Law firms need a data security plan. Here is an outline of the major points that should be considered in the structure of law firm data security programs.
- Management level responsibility for security. Data security cannot simply be farmed out to IT consultants. Lawyers need to be involved because of their obligation to assure confidentiality of client information.
- Continuous monitoring of security developments. Threats to data security change frequently. Firms need a way to learn about these threats and deal with them.
- Physical protection of machines. Systems are easier to compromise when equipment can be accessed by third parties. Review who has access to computer equipment, including cleaning crews.
- Asset management. It is impossible to know if a threat affects you if you don’t know what software and hardware your office uses.
- Human resource management: hiring, termination, training, monitoring. Many security breaches come from within. Usually these are caused by lack of training, but the threat of malicious internal activity must also be considered.
- Response planning. Despite best efforts, data breaches may occur. Know the law on reporting of breaches, and design response plans that can be quickly implemented.
- Auditing, testing and certification. There are many ways to test and certify systems. Consider penetration tests to see where security vulnerabilities exist.