Legal Information Security


Cyber attacks, the HIPAA Omnibus rule, and a firm’s vendor risk management practices – these are the legal profession’s equivalent to lions, and tigers, and bears (oh my!). Protecting sensitive client data by ensuring that cyber defenses are capable of addressing evolving threats is integral to maintaining a firm’s standing and mitigating reputational and financial risk.

To protect information regarding clients’ pending deals and litigation, safeguard Patient Health Information integral to work products, and implement/prove industry best practices for information security, law firms are increasingly looking to leverage leading information security frameworks/certifications like SOC 2 and ISO 27001.


Diagnosis: Legal Information Security Risk Points

✔ Demonstrating compliance with the HIPAA Omnibus Rule to ensure that a violation of the principle of “least privilege” is addressed by internal risk assessment mechanisms to prevent it from escalating to breach notification and/or triggering CMS fines.

✔ Securing mobile devices (phones, tablets, laptops) and wireless networks necessary to support mobility and BYOD requirements.

✔ Demonstrating to increasingly vigilant clients that their sensitive data is being secured consistent with their requirements (e.g., penetration tests, Shared Assessments, SOC 2 Type I/II/III, ISO 27001).

✔ Protecting your Document Management System in a way that achieves the partners’ objectives.


A Prescription for Law Firm CIO Pain

Addressing the unique challenges of legal information security requires a unique and flexible approach.

Compliance Simplified

Typical engagements include:

HIPAA (Omnibus) – Is the design of our environment consistent with the HIPAA Omnibus Rule? Are we segregating practices and supporting systems that contain PHI? Do our access control mechanisms prevent non-client personnel from accessing PHI? HIPAA Gap Assessments are commonly done during a broader Gap Assessment to provide significantly greater value at a moderate additional cost.

Shared Assessment/ISO 27002 Gap Assessment – Increasingly, law firms recognize that the best way to know they’re secure and prove they’re compliant with a myriad of regulations is to align their Information Security Management System (ISMS) with a Security Framework. Is the design of our environment consistent with prevailing guidance? Gap Assessments may be scoped to address different elements (e.g., Document Management Systems, eDiscovery, Litigation Support Systems).

Design/Compliance Assessment support via Vulnerability Assessments and Penetration Tests across the network/applications/people/facilities layers to ensure vulnerability and configuration management and Security Awareness practices are operating as intended.

Attestation (Proof) Simplified


Why Partner with Pivot Point Security?

Pivot Point Security has the right combination of Information Security/Compliance domain expertise, technology industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant.

✔ Domain expertise means we know the ins and outs of the key regulations (e.g., HIPAA, PII) that a law firm is subject to. It also means that we are experts in the Security Frameworks (ISO 27001, ISO 27002, OWASP, NIST, AICPA TSP (SOC2)) that should form the basis of the Information Security Management System you architect as the basis of the attestation you provide to your customers.

✔ Legal sector experience means that we understand the challenge of selling the partners on the need to implement more restrictive policies.

✔ Organizational character means we have the competence to do the job well in a transparent and straightforward manner that you’ll appreciate.

Typical engagements include:

✔ ISO 27001 Consulting Services to work collaboratively with the law firm to develop an Information Security Management System that can be certified against the ISO 27001 standard. ISO 27001 provides the strongest, most widely accepted/recognized form of third-party attestation.

Penetration Tests (Application/Network/Physical) to provide independent and objective proof of the net security posture. This is often an important form of “interim” attestation if the service provider is in the process of achieving a higher level of attestation (e.g., ISO 27001, SOC 2).

Representative Legal Clients

View more representative Legal Industry clients of Pivot Point Security


Meet Henry

He’s the CIO of an NLJ 250 firm… already worried about increasingly vigilant client security requirements / questionnaires.

Now the partner who runs Medical Device & Health Care Litigation wants to discuss the HIPAA Omnibus Rule and how Protected Health Information (PHI) needs to be segregated within the firm’s Document Management System.

He needed somewhere to turn.