The belief that a computer or network breach is a ‘when,’ not an ‘if’ is practically dogma now. Given this reality, every law practice, regardless of size, should have a data security plan in place. Yes, I recognize this task can seem daunting — particularly if you have no idea where to start — but failing to do it simply isn’t an acceptable choice anymore. Here’s why: All clients absolutely expect that whatever sensitive and personally identifying information they provide to you will be properly safeguarded — period. And if that’s not motivation enough, remember our ethical rules and various state and federal regulations are also in play.
The good news is data security plans needn’t be drafted in the form of some long, convoluted treatise on IT security. It’s really more about creating “to do” lists and developing internal guidelines and policies. The entire process can be summarized as follows.
- Determine what sensitive and personally identifiable information you have and then identify all the locations where this information is stored.
- Determine if there is a legitimate reason to collect and maintain every piece of this information. If certain types of information aren’t really needed, stop collecting them.
- Figure out how to properly secure all information that must be kept and then take whatever steps are necessary to do so.
- Properly destroy any information that doesn’t need to be maintained.
- And finally, create an incident response plan so you know what to do if and when a breach occurs.
To help you move forward with this task, I encourage you to take a look at a useful guide put out by the Federal Trade Commission that is intended to help small businesses protect personal and sensitive information. This guide provides the details and instructions most small businesses need in order to make taking the above steps a palatable task. Finally, the FTC has also published a data breach response guide where additional information can be found on what to do if, and when, you experience a breach.