Lawton Brown spends his time focused on helping customers manage their IT security efficiently with XOGENT. That means he’s having real conversations every day about how data security can impact an organization. Here are some of his thoughts.
From a data security perspective, different industries are subject to different rules. If you are in the healthcare industry, then HIPAA compliance is top of mind. Financial industry? Gramm-Leach-Bliley and Sarbanes-Oxley. Data compliance does not stop at just these industries. We also see data compliance requirements based on your role. If you are a CPA, then you are handling financial data that may be subject to regulations depending on the industry of your client. Lawyer? There are ethical rules and considerations beyond just industry regulations. The list is long, and we could keep going.
You see our point. Depending on the industry or the category of information you need to protect, you might be subject to various types of data regulations. How can you protect yourself and your organization from missteps when it comes to data compliance? Beyond being fined heavily, you could also be sued by an organization for a data breach. These are scenarios you want to avoid.
Let’s Talk Specifically About Lawyers
We’ve seen lawyers sued for breaching their duty of confidentiality when data is stolen or otherwise exposed due to a lack of compliance. In most states, lawyers are subject to ethical penalties for a data breach, which opens up the possibility of disbarment, censure, or financial penalties for failing to protect their clients’ data. The questions that every firm should ask are:
How do I protect myself from these types of scenarios?
How do I know my firm is doing what we should in order to properly protect client data?
Building Your Cybersecurity Framework
Fortunately, there are several standards that can be used to build your cybersecurity framework. And “cybersecurity framework” is exactly the term you want to use when talking about making sure your data is protected and your practices are compliant. For example, the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) both provide comprehensive guidelines to help maintain data security. These organizations effectively provide policies that govern how we maintain, store, and transmit data. If your organization is following either one of these frameworks, it decreases the likelihood of a data breach significantly.
There are many other regulations out there, all with the same objective: to protect the consumer’s data. From HIPAA to the CCPA in California, or even the GDPR, with a proper cybersecurity framework you can rest easy knowing that your organization has the right practices in place.
You Might Already Be Required
Many organizations today have cybersecurity insurance policies. If you don't have a cybersecurity insurance policy, then it’s safe to say you desperately need one. That’s not meant to be a critical statement about your organizational planning. It’s important because your normal errors and omissions policy stopped covering cybersecurity in 2014. Likewise, your general liability policy does not cover cybersecurity events either. You need specialized cybersecurity insurance, which will require that you take reasonable steps to secure your data. If you're not taking reasonable steps to secure your data, you can be disqualified under the policy. That is not an onerous requirement: all it takes is a commitment to securing your data, and fortunately a roadmap already exists in a cybersecurity framework.