By Eric B. Barnes, CELA
How secure is your firm's data? Here's a practical checklist to help you make a security assessment.
Attorneys receive, store, and transmit a lot of personal client information. We have both legal and ethical duties to protect this information, and the failure to do so can cost our clients and us many thousands of dollars and damage our reputation in the community.
In addition to outside threats, there is always the risk of hardware failure that causes a breakdown in productivity and possibly the loss of critical information. For example, a serious computer failure or data corruption that causes you to lose your client’s billing records could have an immediate impact on your firm’s cash flow.
This information management audit allows you to consider how secure your firm’s data is.
1. Does the firm have a cloud-based backup system that meets industry standards for security from intrusion as well as providing redundancies for hardware failure?
2. Does the firm use an effective and secure system to store documents online?
3. Does the firm use a RAID system on its servers so that if a hard drive fails, you have an exact copy of its contents to put in service right away?
4. Does the firm use effective anti-virus software across all its computers, and is it regularly updated?
5. Does the firm keep in place a modern firewall system?
6. Phishing scams are responsible for about 95 percent of all security breaches. Does the firm have written data security policies and regularly provide training to employees about data security and how to recognize and avoid phishing scams (for example, never open an embedded link or any attachment from a suspicious email)?
7. Does the firm use a secure and encrypted email system consistently across all devices that send and receive sensitive information?
8. Does the firm limit access to sensitive data internally to those who need access to that data?
9. Does the firm use a password manager such as 1Password or LastPass to generate and store a variety of complex, unique passwords, and multi-factor authentication wherever it is available?
10. Does the firm have policies and procedures in place to keep all computers current with security updates as they come out?
11. Does the firm have an on-call IT consultant to troubleshoot?
12. Have all old computers and other data storage devices been securely wiped and then destroyed before disposal?
13. Does the firm have an emergency action plan to respond to a suspected or known data breach?
About the Author
Eric Barnes, CELA, practices in Kaysville, Utah, and is an avid cyclist and skier. He is a member of the NAELA Practice Development/Practice Management Section Steering Committee. This article is provided by the Practice Development/Practice Management Section. For information on joining this section, visit www.NAELA.org/Sections.