Meritas, a nonprofit association of law firms, now requires its law firm members to follow a new cybersecurity standard. The reason for this new standard? Law firms' clients.

“All of what you are seeing is because clients are requiring it of outside resource providers,” explained Tanna Moore, president and chief executive officer of Meritas.

Moore stated law firm clients have a heightened awareness of cybersecurity after recent breaches of law firms' confidential data. The 2016 Panama Papers, where Mossack Fonseca was breached and a plethora of data was exposed, leading to the firm's dissolution, inspired Meritas to develop a cybersecurity standard for the company and its member firms, Moore said.

“We [law firms] really have a lot of confidential information about clients; we need standards about how we store confidential client data,” she explained.

The Minneapolis-based company collaborated with a cybersecurity expert for nine months and announced its 10 cybersecurity standards that current and future Meritas members must follow. Meritas' new cybersecurity standards are:

1. Requiring a cybersecurity plan specifying what to do if a cybersecurity breach occurs;

2. Senior management commitment, which Moore called a “culture” requirement where senior management must be committed to safeguarding their data;

3. Yearly risk and compliance assessment;

4. Technical safeguards such as encryption;

5. Physical safeguards, which Moore defined as law firms having policies and procedures in place to ensure physical content and offices are secure;

6. Employee training;

7. Verifying a third-party service provider has a cybersecurity plan;

8. Having a business continuity plan in place to assess if the firm has “appropriate” backup;

9. Breach response;

10. Reviewing and updating cybersecurity plans.

Currently, penalties for not meeting the new standards haven't been set. “As the program is just being implemented, we are in the process of determining the long-term consequences,” Moore said. “At this point, we bring issues to the members' attention for them to resolve.”

The new cybersecurity standards are offered as an assurance to clients that law firms in the Meritas association are members of an organization that requires them to be equipped with cybersecurity standards. The way Meritas operates is that if a member law firm has client work that is out of the law firm's jurisdiction, it can refer a fellow Meritas member law firm to that client.

“If they are referring another firm in our organization, they are assuring that this firm has looked at and is aware of cybersecurity plans,” Moore explained.

Meritas has 181 law firm members spread across 90 countries, according to Meritas' website, and finding a simple core of cybersecurity requirements in a sea of differing international regulations was key, Moore said.

She added, “We wanted to be able to find the common denominator and simplify it so our firms would understand them.”