Why Your Law Firm Needs a Data Protection Policy
For any law firm, keeping client data confidential is a paramount concern. To this end, many firms establish a strong data protection policy (DPP) that defines how firms will store, transmit, and eventually dispose of their important files.
In this article, we’ll cover the basics of what a data protection policy is, some of the compliance requirements law firms need to meet when handling sensitive data, and some tips for creating a strong DPP.
What Is a Data Protection Policy?
A data protection policy is a formal document used by an organization to standardize how members of that organization will store, transmit, use, monitor, manage, and eventually dispose of protected data. In law firms, “protected data” could include, but not necessarily be limited to, items such as:
- The firm’s financial data
- Client financial data
- Case documents
- Client documents (such as wills, power of attorney documents, etc.)
- Other personally identifiable information (PII) of clients, such as names, addresses, and Social Security numbers that may be on file
In short, if it could be considered a “sensitive” file, then it should be included in your firm’s data protection policy.
One thing that can make a DPP complicated to carry out is the need to account for on-premises data storage media, remote data backups you use for your data retention efforts, and any mobile data storage that may be used by the various members of your firm. Also, it’s important for the firm to add data protection tools so that it can actually follow the guidelines set forth in the DPP document.
Law Firm Compliance Requirements
What kinds of protections do law firms need to put in place? This can be a tough question to answer, as data security standards for businesses vary from one state to another. While legal degrees require years of dedicated study, cybersecurity isn’t typically a required course. As noted by Cybersecurity Guide, a resource that lists cybersecurity programs available in each state, “As the minimum requirement for practicing law, law school J.D. curriculum does not usually include courses specific to cybersecurity law.”
Even in pre-law preparation, there isn’t an emphasis on cybersecurity. The American Bar Association (ABA) states that “You may choose to major in subjects that are considered to be traditional preparation for law schools, such as history, English, philosophy, political science, economics or business, or you may focus your undergraduate studies in areas as diverse as art, music, science and mathematics, computer science, engineering, nursing or education.”
The ABA doesn’t really emphasize any specific type of course to prepare students for law school, and law schools don’t necessarily teach cybersecurity—though there are some schools that do offer cybersecurity law courses that may teach some of the basics for those who wish to specialize. For example, if a student were to go beyond their Doctor of Jurisprudence degree to pursue a Master of Laws degree (LL.M.), they could specialize in cybersecurity law and would likely take cybersecurity-related courses to give them the mastery of cybersecurity concepts needed to parse cybersecurity-related issues.
However, there are some applicable standards and broad legal requirements for businesses of all types that can also apply to law firms. One example would be New York’s General Business (GBS) Chapter 20, Article 39-F Section 899-BB, which requires businesses to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” To help you prepare your own law firm’s data protection policy, here are a few basic requirements that any DPP document should cover:
Data Storage
How will the law firm store the data it needs to operate as a legal practice? How will sensitive client data-at-rest (i.e., in storage) be protected from illicit access and accidental exposure?
Common data storage security measures that could be considered reasonable may include:
- Implementing a network firewall to prevent outside access to law firm data storage media
- Using data encryption on stored data to make the information unreadable to unauthorized users who don’t have the encryption key
- Installing antivirus/antimalware and monitoring solutions such as security information and event management (SIEM) tools to guard against malware intrusions
- Incorporating a remote data backup solution to prevent the loss of critical files in case of a disastrous event (power loss, damage to storage media, ransomware attacks, etc.)
Data Transmission
How does the law firm handle moving data from storage to another location, such as a lawyer’s laptop or to a client? Who has access to sensitive information, and how are identities verified before any data is transmitted?
Data being transmitted is at risk of being intercepted or even being sent to the wrong party. So, a data protection plan should include:
- Measures to verify the identities of anyone accessing protected information
- Solutions to prevent the interception of transmitted data (such as VPNs with encryption for data-in-flight)
- Guidelines for verifying that any outgoing communications are only being sent to the correct parties
Data Compromise Response
If a data breach occurs, how will your firm respond to it and notify any affected parties? New York’s SHIELD Act specifically requires businesses to disclose any breaches “in the most expedient time possible and without unreasonable delay, consistent with the general needs of law enforcement.”
So, it’s important to have a solution for monitoring data breaches that can determine what data was compromised. This way, your firm can accurately target notifications to the affected clients.
Additionally, it’s important to have an incident response plan that details roles and responsibilities for the whole of the law firm—including who to report to (such as your network security vendor), what each person should do to help contain the breach, and how to use any data breach remediation tools that may be available.
How a Data Protection Policy Can Help Law Firms
What are the benefits of having a data protection policy for your legal practice? Having a strong DPP can have a few different potential benefits for law firms, including:
- Demonstrating the Firm’s Commitment to Data Privacy and Security. Times are changing. In the wake of constant data breaches and identity theft incidents, clients are becoming more conscious about the need to protect the privacy of their data. So, these security-conscious clients may use a law firm’s data security management as a deciding factor when choosing to retain a firm. There are well over 100 law firms in New York alone, and the top 10 firms all have hundreds of lawyers—so those seeking legal services may be spoiled for choice. Every differentiator can be a crucial competitive advantage.
