When it comes to data security, too many law firms have it dangerously backward. They think they’re covered by publishing an adamant disclaimer before or after the text of an electronic communication, or by preparing a crisis plan to respond to a data breach. Of course, all of the email legal disclaimers in the world won’t stop a hacker or the havoc they can cause.
Instead, lawyers should be laser-focused on preventing a data breach. The main thrust of a data security program should be to prevent an unauthorized breach before it occurs. Law firms’ generic concern over the end result of a data breach dangerously shifts the focus away from the proactive protection of their data. Rather than reacting with heavily worded disclaimers, lawyers should spend more of their time proactively engaging solutions to secure their data.
In fact, they’re ethically required to do so, according to the American Bar Association. Lawyers are required to make reasonable efforts to prevent inadvertent or unauthorized disclosure of, or access to, information relating to the representation of a client. And 20 states have concluded that cloud computing can be used by lawyers so long as they exercise reasonable care.
The truth is that most businesses will eventually experience a data breach, especially smaller ones since hackers view them as easy targets. So reasonableness is judged by the effort to:
- Prevent a breach
- Mitigate the negative effects if a breach occurs
In most jurisdictions, reasonable care includes appropriately vetting any software-as-a-service (SaaS) provider to which you will be transmitting data in the cloud. However, narrowing down cloud service providers can be daunting, and figuring out how to vet the security of the selected vendors can be even more so. That is, unless you know the questions to ask them. Start with these:
Where are your servers located and how secure are they?
When you access the cloud, you’re still relying on physical servers; they’re just somebody else’s. Know where the vendor’s servers are located, and make sure they’re geographically redundant. This way, if a disaster in one region takes out a server, a server in another region can take over. Also make sure that appropriate security measures are in place to guard these servers both physically and digitally.
What are your encryption practices?
Know when data is encrypted, where, and at what level. It should be encrypted both in transit and at rest (in storage). Never entrust your client data to an unencrypted solution; if your potential provider does not resemble a virtual Fort Knox, move along.
Here’s another point to keep top of mind: certifications. Thomson Reuters Firm Central has a SOC 2 Type II security certification. This certification is an independent review that confirms the quality and effectiveness of the processes a provider has in place to safeguard your data. The review covers the provider’s policies and procedures for the security, availability, processing integrity, and confidentiality of customer data.
What is your backup plan?
Data security should also encompass data recovery. Make sure that if a digital disaster happens and your system crashes, your vendor can easily restore every bit of your electronic information. Make potential vendors detail their backup protocols, including how often backups are taken and how restores are tested. If the protocols aren’t robust, back away.
Do you want to make sure you’re doing all you can to avoid data-security liability? Have a security plan in place to prevent an unauthorized breach before it occurs, as well as a crisis plan outlining the steps to respond to a data breach should one occur.