Data protection requirements US law firms must comply with

September 14th, 2022
Law firms typically handle sensitive data like intellectual property, personally identifiable information, corporate strategies, financial reports, and business transaction information. That's why cybercriminals love targeting law firms. It's therefore the responsibility of law firms to protect their clients' data, and this involves complying with certain data security regulations. Failure to do so can result in hefty penalties and other related losses.

In this blog post, we'll discuss the various data protection requirements that New York and other US-based law firms must comply with.

ABA Formal Opinions 477R and 483

The American Bar Association (ABA) Formal Opinion 477R tackles a lawyer's ethical obligations to secure the transmission of confidential client information over the internet, such as via email or file hosting services. It requires lawyers to make a reasonable effort to secure client data on a case-by-case basis based on factors like the sensitivity of the information and the likelihood of disclosure if additional safeguards are not implemented.

ABA Formal Opinion 477R lists seven concrete steps lawyers must take to make a reasonable effort. These include identifying confidential client records, training staff on information security, and properly vetting their IT providers.

ABA Formal Opinion 483, on the other hand, outlines the reasonable steps lawyers should take after a data breach, such as notifying past and current clients affected by the breach and mitigating the damage resulting from the breach.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a set of security standards that aim to safeguard cardholders' information. It applies to any organization that deals with credit card data, such as law firms that take payments from clients via credit cards.

Covered entities are required to meet PCI DSS’s 12 requirements, which fall into six categories:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a federal law that requires covered entities (e.g., healthcare companies) and business associates to maintain the confidentiality of protected health information (PHI). A law firm can be deemed a business associate if it carries out legal services that involve PHI for a covered entity or another business associate. For example, law firms that work with healthcare providers on health insurance fraud cases are subject to HIPAA compliance requirements.

As business associates, law firms must comply with the same requirements as covered entities. This includes implementing administrative, physical, and technical safeguards to protect PHI. For example, law firms can conduct employee security awareness training, install alarms and locks in areas where PHI is stored, and enforce data encryption, among other measures.

Moreover, business associates must execute a business associate agreement with any covered entity or other business associates they work with. Should law firms experience any cyber incident that affects their clients, they must promptly notify their clients and cooperate with the necessary compliance investigations.

Stop Hacks and Improve Electronic Data (SHIELD) Security Act

The SHIELD Act is a data security law that applies to companies that conduct business in New York and those that collect the private data of New York residents. It requires these businesses to implement administrative, physical, and technical safeguards to protect this data from unauthorized access and disclosure. Examples of such safeguards include designating a security program coordinator, properly erasing private information on electronic media, and conducting IT risk assessments.

Should businesses suffer a data breach that results in the exposure of New York residents' private data, they are required to notify these residents.

These are just some of the data protection requirements that law firms must comply with. There may be more depending on which industries you work with and the states you operate in. To ensure your law firm’s compliance with all necessary data security requirements, work with the IT experts of Healthy IT. We specialize in providing IT services to law firms like yours. Book your FREE consultation today.