BP Perspective: Insights from a Business Partner

10 Steps Every Law Firm Should Take to Protect its Data and Create a Secure Environment

Bryan Gregory

As technology develops, so do the methods attackers use to infiltrate networks and obtain valuable information. Law firms in particular have become prime targets, because they hold sensitive client information that can be sold or used for leverage. Firms can also face severe penalties if they fail to meet the compliance standards that apply to their organization.

More to the point, however, a data breach can cost a firm on average $6.4 to $7.5 million. This cost includes the expenditures accrued from the investigation, notification expenses, credit monitoring and crisis management — but does not cover the resulting damages to the firm’s reputation and client relationships.

Here are 10 vital precautions every firm should take to safeguard its data:

1. Encryption
Encryption is a means of protecting sensitive information by converting readable data into data that is unreadable without the key. All confidential data should be encrypted at rest and in transit, including information transferred by email or file-sharing systems and data stored on mobile devices. If an employee's laptop is stolen, full-disk encryption ensures the thief cannot read the data as long as the device was locked or powered off and the key is not stored alongside it. Note the limit of this protection: an attacker who logs in with a stolen password or hijacks a running session sees the data decrypted, just as the legitimate user does, so encryption complements, rather than replaces, the access controls and password policy described below.

2. Routine Security Tests and Proactive Planning
Law firms can run simulated attacks, such as phishing exercises and penetration tests, to identify weaknesses before a real attacker finds them. If a data breach or loss does occur, a written incident response and disaster recovery plan should already be in place so that the necessary steps are taken promptly to contain the damage, and that plan should be rehearsed rather than left on the shelf.

3. BYOD Policies
A firm should have an official bring-your-own-device (BYOD) policy that specifies how personal devices may be used for firm work and how they will be handled. Any device that touches firm data should be encrypted and protected by a passcode at all times. In addition, the firm needs the means to remotely wipe firm data from an employee's device if the individual leaves the firm or the device is lost or stolen, which in practice means the device must be enrolled in management before it is allowed access.

4. Employee Education
End users are the most common point of compromise. Every law firm should hold routine employee education sessions to establish guidelines and uphold personal accountability, making sure every member of staff understands the ethical responsibility and liability that data security entails. These sessions should use real-world examples of data incidents and phishing scams to show how data is actually put at risk.

5. Data Continuity and Redundancy
The ability to access important data in the event of a natural disaster or network compromise can make or break a law firm. Firms are advised to keep copies of vital information both on premises and off-site. Off-site storage should be located in another region, preferably out of state, so the data survives a hurricane or tornado that affects the firm and its surrounding area. At least one copy should also be isolated from the production network, so that an attacker who compromises the network (for example, with ransomware) cannot reach the backups, and restores should be tested regularly; a backup that has never been restored is an assumption, not a plan.

6. Private and Secure Wi-Fi
Because attorneys travel frequently and often work while in transit, law firms should instruct staff to avoid public Wi-Fi, where other users of the network can observe or tamper with unencrypted traffic, and should provide alternatives such as a firm VPN or a mobile Wi-Fi hotspot for use when a public network is the only option. A VPN protects the traffic in transit; it does not make a compromised laptop safe.

7. Intrusion Detection Software
Intrusion detection is vital to a law firm's data security. Firms should deploy antivirus and anti-malware, antispam, and intrusion detection software and keep it updated. Firms should also verify that this software is running on every machine and has not been disabled by the end user; that check is only reliable if the tools report to a central console, so that a silent agent is noticed rather than assumed to be working.

8. Written Password Policy
The Georgia Institute of Technology determined that an eight-character password can be brute-forced in less than two hours, while a well-formed 12-character password can take up to 17,000 years to exhaust. Those figures assume a particular attacker guess rate; the real time depends on how the password is hashed and on the attacker's hardware, and drops to nothing if the password has already leaked or is reused. A written password policy that sets a minimum length and character mix makes employees aware of this and responsible for taking the time to choose a strong, unique password.

9. Access Controls
Not every employee needs access to all data. Firms should have controls in place that limit each employee's access to the sensitive information their job actually requires, and those access rights should be reviewed periodically and removed when a role changes or an employee leaves, since access that is never revoked tends to accumulate.

10. Cloud Safety
If a law firm is using a cloud solution provider (CSP), specific questions should be asked when evaluating the CSP’s security, including: How will data be encrypted in transit and at rest? Who holds the encryption keys? Do clients approve the storage of data in the cloud? Does the CSP implement litigation holds to prevent the deletion of data?

Taking the necessary steps to protect your firm's reputation and client information in and out of the office, from clerk to partner, is easier than one might think and provides an invaluable service to you, your firm and your clients.