- Securing Data Helps Prevent Breaches. While no cybersecurity setup is completely proof against all cyber threats, having a strong DPP in place can help to reduce your firm’s security risks and prevent breaches from regular intrusion attempts. When clients are entrusting you with their personal information, being able to stop basic threats is crucial. Additionally, by preventing breaches, law firms can avoid the often-expensive and difficult process of remediating breaches as well as the reputational damage a breach can cause.
- Reducing the Risk of Malpractice Lawsuits. A data security breach can easily be grounds for a malpractice suit. However, data protection plans can help law firms minimize their malpractice risks. First, by preventing a data breach, the firm can avoid having a malpractice suit being made against them. If a breach does occur, being able to show the DPP document and how it was followed could help the law firm prove that it was not negligent in handling client data. This could be crucial during a malpractice case for minimizing settlement amounts.
- Minimizing the Risk of Penalties from Regulators. Failing to meet common data security standards can easily open up any business to fines and other penalties levied by regulators. Law firms are no exception. By having documented data privacy and security policies in place and upholding them, law firms can reduce the risk of being penalized by regulators.
5 Tips for Developing a Data Protection Policy for Your Legal Practice
What can you do to make your data protection policy as strong as possible for your law firm? Here are a few tips to get you started:
1. Start by Examining Existing Data Security Standards
Before creating your data protection policy document, take some time to investigate existing data security standards to get an idea for the specific kinds of protections and policies your firm will need.
Some good examples of where to start include:
- The Payment Card Industry Data Security Standard (PCI DSS). Governed by the PCI Security Standards Council (PCI SSC), this data security standard provides a specific overview of how to protect payment card information and cardholder data. Law firms can apply many of the standards listed by the PCI SSC to the protection of their clients’ financial information and other personally identifiable information.
- The European Union’s General Data Protection Regulation (GDPR). This EU law protects the data privacy of EU citizens and is applicable to any organization that collects and processes the personal data of EU citizens. The specific guidelines of GDPR can be useful for helping your firm establish data access controls that make providing clients with necessary information easier.
- The Health Insurance Portability and Accountability Act (HIPAA). While specific to the healthcare industry, the guidelines of HIPAA can be useful for establishing what a “reasonable” measure to protect data privacy and accessibility is.
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST cybersecurity framework establishes a clear set of standards for developing organizational understanding of cybersecurity management, protecting data, detecting security incidents, responding to said incidents, and recovering from breaches. The framework also separates organizational cybersecurity management into four distinct tiers (partial implementation, risk informed, repeatable processes, and adaptive cybersecurity management) and defines each one to make it easier to see where there may be room to improve your law firm’s data protection.
These are just a few of the different data security standards that you could examine. There are many others out there that you may find helpful for creating a data protection policy.
2. Don’t Forget About Data Security in the Cloud
Remote data backups and other cloud-based solutions can be invaluable for law firms by providing easy access to software and services that would be cost-prohibitive or impractical to handle with IT assets owned by the firm. However, not all cloud solution vendors have strong cybersecurity measures in place to protect your firm’s data.
When contracting with a vendor for cloud-based services, it’s important to verify what kind of cybersecurity measures they use to prevent illicit access to your firm’s data and to avoid data loss events on their end.
3. Take an Inventory of Your IT Assets and Data
Before implementing a data security plan of any kind, it’s important to know what needs protecting. To this end, it is vital to conduct a thorough audit of your IT assets and data when setting up your security policy documents.
Without a complete audit of your data and IT assets, there may be items missing from your data protection policy—leaving them unaccounted for and more vulnerable than other assets.
4. Define Clear Roles and Responsibilities for Every Member of the Firm
Everyone from the partners in the firm to the paralegals, front office staff, and even the summer associates should have some idea of what they need to do to protect firm and client data.
So, it’s important to define clear roles and responsibilities for every member of the firm in your DPP documentation (and make sure they are communicated clearly). For example, everyone should know what kind of data they’re allowed to access, what to do if they suspect a data breach, and how to verify identities when sending replies to emails requesting protected information (to avoid potential phishing scams).
5. Review Local Legislation for Business Cybersecurity Requirements
Data security and privacy requirements may vary from one jurisdiction to the next. So, it’s important to check your firm’s local legislation for any laws pertaining to cybersecurity requirements.
Searching the local legislator’s website for key terms like data security, cybersecurity, data breach notification, and information security can be a good start. Additionally, you could contact local regulatory bodies directly to ask for information about your jurisdiction’s specific requirements.
These are just a few tips that you could follow when creating a data protection policy for your law firm. If you need help managing IT or cybersecurity for your law firm, reach out to Converged Technology Group for information and support!