In the wake of a number of high-profile data breaches involving law firms — including the recent Panama Papers breach — many U.S. law firms are moving toward obtaining ISO data security certification.

ISO is an international organization that provides formal certification of a company’s data security practices. In the past, ISO 27001 certification (covering information security) has typically been sought by U.S. companies for regulatory and compliance reasons. Law firms did not consider ISO certification necessary to the practice of law. But now, as hackers take aim at the legal profession, many law firms are obtaining ISO certification in order to reassure their clients that the firm’s data security practices are adequate. Some firms are using ISO certification for business development purposes — as a means of differentiating themselves from other law firms.

The move toward ISO certification was initially driven by law firm clients — particularly those in the financial services industry — that have long been the target of malicious cyber-attacks seeking customer credit card and financial information. In an effort to enhance their data security, and driven by enhanced regulatory scrutiny, financial services firms began asking the law firms (as well as other vendors) that have access to sensitive company information to submit to data security audits and questionnaires. In many cases, financial services companies are mandating that law firms add physical and logical controls to mitigate the risk of data loss or a breach.