Meritas Law Firms Worldwide, a global law firm network that includes 11 Canadian firms, has recently implemented cybersecurity standards for all current and future member firms to follow as part of its quality assurance program.
The data of law firms and their clients is valuable to hackers, and the 10 standards developed by Meritas aim to protect firms from data breaches with proactive and reactive measures.
“If you think about it, cybersecurity is not just technology; it’s physical safeguards. It’s employee training. It’s third-party risk management,” says Tanna Moore, president and chief executive officer of Meritas. “It’s protecting clients’ confidential information, employee information and other kinds of things that may be at risk. There’s also a component about breach response, business continuity and then the fact that it’s not just a one-time deal.”
Canadian Meritas firms include BCF LLP (Montreal, Quebec City), Benson Buffett PLC, Inc. (St. John’s, N.L.), Boughton Law Corporation (Vancouver), Brazeau Seller Law (Ottawa), Key Murray Law (Charlottetown/Summerside, PEI), Pitblado Law (Winnipeg), Lawson Creamer (Saint John, N.B.), McLennan Ross LLP (Calgary, Edmonton, Yellowknife), Minden Gross LLP (Toronto), Patterson Law (Halifax) and Robertson Stromberg LLP (Saskatoon).
The areas addressed in the standards include: information security plans, management’s commitment to these standards, ongoing risk assessments, technical safeguards, physical safeguards, employee training, third-party risk management, business continuity during a breach, breach response and reviews and updates to a firm’s security plan.
Moore says the creation of the cybersecurity standards was sparked by the 2016 Panama Papers incident, wherein the confidential legal and financial documents from the offshore accounts of many prominent people were leaked. The incident affected the business of a member law firm in the Latin American region.
The incident caused Meritas to establish the standards for firms to implement for their own safety but also for the satisfaction of clients knowing their data is secure.
The standards considered included regulatory, industry and international standards, which were reviewed and boiled down to the current 10 key points. They were developed by a board-level quality assurance committee (comprised of approximately seven member firms), internal Meritas staff and an outside cybersecurity consultant — James Harrison, CEO of Invisus.
“Law firms must be aware of client pressure or client demand for better privacy and security of their private data,” says Harrison. “Where the rubber hits the road with that is clients will literally move on and find another law firm to work with if the law firm they’re [currently] with can’t prove or provide evidence that they’re meeting these minimum [security] standards.”
Harrison also strongly recommends that firms create an internal cyber-risk management committee, perhaps comprised of a couple of managing partners to represent the executive side of the firm, a human resources director (if there is one) and an IT manager to represent the tech side. He says this team should do “consistent assessments” at least once a year to ensure the firm is meeting the cybersecurity standards — both the Meritas standards and the regulatory standards set forth by the firm’s respective jurisdiction.
Moore says that the standards to remain part of the Meritas network are high, and this is just one thread of the necessary standards that the network monitors.
For member law firm Boughton Law Corporation in Vancouver, the standards didn’t change any of their current cybersecurity protocols, although they have helped foster an ease of understanding among other departments within the firm that are “intimidated” by cybersecurity, says the firm’s IT manager, Robert Walls.
“Boughton Law already follows strict guidelines for our information security management system and we refer to ISO 27001 protocols. Meritas’ efforts provided us with a good check for us to affirm that we’re following the right cybersecurity path,” says Walls.
Regarding compliance enforcement, Moore says an annual survey is administered to member firms, the last one given in September 2018, to check whether firms are complying with all standards, including cybersecurity. She adds that quality performance and engagement are also measured as part of the re-certification process that takes place once every three years to remain part of Meritas.
“What was essential about [the establishment of the cybersecurity standards] is if we didn’t take that step to boil it down to 10 essential standards, it would have been almost impossible for the firms to live up to the standards out there,” says Harrison. “We’ve made it possible, trackable and accountable . . . so now it’s a simplified way of measuring yourself and making sure you should be doing what you should be.”
Editor's note: Comments from Boughton Law Corporation added Jan. 22, 2019.