Bench & Bar

JAN 2018

The Bench & Bar magazine is published to provide members of the KBA with information that will increase their knowledge of the law, improve the practice of law, and assist in improving the quality of legal services for the citizenry.

Issue link: https://kentuckybenchandbar.epubxp.com/i/931763


JANUARY/FEBRUARY 2018

FUTURE OF LAW PRACTICE

VETTING IT VENDORS 101

BY: JEFF SALLEE

As an Information Security professional and a lawyer, solo practitioners and small firms often ask me "How do I vet an IT vendor." The word is spreading that we need to supervise our vendors and vetting is step one. The Law Practice Task Force provided a KLU session [1] this year on technology and our ethical responsibilities. If you missed it, please review the material on the KBA site.

WHY LAWYERS NEED TO UNDERSTAND TECHNOLOGY

Kentucky Ethics Opinion E-437 [2] clearly requires us to properly supervise cloud providers. Kentucky is adopting most of the ABA's Comment 8 to Model Rule 1.1, requiring lawyers to keep abreast of changes in technology. SCR 3.130(5.3) [3] requires lawyers to make reasonable efforts to ensure the nonlawyer's conduct is compatible with the professional obligations of the lawyer. Finally, the ABA's Formal Opinion 477 [4] details the need for due diligence on a lawyer's IT vendors.

With an increasing number of regulations, law firms are in scope as third parties. Our clients have a duty to ensure their data and that of the clients are protected. Larger law firms should have an information security specialist on staff to vet vendors and to respond to the increasing security demands from clients. Smaller firms have a big challenge. What questions should we ask, and how can we tell if the answers are sufficient?

SECURITY FUNDAMENTALS

The National Institutes of Standards and Technologies (NIST) Cybersecurity Framework (CSF) [5] is a great starting point for looking at security needs. It describes the core areas of focus for all information security vetting.

IDENTIFICATION. You must know what needs protection, and have the administrative will to protect it, before you can do much more in security.

PROTECT. This is all the hardware, software, and work processes in place to keep the data in your care properly protected.

DETECT. Protections will fail. The next line of defense is to know when they fail and what is happening.

RESPOND. Once you know what is happening, what are your plans to deal with the incident?

RECOVER. Once the incident is resolved, how do you get back to business?

WHAT IS THE RIGHT LEVEL OF SECURITY?

The level of security you need is a reflection of your risk tolerance, your areas of practice, and the clients you serve. Information Security regulations vary by industry and are not uniform. As a third party, you could be subject to regulations you are not aware of today.

Keep two key concepts in mind when evaluating vendors. First, you get what you pay for. Second, be certain that you are paying for what you need. When vetting an IT vendor, pay attention to the details. There are different service levels and price points for those services. Know what is in the contract and what is possible. Just because one firm configured Amazon Web Services to host sensitive data does not mean every instance has the same protections.
