SOC 2 Compliance

What Legal Professionals Needs To Know

The importance of achieving Type II Service Organization Control (SOC 2) compliance cannot be undervalued by the legal community. SOC 2 compliance is part of the American Institute of Certified Public Accountants (AICPA) Service Organization Control reporting platform. These guidelines were introduced in an attempt to restructure the existing (outdated) reporting methods of service organizations, and to align with the growing trend toward more globally accepted accounting principles.

The SOC reporting platform has three options: SOC 1, SOC 2 and SOC 3. Although SOC 1 and SOC 3 will be addressed briefly in this whitepaper, the primary focus will be on SOC 2 compliance, which is designed specifically to address the increasing popularity of cloud computing and other forms of shared technology within the service organization world.

Maintaining secure channels for the transmission and storage of this type of data is of particular concern when dealing with legal matters. Achieving compliance with SOC 2 is indicative of maintaining objective levels of security, availability, confidentiality and privacy. Determining criteria are evaluated by independent auditing agencies, and include such elements as operating effectiveness, design, processes, and procedures involved with data-center controls.

Security Risks in Outsourcing

The way business is done has changed so drastically that it’s become necessary for companies to outsource portions of their functions or tasks – and sometimes even core operations – to outside service organizations. When the service organization takes on these functions, they also adopt the inherent risks that used to be the company’s sole responsibility. Yet, since they are external to the user entity, they often operate outside the bounds of existing safeguards. In other words, the same rules may not apply.

Recent increases in privacy breaches, fraudulent activities, and other malicious ‘hacking’ have served to similarly increase internal regulatory controls, such as HIPAA, the Sarbanes-Oxley Act, and Basel II. As a result, due diligence during the vetting process of prospective service organizations is increasing and the government is now overseeing existing outsourced organizations. Regulatory changes, especially in the field of technology, have underlined the need for assurance that management is capable of maintaining client security and data integrity. The systems used by both the originating organization and any satellite service organizations must process data with the same level of privacy, confidentiality, and integrity.

Enacting SOC 2 compliance, along with meeting other compliance standards, allows an independent entity or CPA to determine whether the existing controls of a service organization meet the necessary standards. Additionally, the service organizations are able to respond with concrete action plans to achieve compliance through this objective evaluation. The three Service Organization Control reporting options laid out by the AICPA provide this necessary framework.

Focus on SOC 2 Compliance

As mentioned previously, there are three different types of SOC reports.

·         SOC 1 Report: Provide focus on internal controls that are relevant to financial reporting. These are conducted in accordance with SSAE 16.

·         SOC 2 Report: Address the controls regarding security, availability, and processing integrity of internal systems, as well as the confidentiality and privacy of any data that is processed by that system.

·         SOC 3 Report: Handle controls related to security, availability, confidentiality, and processing integrity in accordance with Trust Service Principles.

Unlike SOC 1 reports, SOC 2 compliance relies on the AT Section 101 professional standard which uses a criteria-based analysis that centers on the five Trust Service Principles, as stated by the AICPA and CICA:

Security. The system is protected against unauthorized access (both physical and logical).

Availability. The system is available for operation and use as committed or agreed.

Processing Integrity. System processing is complete, accurate, timely, and authorized.

Confidentiality. Information designated as confidential is protected as committed or agreed.

Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally-accepted privacy principles issued by the AICPA and CICA.”

Specifically, SOC 2 compliance is based on the reporting of non-financial controls, like those within the technological sector such as managed services, data-centers, and other aspects of service organizations.

The development of the SOC 2 guidelines arose from the multitude of changes within service organization reporting, the growing trend toward international accounting standards, the previous abuse of outdated auditing standards, and the simple need to provide a more appropriate reporting platform for the way business is done today. The SOC framework delivers a multifaceted approach for reporting platforms among service organizations.

Core Requirements

·         System Description:  A key aspect for obtaining SOC 2 compliance is to maintain a written description of the “system” used by the service provider. The narrative must be both detailed and comprehensive, addressing the services provided as well as any supporting processes, internal policies and procedures, and any other core operational activities that are relevant to the service provider’s user entity. This system description requires much more in-depth detail than the control descriptions mandated by the SAS 70 predecessor audit.

