By Steve Couch, president and CEO of the Ohio Bar Liability Insurance Company
The words “cyber,” “cyber breach,” “data breach” or “cyber terrorism” should resonate with the typical Ohio legal practitioner. The highly publicized data breaches affecting Sony Pictures Entertainment (corporate network compromised), Target (40 million records), Adobe (2.9 million records), or Schnucks grocery store (2.4 million records) should cause attorneys to consider the security of their firms’ records and data. If you haven’t considered the risk these threats pose and taken the steps necessary to reduce that risk, your oversight may prove costly.
In addition to obtaining insurance protection against a loss, law firms can and should take the following steps to help prevent a security breach.
1. Develop a comprehensive information security plan designed to prevent data breaches. A great resource is the ABA Cybersecurity Handbook.
2. Conduct a risk assessment, which often can be aided by the services of knowledgeable, objective, independent IT vendors.
3. Use appropriate encryption technology on servers, desktops, laptops and all mobile devices.
4. Limit access to computer systems, email and directories only to known and trusted users, and implement and follow appropriate password policies.
5. Develop and follow a data retention and destruction policy, so that personal data is not at risk. It is important to sanitize and eliminate personal information that is no longer needed, and frankly, to avoid collecting personal data that is not essential. Law firms should carefully analyze where such data is kept, and limit the number of places where such data is retained.
6. Keep anti-virus and security software up to date, regularly applying recommended patches.
7. Educate employees about appropriate handling and protection of sensitive data and use and protection of passwords.
8. Implement and follow a written Internet security protocol (WISP) to explain in detail how Internet access and usage should be conducted on firm computers, and specifically, the limits on such usage. Not only is this employee education process important, but management of this exposure should also continue through employee exit strategies, realizing that unhappy former employees pose a significant risk for a potential data breach.
9. Finally, develop a comprehensive breach preparedness plan, to enable decisive action and avoid operational paralysis when a data breach occurs. This will allow a firm to respond to a breach incident in a timely manner, perhaps limiting the scope of the breach and potential damages to those whose information has already been compromised, as well as limiting the amount of lost productivity and negative publicity that might result from a data breach.
With careful thought and planning, law firms can significantly lower their exposure to a potential data breach and have a road map in place when and if such an event occurs.