SOC Reports Provide Critical Insights on Vendor Data Security Practices

I’ve written several times during the past year about the importance of information security for legal professionals. Mitigating the threat of unauthorized access to client confidential information is one of the most challenging operational responsibilities that law firms face today.

Although there was a time when some legal community leaders believed that lawyers were not taking their data security responsibilities seriously enough, those days seem to have quickly passed. Today, data security issues are on everyone’s mind.

One area where law firms can significantly reduce their exposure to cyber threats is in carefully managing relationships with third-party vendors. Modern law firms use a wide array of information technology vendors — network providers, email providers, accounting services, employee benefits providers, and litigation support vendors — to deliver legal services. All of these third-party vendors handle client information. As a result, engagements with such vendors represent both a potential security risk as well as an opportunity to meaningfully address data security risks, but only if firms can obtain assurance that their vendors follow information security best practices.

One tool that has become popular in recent years is the series of Service Organization Control (SOC) reports developed by the American Institute of Certified Public Accountants (AICPA). As the Chief Information Officer of a national court reporting agency I am regularly asked to document Esquire Deposition Solutions’ information security practices for our corporate and large law firm clients – including audit reports attesting to our compliance with the AICPA’s information security standards in both SOC2 and SOC3 reports.

Achieving Due Diligence Through SOC Reports

The American Bar Association reminded lawyers in a recent ethics opinion (PDF) that, when engaging third-party vendors in their operations, lawyers have an ethical obligation to “ensure that all of these individuals or services comply with the lawyer’s obligation of confidentiality and other ethical duties.” In practice, this means that law firms should adopt whatever measures are reasonably available to protect client confidential information when it is transferred to, stored, or processed by third-party vendors.

The most significant SOC reports for service vendors are the SOC2 and SOC3 reports, which address five critical aspects of the vendor’s information security practices:

  1. Security: Whether the vendor’s information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the confidentiality, integrity, and availability of information or systems and affect the vendor’s ability to meet business objectives.
  2. Availability: Whether the information used by the vendor’s systems, and the services and products delivered to its customers, remain accessible.
  3. Processing integrity: Whether the vendor’s data processing yields complete, valid, accurate, timely, and authorized data that meets the entity’s business objectives.
  4. Confidentiality: Whether information designated as confidential is protected as committed or agreed to by the vendor and the contracting law firm.
  5. Privacy: Whether personal information handled by the vendor is collected, used, retained, disclosed, and disposed of as described in the vendor’s privacy policy and the criteria set out in the AICPA’s Generally Accepted Privacy Principles.

SOC2 and SOC3 reports contain valuable information that law firms can use to assess the risks and internal controls associated with an outsourced service provider. Increasingly, careful law firms are demanding the opportunity to review SOC reports from service vendors that might be entrusted with client confidential information.

Each SOC report contains a detailed description of the vendor’s information security practices, followed by an independent auditor’s opinion that those practices — as described — provide reasonable assurance that the vendor meets the AICPA’s trust services and information integrity standards.

In the case of a court reporting agency such as Esquire Deposition Solutions, the SOC report explains the controls used to protect confidential client information throughout the course of engagements with law firms and corporate legal departments.

For example, a typical SOC2 or SOC3 report will contain the following information:

  • A description of the services the vendor provides to its clients or customers
  • A description of the vendor’s overall information technology environment, including physical facilities, networking hardware, monitoring equipment, data storage devices, mobile devices, and all internal networks and connected external telecommunications networks that the vendor uses to supply services
  • A list of information technology software used by the vendor, the types of databases used, the nature of external-facing web applications, and the nature of any software applications developed in-house
  • A description of the roles and job descriptions of all vendor personnel (including contractors and third-party vendors) involved in the governance, management, operation, security, and use of the vendor’s information technology environment
  • A description of the types of data used by the system, such as transaction streams, files, databases, tables, and other outputs used or processed by the vendor’s information technology system

With SOC reports, law firms and corporate legal departments will have the information they need to make sound decisions about whether a particular service vendor can provide the information security required for any engagement involving client confidential information.

Esquire Deposition Solutions routinely shares both SOC2 and SOC3 audit reports with clients and prospective clients. Both reports document controls and compliance with the same AICPA trust services criteria. However, SOC2 reports are highly detailed, and are designed to be shared with a restricted audience that includes company management, customers, and auditors employed by customers.

SOC3 reports provide the same information, albeit with less detail, and are designed to be shared widely by organizations that want to publicize their adherence to information security best practices. Interested parties are welcome to review Esquire’s SOC3 audit report here.

Buttress SOC Reports With Traditional Due Diligence

In addition to reviewing SOC reports, law firms shouldn’t neglect other, more familiar due diligence tools. When selecting a service vendor, it is always a good idea to consult colleagues and question service vendors about aspects of their information security operations that are unclear even after a close reading of the SOC report.

The service vendor’s past experience with data breaches, service level assurances, liability limitations, and incident response time are also important considerations. Finally, cyber insurance is now widely available to mitigate data security risks. Law firms should certainly inquire whether the service vendor has such a policy and whether that policy will cover reasonably anticipated losses in the event that client confidential information is lost or stolen.

The American Bar Association’s guidance Securing Communication of Protected Client Information (ABA Formal Opinion 477R) (PDF) is a good resource for law firms that want to learn more about placing adequate safeguards around client information. Two other helpful guides are Cybersecurity Alert: Tips for Working Securely While Working Remotely (PDF), published by the New York State Bar Association, and the Esquire Deposition Solutions article on the same topic, Information Security Basics While Working From Home.