With cybersecurity risks on the rise, law firms and their clients are looking for more assurances within the software and apps they use.

To meet their security needs, many legal professionals turn to Filevine, which has recently received a third-party SOC 2 Type II + HIPAA compliance report. This report includes a detailed review of the HIPAA Security Rule illustrating that Filevine is a leader in protecting legal and personal health information.

What does the SOC 2 Type II report mean for end users?

We’ll get into the details of the report below, but for Filevine’s end users here’s what the SOC 2 Type II report means:

  • Greater peace of mind. You can trust your software to provide robust security for your data, which helps you satisfy your professional duty to keep client information secure and confidential.
  • Greater ability to serve the largest and most sophisticated of clients. You can demonstrate to demanding clients that you have the security sophistication to keep up with the ever-changing cybersecurity landscape.
  • No procurement hang-ups. It’s challenging when deals go awry at the last moment because your case management software doesn’t meet specific security requirements. With a compliance report including both SOC 2 Type II and HIPAA, Filevine is ready to meet the requirements of even the most selective customers.
  • Broad trust and recognition across all industries. SOC 2 Type II is widely accepted as a high standard of security across the legal industry. You can be assured that your security credentials will shine regardless of your practice area.

Why lawyers can’t ignore security standards:

According to the ABA Model Rule of Professional Conduct 1.6(c), lawyers have an ethical duty to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” One of the most common ways lawyers can run afoul of this rule is by failing to vet the security posture of the software or apps that handle their case information.

But lawyers are legal professionals, not necessarily tech experts. They can’t be expected to sift through every detail of each app they use, hunting for any gap or weakness in the developer’s security protocols. That’s where security standards can come in handy. They can verify that an accredited third party has audited the company and determined if they are compliant with well-recognized security standards.

But clearly not all security standards are equal. How can you recognize which standards are truly meaningful—and which are simply empty badges with impressive names?

What makes SOC 2 Type II compliance different?

As we mentioned, the cybersecurity landscape is constantly shifting, with new threats discovered every day. That’s where the traditional idea of a ‘certification’ can be misleading. There’s no such thing as a one-and-done security effort. You can’t simply create a ‘secure’ product and stop worrying about it.

That’s why some of the most meaningful security standards include requirements for active teams of security experts. These are the people working to constantly improve their product’s security posture, respond to emerging threats, and engage with on-going audits, risk assessments, privacy impact analyses, penetration testing, and vulnerability assessments.

SOC 2 Type II compliance typically requires a year of audits to achieve. It doesn’t just mean a well-designed product. It means an entire team of top-tier experts, investing a tremendous amount of time, resources, and energy to continuously advance the company’s security posture.

When it comes to security, it’s not just about the product—ultimately it’s about the people. That’s why Filevine seeks out some of the most dedicated, creative, and respected security experts in the field to find new ways to improve your firm’s security posture. They’re led by Dean Sapp, the Vice President of Information Security, Risk, and Compliance at Filevine. Dean is a widely sought-after security consultant, security researcher, writer, and public speaker around the issues of new cybersecurity threats and data protection techniques.

To achieve SOC 2 compliance, Filevine worked with an outside auditor that’s certified by the American Institute of CPAs (AICPA), the organization that governs IT and security auditing standards. SOC 2 Type I audits investigate the in-scope systems in place, looking at policies, procedures, and executive support. They explore whether the security features, team, and processes are sufficiently robust.

What makes the SOC 2 Type II audit process particularly applicable is that it assesses how a company performs across a span of time. Compliance at this level shows that an organization has security practices that are operating effectively across time, not just at one given moment.

Recognizing that there are no one-size-fits-all security practices, the specific requirements for SOC 2 Type II compliance are unique to each organization. But they all revolve around the following 5 Trust Service Criteria (TSC 100) that ensure the proper protection of customer data:

    1. Security:

    Auditors analyze the strength of the tools being used to stop unauthorized data access, like web application firewalls, two-factor authentication, intrusion detection, etc. TSC 100 includes incident response, written information security program (WISP) documentation and a defense-in-depth approach.

    2. Availability:

    This principle looks at how readily the organization can detect system or service interruptions and how quickly they can respond to and remediate any problems that arise. Auditors analyze how the organization monitors service performance, and plans for disaster recovery and business continuity.

    3. Processing integrity:

    You want to be sure that any data you put into a system retains its integrity, without being altered. This principle ensures that the organization’s data processing is accurate and consistent across the service.

    4. Confidentiality:

    To protect confidentiality, auditors look for access controls, audit logs, network and application firewalls, data encryption and the principle of least privilege among other security controls. Confidentiality ultimately means that there is a high level of assurances that only authorized parties can access client data.

    5. Privacy:

    This principle looks at the way organizations collect, use, retain, disclose, and dispose of all personal information. In addition to the organization’s own privacy notice, they must comply with the HIPAA privacy rule and applicable COSO principles. The goal is to protect personal identifiable information and to correct it or remove it from the service as required by law or contractual obligations.

No service provider can guarantee foolproof security to stop every new attack or threat. However, SOC 2 Type II compliance is a critical step towards a robust security culture that includes a host of security tools, practitioners and proven techniques to safeguard your data. These rigorous audits, focused on the 5 Trust Services Criteria (TSC 100), enable tech companies to strengthen their security posture, rapidly evolve to confront new threats, and give their customers greater peace of mind.