·         Written Statement of Assertion: The service auditor who is performing the examination for SOC 2 compliance must be provided with a written statement of assertion. This document declares factual statements regarding the service provider’s control environment.

·         Criteria Description: Since SOC 2 compliance is based on criteria rather than objectives, documentation is required showing the metrics that are in place to meet the Trust Service Principles.

Benefits of SOC 2 Compliance for the Legal Community

The American Bar Association Formal Opinion #451 specifically states that:

"The challenge for an outsourcing lawyer is, therefore, to ensure that tasks are delegated to individuals who are competent to perform them, and then to oversee the execution of the project adequately and appropriately. When delegating tasks to lawyers in remote locations, the physical separation between the outsourcing lawyer and those performing the work can be thousands of miles, with a time difference of several hours further complicating direct contact. Electronic communication can close this gap somewhat, but may not be sufficient to allow the lawyer to monitor the work of the lawyers and non-lawyers working for her in an effective manner. At a minimum, a lawyer outsourcing services for ultimate provision to a client should consider conducting reference checks and investigating the background of the lawyer or non-lawyer providing the services as well as any non-lawyer intermediary involved."

Rule 1.6(a) of the ABA Model Rules of Professional Conduct states:

“A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).”

Rule 1.6(c) adds:

“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Comment 3 on Rule 1.6 clarifies:

“The rule of client-lawyer confidentiality applies in situations other than those where evidence is sought from the lawyer through compulsion of law. The confidentiality rule, for example, applies not only to matters communicated in confidence by the client but also to all information relating to the representation, whatever its source. A lawyer may not disclose such information except as authorized or required by the Rules of Professional Conduct or other law. See also Scope.”

Rule 5.3(b) requires that lawyers who utilize the skills and talents of non-lawyers must “make reasonable efforts to ensure that the person’s conduct is compatible with the professional obligations of the lawyer.”

Above all, the lawyer must preserve fiduciary responsibility to their client. When hiring outside parties and service providers, it’s counsel’s responsibility to ensure that the attorney-client privilege is kept sacrosanct. Independent auditing to determine SOC 2 compliance delivers an extra layer of protection for both counsel and client. Clients have an objective set of guidelines that they know their team is bound by, and counsel has the assurance that all members of the staff must hold to the same ethical guidelines as they themselves are required to uphold.

SOC 2 compliance extends far beyond personnel, as well. The entire organization is covered, as well as the technological infrastructure being utilized. This includes the data-center operating environment, management of data storage, server and database administration, and tools and processes used for system monitoring. Both physical and virtual system security are included, as well as common support processes that are applicable to multiple avenues of service provider and primary business.

Ensuring SOC 2 compliance satisfies the ethical obligations set forth by the ABA in providing insurance that systemic and necessary protocols are in place to protect the lawyer-client privilege. This offers clients a higher level of confidence in their counsel, as well as assurance that any critical data or sensitive information will be handled and stored securely. For clients, doing business with a legal team with SOC 2 compliance delivers an additional seal of approval for the methods used to handle client information, allowing for greater peace of mind for client and counsel alike.

IN CLOSING

There are quite a few individual certifications that complement SOC 2; some of the more relevant to a services company include:

  • CISSP – Certified Information Systems Security Professional
  • CIPP (US, IT, Europe) – Certified Information Privacy Professional
  • ECMP – Enterprise Content Management Practitioner
  • ERM – Enterprise Risk Management

Completing a Type II SOC 2 examination relevant to security, availability, confidentiality and privacy provides attestation that processes, procedures and controls are formally evaluated and tested by an independent auditing firm.  Passing this audit provides certification of compliance to a service organization that qualifies the design and operating effectiveness of their organization.  This examination demonstrates that the service organization is compliant with the relevant criteria and its clients are being served by a SOC 2 standard controlled facility.  The examination's completion also provides valuable insight into the people and procedures responsible for successful data-center controls.