Business of Law: Confidentiality and Data Security

By Dana Riel and David Michael
Fourth in a Series

In our last post we talked about competence and diligence: What lawyers think it means, what clients think it means, and what it really means.  Interestingly, Model Rule 1.1 has a Comment (8) which states: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

What does this have to do with today’s post on confidentiality and data security?  A lawyer’s competence includes the ability to properly manage confidential information. A failure to protect confidentiality could compromise a client’s case and ultimately reflect a failure to meet the ethical obligations of competence.

Every firm wants to keep their clients’ data confidential.  But where to begin?

  • Get an expert to do a security audit of your systems. That may be a cybersecurity expert.  It may be your I.T. consultant who has cybersecurity experience.  Don’t try to figure it out on your own.
  • Write up a comprehensive policy to keep your systems safe and your clients’ data secure. That policy and those rules need to come from the top down.  And partners, members and officers have a particular responsibility to follow those guidelines.  If there is a data breach, the responsibility falls on attorneys.
  • Train your staff on confidentiality and data security policies. Make sure everyone understands what is expected of them.  Training is not a one-time event for a new staff member; it needs to be continually reinforced.
    • If workstations are left on outside of normal business hours, are they protected from prying eyes? I had the experience of working at a site after hours installing an upgrade of software.  While upgrading workstations I walked towards the reception area – and discovered a janitorial staff person who seemed inordinately interested in the receptionist’s workstation, which had been left on.  I immediately went to get a staff person and when we went back to the reception area, said person and his trash bin were gone.
    • Check the audit tables of your programs. “If you see something, say something.”
    • Have procedures in place to remove access by ex-employees/staff. This should be done immediately if not sooner.  Do NOT give replacements access to the departed employee’s identity or credentials; new employees/staff need their own.
  • Make sure that all programs used have adequate protection against being hacked or stolen. This includes case/practice management, time tracking & billing, accounting, and document management. Are they password protected?  If so, are the passwords strong enough?  If your data is sensitive enough, do you have the option for two-factor authentication?  We also recommend not following your operating system’s suggestion to “save” your passwords.  If you don’t have to remember them, neither does a hacker once they’ve accessed your system.  If that is a problem, consider a secure Single Sign-On (SSO) system.
  • Use secure client portals for document sharing. When you send a document via email, you’ve put it out into the universe.  You have no control over where it goes from there.  There are several programs which offer good security, both for protecting your data internally, and sharing it so only the intended recipients can access it.

Despite your best efforts, your firm’s data has been hacked.  Now what?

Time is the enemy here and it’s crucial to take swift and decisive action to minimize damage, prevent further breaches, and begin the recovery process. Here’s what we recommend:

  • Have your I.T. firm disconnect affected systems and identify the scope of the breach.
  • Notify key personnel and top firm management.
  • Preserve evidence and document everything.
  • Notify law enforcement and regulatory agencies, if relevant.
  • Notify your staff.
  • Notify affected clients.

At Crosspointe, we sincerely hope you never have to discover your data has been hacked, stolen or otherwise compromised.  Take steps NOW to strengthen your security.  We can advise you on secure procedures, security for your programs and password protection, among other solutions.  Contact us at 877-375-2810 or write to Dana Riel or David Michael for more information.

See also:
The Business of Law: Competence Clarified
Trust Account Management: Where Fiduciary Duty Meets Financial Sense
Having the Last Word
