Best Legal Data Protection Practices Your Legal Firm Can Implement
Now that we are 18 months on from the passing of the General Data Protection Regulation, the legal sector has three strong motivators (other than its own desire to offer the highest level of professional service) to protect its data.
First, if a data breach does occur and the Information Commissioner’s Office believes that your firm was negligent in allowing that breach, and/or that you did not follow the breach up correctly, then you may be subject to a significant financial penalty.
Second, reputationally, the effects of a data breach could be significant. Not only will you have to email all parties who may have been impacted by the event, you will then have to justify why these very same clients should continue to trust you with their sensitive personal and commercial information.
Last, operationally, the recovery of lost data and the level of work needed to allow your practice or chambers to return to normal could involve days of disruption and a significant level of expenditure on IT consultants.
According to the ICO’s data security incident trends report for Q1 2019-2020, 231 breaches have been reported by the legal sector. And these are just those that are being reported…
In this article, we examine the four main approaches you should take to offer the highest levels of protection to clients.
A culture of cyber security
Data protection is the responsibility of everyone within an organisation, particularly legal firms handling personal and commercially sensitive data. But does everyone in your firm know that they are expected to be responsible for protecting that data? And even if they are, do they know what a cyber attack looks like and how they should respond if they spot one? Phishing attacks of today are certainly not as easy to spot as they have been historically.
Furthermore, do the leaders and senior managers in your firm realise in which areas you are currently providing strong protection and where you need to improve? According to PwC, less than one in six senior management teams within legal firms have taken part in training to successfully manage crises in the last year.
Make someone responsible
Data protection policies, procedures, and processes need to be updated on a continuing basis – the first step is to appoint someone to that role and to give them responsibility for data protection. That person needs to understand what technical and human-related areas need improving and then to buy in the equipment needed and to provide the training to top up colleagues’ knowledge.
A culture of privacy
For too many organisations within and outside the legal sector, a firewall (or firewall as a service, as I like to recommend) is simply a technical device, or set of devices, to stop cyber attackers from infiltrating their computer networks.
As important as those are, you also need a human firewall, because many successful attacks on companies’ systems rely on a member of staff being duped (by email or phone) before the attack can succeed.
On most occasions, the staff member themselves will not be aware following a successful cyber attack that anything has actually happened. It may be days, weeks, or even months before they or someone else within your firm realise that there has been a data protection breach.
In addition to ongoing training and briefing for staff on cyber security issues, your staff need to feel responsible for defending their part of your castle walls. And you need to give them the tools and the insight to do it well.
Comprehensible for staff
For non-IT staff, data protection can be an uninviting and somewhat esoteric subject. Your ongoing training and any occasional memos or updates on data protection should be written assuming absolutely no knowledge on the part of the reader. The surest way to prevent someone from becoming engaged in a company-wide activity is to exclude them through impenetrable language.
With all policies, procedures, and processes, illustrate examples as best as you can with screenshots and how-to guides. If you send staff an update email on the progress of the business every week, send a second email each week keeping staff informed about progress on data protection issues – let them see what successful attacks look like and the effect they have on other commercial enterprises (especially competitors).
The legal sector should be asking itself this question: are you 100% confident in your efforts to build a cyber secure culture, to make somebody responsible (someone who isn’t going to pose a conflict of interest), to build a culture of privacy, and to help your organisation understand the full premise and strategy behind all of this?
If you aren’t, what steps will you take to remedy that, and how will you periodically review and maintain them?