Data security for law firms

How to keep clients' personal information safe and secure

Law firms are faced with the same important decisions that any client-centric and technology-reliant business is faced with today. Protecting and securing their clients’ personal identifiable information is one of them.

But what’s the best approach? Is it a single option. like a thorough data governance plan, cybercrime security and prevention, cloud storage, or is it a multi-layered approach involving all of these security options? The truth lies somewhere in the middle and depends on the firm’s size and data security budget.

These days the cloud looks appealing, especially with the pay-for-what-you-use model and with employees requiring access from anywhere and from any device. But what does “going to the cloud” exactly mean? Many businesses and individuals truly don’t know what it requires, or entails. It’s not as simple as an “on” and “off” switch.

For those businesses, such as law firms, that maintain, manage, and access person identifiable information on a regular and continual basis, consider these key questions before going to the cloud:

 • How will you use it – for cloud-based server access and storage or email and file sharing?

 • Will current business applications work in the cloud?

 • Is replacing physical servers with a cloud-based server and data storage an option?

 • What is Office 365 and how does it apply to my business?

In today’s data breach-riddled world, it’s difficult to know whether a network is protected enough from ransomware attacks or the next resourceful cybercriminal. Law firms are particularly attractive to these thieves because of the confidential records and data routinely maintained and exchanged.

An information security program with a layered approach to security is an excellent option, but before instituting one, be sure to consider certain factors and enable specific updates and services:

 • Apply security updates to servers and endpoints (desktops and laptops) on a regular basis

 • Run anti-virus to mitigate risk of infections

 • Force encryption of endpoints in case they are lost or stolen

 • Have a modern firewall in place

 • Scan the part of your network that is exposed to the Internet for vulnerabilities

 • Implement a security information and event management solution, along with the ability to respond when a security event is detected

 • Engage a good spam and anti-malware filter service for your email

 • Use a two-factor authentication security solution to make sure you know who is connecting to your network

Additionally, it’s imperative organizations ensure their end users go through security awareness training. All too often, companies fall prey to ransomware, due to an employee clicking on an email or a malicious advertisement on a website.

Today, businesses are far more likely to lose data to a cyberattack than to a disaster, like a fire or flood. A data availability and recovery plan will ensure clients’ data is not lost and is easily retrievable in a reasonable amount of time.

Before adopting a data availability and recovery solution first secure alignment between the senior leadership and IT teams and then answer these questions:

 • Is there an existing disaster recovery plan?

 • If so, has the plan been tested to see if it works?

 • Which business processes and applications are at risk in the case of a single server failure or loss of data due to cybercrime?

 • How long will it will take to begin working from a recovery site in case of a major disaster?

 • How long will it take to move data and applications back to the primary production site once the disaster is over?

If it seems overwhelming, here are two simple steps to begin the process of designing an appropriate plan so that your law firm or business can withstand different technical hurdles, from ransomware to a natural disaster.

1. The senior leadership team should identify the critical systems and applications, then decide on the recovery time objective (RTO) and recovery point objective (RPO) they can live with should a destructive incident occur.

2.The IT team should then utilize the RPO/RTO timeframes dictated by the senior leadership team to find the data availability and recovery solutions that will deliver on those goals. Note that with the amount of data many organizations have today, you may need more than one solution to meet both recovery and budgetary requirements.

No matter the size of your law firm, protecting your clients’ personal identifiable information has to be a top priority. Take the time to assess your specific business data security needs and then create an approach that works best for your given budget. Options exist today that didn’t 20 years ago, and the solutions today are more nimble and more flexible than ever before.

Justin Whitlock, an account manager at Maine-based Systems Engineering, can be reached 603-226-0300 or through

Categories: Legal Advice