strict regulatory framework both under the law and rules imposed by professional bodies. Depending on where a firm is based and what its practice areas are, it can be subject to several stringent laws and regulations. This is especially true for firms operating in major markets like the United States, the United Kingdom, and the European Union.

In this article, we’ll focus on some of the more general regulations and standards that all firms operating in these markets are expected to abide by.

General Data Protection Regulation (GDPR)

When the GDPR was introduced in 2018, it represented the largest change to data protection legislation in almost two decades. It also contains some of the most thorough compliance obligations for law firms and indeed any other entity that collects, stores, and processes data.

The GDPR has been designed to help and guide organizations with a legitimate business interest as to how personal data should be handled and gives regulators the power to impose large fines on firms that aren’t compliant. 

You can read more about the largest GDPR fines (so far) in 2020 on our blog.

What is the GDPR’s purpose?

The GDPR was introduced amid growing concerns surrounding the safety of personal data and the need to protect it from hackers, cybercrime, Insider Threats, unethical use, and the growing attack surface. 

Essentially, it gives citizens full and complete control of their data, subject to some restrictions (for example, where data must be held by firms by law). 

What is the scope of the GDPR?

The legislation regulates the use of ‘personal data’ and applies to all organizations located within the EU, as well as organizations outside the EU who offer their goods or services to EU citizens. It also applies to organizations that hold data pertaining to EU citizens, regardless of their location. 

What should law firms know about the GDPR?

The main part of the GDPR that law firms should be paying attention to is Article 5. 

This sets out the principles relating to the collection and processing of personal data. The six key principles are that personal data:

  1. Should be processed lawfully, fairly and in a transparent manner;
  2. Should only be collected for legitimate purposes;
  3. Should be limited to what’s necessary in relation to the purpose(s) for which it’s processed;
  4. Must be accurate and kept up to date, with any inaccurate data erased or rectified;
  5. Should not be held for longer than is necessary for its purposes; and
  6. Should be held with adequate security against theft, loss, and/or damage.

The GDPR also gives your clients the right to ask for their data to be removed (the ‘right to erasure’) without the need for any outside authorization. Note: Data can only be kept contrary to a client’s wishes to ensure compliance with other regulations.

What should a firm do in the event of a breach?

Before the GDPR, law firms could follow their own protocols when dealing with a data breach. But now, the GDPR forces firms to report any data breaches, no matter how big or small they are, to the relevant regulatory authority within 72 hours. In the UK, for example, the regulatory authority is the Information Commissioner’s Office (ICO).

The notification must contain:

  • Relevant details regarding the nature of the breach;
  • The approximate number of people impacted; and
  • Contact details of the firm’s Data Protection Officer (DPO).

Clients who have had their personal data compromised must also be notified of the breach, the potential outcome, and any remediation “without undue delay”.

It’s important to note that breaches aren’t always the result of malicious activity by an Insider Threat or a hacker outside the organization. Even accidents can result in breaches. In fact, misdirected emails (emails sent to the wrong person) have consistently been one of the most frequently reported incidents to the ICO.

That’s why it’s essential that law firms (and other organizations) have safeguards in place to prevent mistakes like these from happening. Looking for a solution? Tessian Guardian prevents misdirected emails in some of the world’s most prestigious law firms, including Dentons, Hill Dickinson, and Travers Smith.

What are the penalties for non-compliance?

Financial penalties imposed for GDPR violations can be harsh, and they often are; regulatory authorities are keen to highlight just how important the GDPR is and how seriously it should be taken. Fines for non-compliance can be as high as 4% of annual global turnover or €20 million—whichever is higher.

American Bar Association Rule 1.6

Rule 1.6 governs the confidentiality of client information. It states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Simply put, lawyers must make efforts to protect the data of their clients. 

Two years ago, the American Bar Association issued new guidance in the form of Formal Opinion 483. This covers the importance of data protection and how firms should act when, not if, a security breach happens. This wording demonstrates that the ABA recognizes that breaches are part and parcel of firms operating in the modern world, and the statistics confirm this. 

“According to the ABA’s most recent annual survey exploring tech use in the legal industry, 1 in 4 law firms experienced a security breach of some kind.”

In essence, Formal Opinion 483 states: 

  • Lawyers have a duty of competence in implementing adequate security measures regarding technology.
  • Lawyers must reasonably and continuously assess their systems, operating procedures, and plans for mitigating a breach.
  • In the event of a suspected or confirmed breach, lawyers must take steps to stop the attack and prevent any further loss of data.
  • When a breach is detected and confirmed, lawyers must inform their clients in a timely manner and with enough information for clients to make informed decisions. 

The bottom line: law firms must protect data with cybersecurity.

Solicitors Regulation Authority Code of Conduct

In the UK, solicitors are obliged under the Solicitors Regulation Authority (SRA) Code of Conduct to maintain effective systems and mitigate risks to client confidentiality and client money. Solicitors are also obliged to ensure their systems comply more broadly with the SRA’s other regulatory arrangements.

The SRA says that, although being hacked or falling victim to a data breach is not necessarily a failure to meet these requirements, firms should take proportionate steps to protect themselves and their clients while retaining the advantages of advanced IT. 

Where a report of cybercrime (note: crime, not a loss that takes place due to negligence) is received, the SRA takes a constructive approach in dealing with the firm, especially if the firm: 

  • Is proactive and immediately notifies the SRA.
  • Has taken steps to inform the client and, as a minimum, to make good any loss.
  • Shows they are taking steps to improve their systems and processes to reduce the risk of a similar incident happening again. 

That means that, under the SRA’s Code of Conduct, law firms should take steps to prevent inbound attacks like spear phishing and set up policies and processes that ensure swift reporting.

The good news is, Tessian can help with both inbound attacks and Insider Threats and has a history of successfully protecting law firms around the world from both. 

“A lot of our investment in recent years has been in security systems. Our investment into Tessian was part of the next step to ensure that our systems and client data remain secure.”
David Fazakerley, Chief Information Officer

How Tessian helps law firms stay compliant

Across all three of the regulations listed here, there’s one commonality: law firms are responsible for ensuring that their IT systems and processes are robust and secure enough to keep data safe and mitigate the chance of a breach taking place. 

But, that’s easier said than done, especially in our dynamic and digitally connected world where threats are ever-evolving. So, where should law firms start? Email.

90% of all data breaches start on email and it’s the threat vector IT leaders are most concerned about protecting. That’s why Tessian is focused on protecting this channel.

Across three solutions, Tessian detects and prevents threats using machine learning, which means it’s constantly adapting, without requiring maintenance from thinly-stretched security teams.

  1. Tessian Defender detects and prevents spear phishing
  2. Tessian Guardian detects and prevents accidental data loss via misdirected email
  3. Tessian Enforcer detects and prevents data exfiltration attempts from Insider Threats

Importantly, Tessian is non-disruptive. That way, partners, lawyers, and administrators can do their jobs without security getting in the way.

Tessian stops threats, not business. 

To learn more about how Tessian helps law firms like Dentons, Hill Dickinson, and Travers Smith protect data, maintain client trust, and satisfy compliance standards, talk to one of our experts.