make a good business better

Resource Center better insights

Print Divider Print Divider Branding

Practice Tips: Risk

11/01/2014  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security


Social Logo Social Logo Social Logo Social Logo

As featured in DICTA.

The expectation of confidentiality between lawyer and client is so fundamental that some clients may never ask about it; they just assume it.

But in an age in which computer data breaches are in the news every day, others may be questioning their assumptions – and perhaps with some justification.

About 15% of respondents to a 2013 American Bar Association Legal Technology Survey reported that their law firms had experienced a data security breach at some point. The survey also documented that a substantial proportion of firms were allowing unsafe computing practices. For example, 34% of respondents reported that their firms allowed them to connect their personal mobile devices to the firms network without restriction. Should a personal device be lost or stolen, this is big risk in terms of a potential breach of firm or client data and also could provide a platform to launch attacks on the organization’s network.

It’s easy to see that information like this could cause clients to ask some serious questions about confidentiality. As a result, lawyers may want to rethink not only what kind of data security they provide but also how they are communicating their ability to assure that security. It’s one thing to assure clients that your information security program is strong and based on industry standards. It’s another to be able to provide evidence. That’s where service organization control (SOC) reports come in.

SOC reports provide a common framework for independent security auditors to be able to attest that organizations entrusted with sensitive client data are in fact following appropriate information security practices.

SOC, which is a program of the American Institute of CPAs, came on the scene a few years ago as an evolution of a widely-used report called SAS 70 that focused on controls for financial data. With the increased variety of shared non-financial digital data, such as personal health information, it became evident that something new was needed. Hence SOC, which makes broader information security attestations more easily available to law firms and a wide variety of other professional service providers.

These written attestations can be extremely important to the success of a firm. Whether or not the firm’s clients are familiar with SOC reports, virtually all of them care – really care – about protecting their sensitive data. If you don’t acquaint them with SOC reports and provide one of your own, a competitor likely will.

Initiating an SOC review of your firm can also have internal benefits. Awareness that processes will be examined can motivate additional discipline and diligence in an internal security program, which will strengthen controls and reduce the likelihood of an embarrassing/expensive data breach. SOC comes in three varieties:

  • SOC 1, also known as SSAE 16 and similar to the SAS 70, examines organization-defined controls related to financial reporting, operations, and information technology.
  • SOC 2 and SOC 3 review controls that support system security, confidentiality, availability, processing integrity, and/or online privacy and how well they perform against criteria developed by the American Institute of CPAs.

The key difference between an SOC 2 report and an SOC 3 report is that the SOC 2 report is generally intended for internal use by a firm’s clients and contains a detailed description of the auditor’s tests of controls and results of those tests. There are also SOC 2 reporting options that allow mapping regulatory requirements such as HIPAA or FISMA to the controls tested in SOC 2 to make the report even more relevant in certain vertical markets like healthcare and government services.

An SOC 3 report is a general use report and provides only the auditor’s conclusion on whether the system achieved the criteria. Details about test procedures are not provided. A satisfactory SOC 3 report does permit the firm to use the SOC 3 seal on its website.

Firms should know that the extent and quality of SOC reports can vary significantly based on the experience and expertise of an auditor identifying, testing and reporting on the types of controls important to that particular firm’s clients.

With information security breaches on the rise, an SOC audit can provide peace of mind not only to a law firm’s clients but to the lawyers themselves.