Spring 2014 issue of Horizons

Law Firm Security: Steps to Protect Your Firm by Matt Finke, CPA & David Richert, Jr., CPA, CISA, CIA

There is little doubt the proliferation of handheld devices, workstations with remote access and a seemingly infinite pipeline filled with software tools and applications allow today’s attorneys to become more efficient and increase the quality of the services delivered to their clients. However, while these benefits are undeniable, certain risks associated with these technology advances, such as the possibility of sensitive client information being compromised, have caught some attorneys and their firms off-guard.

Emphasizing increased information security with regard to all sensitive data maintained and transmitted by attorneys is a topic that is resonating throughout the legal profession. A derivative of the increasing rate at which attorneys electronically transmit and maintain sensitive information is an increase in law firms’ risks surrounding their information security and controls. This risk factor is becoming a principal concern within the legal profession.

Large law firms that work with sophisticated corporate clients have experienced their information security systems being heavily scrutinized by current and prospective clients. Their clients are well aware of the risks posed to their businesses should certain information communicated to their legal counsel be leaked to the media or otherwise compromised during legal proceedings. As a result, these firms expended great efforts in implementing enterprise security programs that address the risks posed by an increasingly virtual workplace.

Generally, large firms devote an extensive amount of resources toward ensuring their clients’ data is secure. However, mid-sized and smaller firms may not have the resources to spend on an extensive information security infrastructure.
It’s important to note that, while every firm’s budget varies, the potential risk related to clients’ data being compromised, and the impact a breach would have on a firm’s reputation, would cause any firm to consider investing in a more robust information security program.

Information security should be considered at several levels within a firm. Depending on the size of the firm and the level of protection from data breaches its clients require, analyzing an information security system and determining which aspects require adjustment may require the use of a professional.

Here are some steps to take to protect your firm’s and your clients’ sensitive information.

Organization Level

∙ Take stock of your data. Know your data sources, where data is altered, transferred, stored and/or destroyed.

∙ Ensure contracts with third-party vendors include non-disclosure and confidentiality clauses.

∙ Complete an IT/business risk assessment and consider hiring a professional to help with the analysis.

∙ Perform ongoing security awareness activities designed to seek out your systems’ vulnerabilities.

∙ Develop policies and supporting procedures that define expectations of your team and contractors.

∙ Control the use of portable data devices such as flash drives and MP3 players.

∙ Have a procedure in place to handle publicity if/when a data breach occurs.

Technical Level

∙ Identify who has access to your systems, especially those with “super-user” access.

∙ Ensure data transmissions are encrypted.

∙ Implement and maintain firewalls, spam filters and anti-virus solutions.


www.RubinBrown.com | page 43
