What North American law firms need to know about the GDPR

Law firms arguably hold more sensitive data than any other type of business. After all, it’s not only their corporate data they need to account for, but also that of their clients. Files and servers contain intellectual property information, financial information, personal data, litigation strategies, and other legally privileged data, and there would be serious and immediate damages if any of it was leaked.

It is therefore no surprise that crooks often target law firms for cyber attacks. One report estimates that one in five law firms were hacked last year.

But targeted attacks are only one part of the information security equation. Organizations need to prepare for any incident in which data can be compromised, and that includes accidental or malicious loss, destruction, alteration, or access.

They also need to make sure that personal data is collected and stored in line with regulatory requirements. This is something many organizations have reassessed following the introduction of the EU GDPR (General Data Protection Regulation).

Why the GDPR matters

The GDPR has been in effect for six months, but many organizations still don’t realize that they are within its scope, and an even greater number don’t appreciate how important compliance is.

Earlier this year, the National Law Journal wrote that lawyers in the U.S. knew about the Regulation “in the same way that a child knows about the boogeyman. They know it’s out there, and they know it’s scary – but when you get down to specifics, things get hazy fast.”

To clarify: The GDPR may be an EU law, but it doesn’t have geographical borders. Rather, it applies wherever EU residents’ personal data is collected. Many organizations collect such data, meaning the Regulation has a significant presence in the U.S.

As a result, there will be plenty of people seeking legal advice on compliance. This might come in the form of guidance specifically aimed at compliance measures or ensuring that business practices don’t infringe upon the Regulation’s requirements.

Thinking long term

The GDPR is only the beginning when it comes to data protection regulatory reform. The Regulation has become the global standard for information privacy and security, and its influence is already apparent in the U.S.

California and Ohio recently passed data protection bills that borrow from the GDPR, and the NYDFS (New York Department of Financial Services) Cybersecurity Requirements, which is comparable to the GDPR in detail, takes effect on March 1, 2019.

Register for our webinar

Webinar: How can law firms tackle information security with data protection laws?

To learn more about this topic, register for our webinar “ISO 27001 and GDPR: How can law firms tackle information security in conjunction with data protection laws?”

This webinar will cover:

  • How ISO 27001, the international standard for information security, can help organizations comply with the GDPR
  • How organizations can identify the risks associated with data breaches
  • The GDPR’s breach reporting requirements
  • How to mitigate risks presented by suppliers that have access to personal data
  • Why organizations must conduct a data flow mapping exercise

This webinar takes place on Tuesday, December 11, 2018, at 1:00 pm (EST). If you can’t make it, the presentation will be available to download from our website, where you can also view our past webinars.

Get #BreachReady

You can discover how to prepare for a data breach by visiting our #BreachReady page. We break the process down into six simple steps and recommend tools and services you can use to complete each task.
