Taking the Lead: Yes, Another Reminder About Data Privacy and Security Issues

There are things about which we can’t be reminded enough. Between spouses, it is taking out the garbage. In the office, it is about getting the time entered so the invoices can go out. While lamenting these kinds of chores recently with our colleague, technology and privacy attorney Vivien Peaden, she reminded us that data protection and cybersecurity are on the top of her list. So yes, this is a quick checklist, courtesy of Vivien, to keep us all hypervigilant in safeguarding our clients’ most valuable and confidential secrets. 

Given the types of information entrusted to lawyers, it is no surprise that hackers and bad actors target law firms of all sizes to steal and misuse data. A client’s personal data could be used for a blackmailing scheme or to steal trade secrets. In one notable example, international hackers specifically targeted a law firm to gain access to its documents related to a Chinese dissident. Successful hacking of client data undermines the lawyer-client trust relationship, opens clients to potential financial losses or personal embarrassment, and exposes law firms to the loss of clients and their own financial losses.

To ensure best data privacy and cybersecurity practices within law firms, Vivien asked us to remind you, whether you lead a large law firm or practice solo, to keep these issues top of mind:

Data encryption. All data that is being transferred or stored should be encrypted. Additionally, it is crucial to protect data that is being used by employees working from home by only allowing off-site access through a secure virtual private network (VPN). Smaller law firms may want to outsource their security operations center, allowing a third-party contractor to implement, assess and monitor all critical IT systems for security precautions on a fractional basis. Conducting routine internal and external security audits can help detect security gaps. If you don’t know how to encrypt your data or you don’t know how to create a VPN, please get started with a visit to the Law Practice Division website (americanbar.org/groups/law_practice).

Physical security. Besides protecting paper files by storing them in safe places, law firms need to carefully evaluate and select cloud servers with appropriate physical backups in secure locations. Also, make sure that access to the office is only granted to permitted persons by key card access and security camera systems.

Employee training. Employees are typically the weakest link in the security chain. It is therefore a best practice to limit employee access to information necessary for their jobs. Vivien recommends that law firms adopt and implement formal data and security policies. Enforcing policies is as important as having the right policies and processes on paper. It is especially important to provide repeated employee training on topics like phishing, social engineering and password security. There are vendors that can help you send simulated phishing emails that prove to the employee how dangerous it can be to click on the wrong email. Those same vendors provide training modules, too.

Hiring and departures. When hiring new employees, firms must ensure that ethical walls are implemented as necessary. Firms should also routinely conduct internal monitoring to identify behavior that may signal impending departures. Moving data out of the firm by currently authorized personnel risks client security.

Regulatory compliance. Depending on what kind of clients a law firm has, certain industry-specialized data security laws may be applicable. This is relevant, for example, when working with doctors, hospitals or other health care providers (HIPAA and HITECH are applicable); working with financial institutions and those that collect personally identifiable information (PII) that is not publicly available (GLBA is applicable); or working with entities that collect credit card data (PCI DSS is applicable). If you do not know the meaning of these acronyms, please use the internet to find out. You want to be sure you do not need to take extra precautions.

Email marketing and website cookies. If your firm is considering email marketing or placing cookies on your websites to target potential clients, you need to learn about the various federal, state and international privacy regulations. For example, under the U.S. law called CAN-SPAM, the sender of email marketing must identify the email as an advertisement and must not use misleading information. Each email sent must allow recipients to opt out of receiving further email communication, and the sender must honor and remove opt-outs from their email list within 10 business days. Be aware, effective January of this year, the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) may be applicable to some firms, and any firms targeting the European market must meet the higher standards imposed by the General Data Protection Regulation (GDPR).

At the end of our conversation with Vivien, we knew we had to share this information with you. The failure to remain vigilant with data security creates incalculable risks for your clients and your firm.