You’d think, among all types of businesses, that law firms would be at the front of the pack in having a data security policy.  After all, law firms regularly tell their clients how important it is to have effective policies in place for legal compliance and risk management.  And law firms certainly possess large volumes of valuable data, such as confidential client information and individuals’ personal data, and are subject to a daunting array of security threats.  But as the saying goes, all too often the cobbler’s kids have no shoes.

How shoeless?  Results from the 2017 ABA Legal Technology Survey are grim.  Less than half of the responding law firms have the following policies and plans, which are crucial to a firm’s security posture:

  • computer acceptable use policy (48%);
  • remote access policy (45%);
  • disaster recovery/business continuity plan (42%);
  • incident response plan (26%); and
  • personal technology use/BYOD policy (24%).

This is astounding, especially given the compelling reasons for law firms to put data security policies in place.

Policies are of course only one element in an organization’s information security program.  But a policy is the indispensable vehicle for expressing the organization’s commitment to information security; for defining what information is to be protected with what security controls; and for establishing the organization’s security roles, responsibilities, and enforceable expectations.

So … whether in a single policy or a policy suite, what aspects of data security should a law firm address by policy?

Scope and Objectives

The policy should state the firm’s objectives for reasonable information security and should define the scope of the policy’s application to information, systems, personnel, and third parties.

Important concepts should be defined, reinforcing clarity on the policy’s scope and applicability.  The responsibilities of personnel in key security program roles should also be made clear.

Security Classification

The firm’s classification categories for safeguarded information should be defined, with sufficient description and examples so that personnel can determine what security controls apply to particular types of information and the systems in which such information is stored.  Ideally the classification scheme will be limited to only three or four categories (such as Public, Internal, Confidential, and Protected), with a chart setting forth the categories, definitions/examples, and applicable safeguards per category.

Personnel Security Responsibilities

The policy should clearly state the responsibility of firm personnel for the security of all information they create, access, or receive, in any format.  Prohibited activities should be defined with sufficient clarity to help ensure compliance and to enable discipline, if needed.  Affirmative security activities should also be defined, including, as applicable, physical security practices (such as wearing identity badges, challenging unrecognized persons in firm offices, and locking computers and devices when unattended) and system access practices (such as use of strong passwords and protection of credentials).

Expectations should also be clarified for personnel conduct while using specific systems, such as the Internet; social media; email and other e-communications; and personal and firm-issued devices and transportable media.  Security expectations should be defined for working remotely, including use of wireless connectivity, and for transferring information outside of the firm.  And the policy should also address personnel responsibilities for reporting software malfunctions and the various types of security incidents.

Confidentiality Agreements

The policy should require that firm personnel sign, as a condition of employment, an appropriate confidentiality agreement, and that third parties with access to firm information or systems are subject to a confidentiality agreement before accessing such information resources.

Access Controls

The policy should require use of unique system logon IDs, strong passwords, and protection of credentials; prohibit credential sharing; provide for account lock-out after a limited number of unsuccessful access attempts; and establish a schedule for password expiration and replacement.  By policy, access credentials should be audited periodically, and credentials should be retired promptly when personnel leave the firm.

Information access rights should also be addressed by the policy, establishing an approach by which access to categories of information and systems is tied to personnel roles, on a need-to-know basis, and is documented and periodically reviewed.

Technical Controls

The policy should authorize or require, as appropriate, the range of technical controls deemed crucial to the firm’s security posture, such as use of anti-malware software; testing and approval of new software before installation; encryption of data at rest and in transit; configuration standards for routers, switches, and servers; and software patch management.

Periodic reviews of system activity should be required, and the policy should also establish protocols for tracking changes to networks, systems, and workstations, including software releases.

The policy should also address periodic vulnerability scans and, as appropriate, penetration testing.

Physical Security

Security protocols for access to the firm’s physical spaces should be addressed in the policy, along with physical controls for firm computer equipment.

Hardcopy/Media/Hardware Disposal

The policy should define requirements for disposing of hardcopy documents and also for disposal processing of hardware or media, including effective wiping of data from all firm laptops, workstations, servers, devices, and transportable media at end of life or prior to recycling.

Third-Party Contracts

Requirements for addressing data security in service provider selection/due diligence, contracting, and oversight should be defined in the policy.  Authorities and approvals for agreements with third parties that have access to firm information resources should also be addressed in the policy, to help ensure that appropriate data security requirements, rights, and remedies are included in those agreements.

Contingency Plans

The policy should require that the firm maintain a Disaster Recovery and Emergency Operations Plan that addresses data restoration and recovering from information loss.  Data backup should also be required, along with periodic testing of data restoration.

Incident Response

The policy should require that an IT Incident Response Plan be in place and periodically tested.  A Critical Security Incident Response Plan for dealing with severe security incidents, including breaches, should also be required.

Security Training & Awareness

The policy should require role-based training of all personnel on security threats and on security requirements, protocols, and expectations, with such training provided at onboarding and periodically thereafter for all current personnel.  Other elements of the awareness program should also be addressed, including the regular distribution of security reminders to all personnel.

The policy should provide that the firm may require compliance certifications from personnel and may perform compliance assessments or audits to verify policy compliance, and it should indicate to whom requests for policy changes or exceptions should be made.  The policy should also state that failure to comply may subject personnel to discipline, including termination of employment.