Last Updated on January 2, 2019
Legal firms are no strangers to regulations. But cybersecurity regulations coming from the American Bar Association (ABA)… that is a new one.
The truth is, this has been coming for some time. Industry-specific regulations on privacy and cybersecurity are popping up almost monthly. With all the sensitive information legal firms manage, something resembling Opinion 483 was a foregone conclusion.
What is Opinion 483?
If your law firm has a robust information security program, the sections of Opinion 483 should look familiar to you. If your firm is ISO 27001 certified, has a SOC 2 attestation, aligns with a framework like NIST, or has faced complying with GDPR, terminology like “breach notification” and “risk assessment” are already in your wheelhouse.
The best summary I have read so far of ABA Opinion 483 is this:
“…a lawyer must take reasonable steps to monitor for a data breach, to stop it when it happens, to restore the systems after a breach, to determine what occurred, and to provide notice of the breach if it materially affects the lawyer’s ability to represent the client.”
These breach notification requirements ride on the back of needing an effective information security management system (ISMS).
ABA Opinion 483’s “Best Practices”
If you look at the ABA’s recommendations to lawyers and law firms, it’s basically the format ISO 27001 recommends for an information risk management program. Opinion 483 calls these “best practices”:
- Assess risks.
- Identify and implement appropriate security measures responsive to those risks.
- Verify the measures are effectively implemented.
- Ensure they are continually updated in response to new developments.
What are the key takeaways from ABA Opinion 483 for legal firms?
- If you already have an effective ISMS in place, you are probably >80% in compliance with Opinion 483. Key areas to focus on may include your breach monitoring, notification capabilities, and incident response plan. Those are areas where we often find legal firms need to place added attention.
- If you are currently working toward building an information security management system, great! You are in an ideal place to incorporate Opinion 483 into your regulatory requirements and scope. You can certainly save time and money by not having to re-examine Opinion 483 once your program is complete.
- If you are not working toward an effective information security management system and are unsure where to start, that’s okay too! Opinion 483 just means the time has officially come to begin.
Have any specific questions about ABA Opinion 483 that you would like a legal industry-savvy information security expert to answer? If so, we are here to help. Email us at info@pivotpointsecurity or fill out our simple contact form. We’ll get you a spot on an expert’s calendar right away!