As we all know, data privacy concerns and data breaches have become commonplace in the corporate and retail world. A recent article from JD Supra goes into detail on how these same issues are affecting law firms. Ironically, law firms are the ones providing guidance to their corporate clients while, at the same time, not following the proper data privacy and compliance rules themselves. Firms are responsible for their clients' data as well as their employees' data. There are a few key areas that every law firm can focus on to ensure a more comprehensive plan.
Storage and Retention
As with any business, firms must work to keep data protected from physical threats such as power loss, disasters or theft. Various options for storage exist, including on-premises and cloud, and the choice depends on the needs of the particular firm. Often, clients will want to know the processes and procedures their data goes through, so making that information available to them prevents any misunderstanding.
Throughout the period this data is stored, various individuals may need authorized access to it. Whether by setting up a VLAN or simply encrypting the data before sending it outside the firm, it is imperative to protect this data at all costs. All employees handling any client data should be trained on proper procedure to prevent human error that could be damaging not only financially, but to the reputation of the law firm.
As we have discussed here in the past, disposition is as important as the other parts of your information governance program. This is an especially complicated and important process in the legal world and must involve the buy-in of the partners, the client and everyone involved in the case. The disposition workflow should be spelled out in detail so that no records are erroneously deleted.
Mobile Device Management
Theft or loss of any device such as a laptop or smartphone can be especially damaging if it contains sensitive information. Strong, regularly changed passwords must be required on all devices. Additionally, encrypting communications whenever possible adds another layer of data privacy.
Law firms in particular must consider any devices that may not be a part of their regular inventory, such as client or third-party devices. While in your possession, they become your responsibility and should be explicitly documented and tracked.
Finally, Bring Your Own Device (BYOD) policies have become commonplace in the corporate world, and a clear policy should be defined for any law firm. If a law firm would like to allow employees to access data on their personal devices, those devices must meet a set of predefined requirements, up to and including installing Mobile Device Management (MDM) software to track the device and ensure its security. This prevents unauthorized access and protects both the employee and the law firm itself.
Unfortunately, not all data privacy incidents are due to poor process or human error. Hackers are continually trying to gain access to any business that holds valuable information. There are a number of ways this can be done, including social engineering, where the hacker pretends to be someone who legitimately needs credentials to access data, such as IT staff or a client. Therefore, it is crucial that employees know never to send usernames and/or passwords via email or any other unencrypted form of communication.
Additionally, phishing attacks are broader and sent to many more individuals, but they can be just as damaging. The lure could impersonate anything from the payment or payroll portal that the firm uses to something as seemingly benign as a social media account. Any breach of this sort can have consequences for both the employee and the firm. For example, the "reset password" link could in fact deliver malware that could infect the entire firm.
Even a robust information governance plan can be compromised by a data privacy breach. The overall cybersecurity of the law firm should be one of the first steps when considering the information governance environment and where potential gaps might exist.