Note: The following is a guest post from Daryn Teague, who provides support to the litigation software product line within the LexisNexis software division.
In spite of all the (misguided) jokes and caricatures of lawyers in our society, the fact is that the practice of law in America has always been rooted in a strong sense of ethical conduct. From the required curriculum in law school, to the oaths that lawyers take to join the Bar, and then on to continuing legal education requirements for all lawyers, ethics are the bedrock of the legal profession.
So when it comes to the collection and maintenance of client data, law firms have historically been bound by that commitment to ethical conduct and been able to essentially say to clients: don’t worry, you can trust us with your stuff.
Unfortunately, as we’ve all witnessed in recent years, there are bad guys out there who have no sense of ethics when it comes to confidential data and they will go to extraordinary lengths to hack your networks, compromise your security systems and access the information your firm has gone to such lengths to protect.
“A number of law firms have been so overwhelmed by the nature of the data security threat that they have essentially been paralyzed by the sheer scope of the problem, a reaction that is understandable considering they’re in the business of practicing law, not cybersecurity,” said Jeff Norris, senior director of data security for LexisNexis Managed Technology Services.
“But law firm partners and their IT teams simply don’t have the luxury of taking their time to map out the perfect plan for data security. They need to act now and put a program in place immediately, working under the assumption that a hacker is plotting how to attack the law firm network at this very moment.”
Norris sat down with us recently and shared some advice about how a law firm can get started on a data security program today.
“The first thing to do is take stock of your own unique business and industry challenges so you have a risk assessment framework that makes sense for your firm and your clients,” he said. “That will help you determine what data you’re required to protect for regulatory reasons, evaluate how much data security risk is too much for the firm to bear and establish which parts of your network are most exposed to that risk. Hire help from pros if you need it, this is a crucial process to get right.”
Norris then laid out six key ingredients for any law firm data security plan:
1. Clear policy and training plan. Create written policies and schedule regular training sessions for anyone in the firm who is involved with data management in order to “maximize security awareness” among your employees.
2. Accurate inventory. Inventory your information systems so you have a detailed record of exactly what the firm has in its purview and where all of the controls and permissions are located.
3. Access controls. Implement access controls on a “need to know” basis so that employees only have credentials to get into the files that relate to their job functions and then “segment your systems so that specific IT pieces that don’t need to be connected to highly sensitive client data are not inadvertently connected.”
4. Keep software updated. Keep your systems up to date with the most recent software patches, including antivirus software. “It’s crucial to keep your firm’s IT armor updated in order to reduce the attack surface available to criminal hackers,” he said.
5. Review liability coverage. Make sure to regularly check your liability or cybersecurity insurance policies so that your policy coverages remain comprehensive and adequate for the firm’s risk exposure.
6. Incident response plan. Have an incident response plan in place so the firm is “breach ready” on a 24/7/365 basis. “The last thing you want to be doing is guessing how to respond when that dreaded cyberattack occurs,” said Norris.
Every successful law firm is committed to a strong sense of ethical conduct with how it treats client data, but it’s essential to understand that you have enemies prowling around your networks right now, looking for a way to get their hands on that valuable information. Take swift and decisive action now in order to make your best defense against cyberattacks.
* * *
DOJ Releases Cybercrime Response Best Practices
Seperately, the Department of Justice recently jumped into the cybersecurity best practices discussion with the release of a memo – “Best Practices for Victim Response and Reporting of Cyber Incidents” – that provides guidance to organizations for tactics they should consider in response to a cyberattack.
The four-section report addresses:
- How to monitor for potential intrusions and plan for incident response;
- What to do in the event of a breach;
- Common mistakes to avoid in the event of a hack; and
- Recovering from a breach and getting on the road to remediation.
LexisNexis works with law firms, corporations and government agencies to help safeguard their critical systems, data and data access with a wide range of hosted offerings that are customizable to each client’s needs.
With 35 years of legal industry experience, strong data management and world-class global data centers, LexisNexis Managed Technology Services ensures business continuity, increases security levels and reduces exposure to data losses.
If you enjoyed this post, you might also like:
5 Things Corporate Legal Execs are Seeking in Data Security