Data privacy has always been a critical area of importance for solicitors’ practices and barristers’ firms.
All the work you perform for each client and the information they share with you is protected by the confidentiality implicit in the relationship between a legal professional and the person they’re representing.
The age of computers dawned a decade or two ago, and a gradual transfer from paper-based records to electronic storage and document management took place in the space of just a few years. The speed of that change surprised many, because the legal sector is often, and unfairly, characterised as slow to adapt.
As that change was under way, technology progressed rapidly and society became interconnected in all sorts of ways that are unimaginable to many born in the 1970s and earlier. Client data and documentation were no longer accessible only from a desktop computer; they went wireless, meaning that colleagues could visit clients and conduct business away from the office just as easily.
Of course, this evolution did not go unnoticed. In fact, business and government went online as a whole. Accessible, informative, and actionable data has transformed commercial relationships around the world, meaning that connections are easier to make and subsequently deepen.
All that data has value. And cybercriminals want it. What are the top 5 recommendations Sprout IT has for legal firms keen to protect their data from theft or misuse?
Leadership must come from the top
If the leadership at your firm does not make the protection of client data and its computer systems a prime concern, that’s dangerous. Remember that it’s not a case of de-prioritising one area of the business in order to make cybersecurity and data protection a primary issue.
No other priority within your firm needs to take a back seat when you make this choice – it’s all about deciding on what your priorities are and allocating the resources (human, financial, and technical) required to achieve the desired outcome.
First, figure out your firm’s priorities. Then, appoint someone to manage the project; you may wish to bring in an outside expert for this who has experience in data privacy policies and procedures specifically for legal firms. Finally, implement the plan. From that point on, data privacy and data protection are business processes that your firm carries out, carries out well, and carries out consistently.
Appoint someone with specific responsibility for privacy and security
Ideally, the person in charge of data privacy within your firm should be a partner as this will mean that data privacy and protection will be a live subject at every board meeting your company holds.
This person need not have day-to-day responsibility for these areas. They may instead receive reports from the internal IT team, together with ongoing advice and guidance from an outside IT contractor who provides impartial, critical oversight of the firm’s efforts to reach the standards agreed at the meeting where the relevant policies and procedures were adopted.
Having a board member or a partner with a fuller overview of the firm’s systems and their implementation means that, when planning for the future direction of the practice or chambers, data privacy and protection is not overlooked.
A culture of privacy and security
Two thirds of all successful cyberattacks on firms occur because of human error. There should be a real effort to build a human firewall within your firm as well as a technological firewall.
There is rarely any malice in a staff member’s mind when they do something (or don’t do something) that leaves your firm open to attack and vulnerable. It’s usually a mixture of blissful ignorance and a lack of understanding of the consequences a breach in data privacy causes.
From the minute your board and your leadership decide to make data privacy a policy, your staff must be involved through a process of training and coaching. They need to be aware of what they should look out for, and they need to be aware that certain behaviours leave the practice or chambers vulnerable.
Diligence should be rewarded and encouraged because, one day, it’s a staff member’s awareness that may prevent a disaster from occurring.
Understandable policies and processes
Policies and procedures that you implement as part of your drive towards excellence in data privacy must be made understandable and actionable for each member of staff. Instead of taking a one-size-fits-all approach to training and to your policies and procedures, tailor them to the employee. There is little to be gained from giving PAs or secretaries, who have very limited access to information and to the wider systems on your network, the same guidelines as a partner or an IT technician.
Staff must be shown how to use the computer network safely and securely, and they need to be told what to do, and whom to inform, if they see something they’re unsure about or that causes them concern.
When disaster strikes…
In the era of GDPR, a data privacy disaster involving the theft or misuse of personal information requires you to inform both the Information Commissioner’s Office and the clients affected directly by the breach. The damage caused by such a breach is not only financial but reputational.
Work through disaster-planning scenarios for different types of attack, covering both the incident itself and its aftermath. Let each member of staff know what their responsibilities are and the actions you expect from them.