The threat from within
13 August 12
There are a multitude of ways in which an office's data security can be breached by a member of staff - how good are your safeguards?
Perhaps the bestselling author Stieg Larsson is partly responsible for some of us conjuring up visions of computer hackers in darkened rooms when we think of data protection threats to our businesses.
While the data security threat is a very real one (the very nature of legal work means that the profession is often entrusted with clients’ most sensitive information), more often than not the real dangers come from more mundane sources. Your practice is much more likely to suffer the serious reputational damage and potential fines that a loss of confidential data can bring as a result of a careless mistake by a member of staff rather than a malicious attack by a criminal hacker.
Consider the risks to clients’ personal data, or indeed sensitive firm data, in the following situations:
1. Physical files are taken out of the office by staff to work on at home on an ad hoc basis.
2. Laptop computers and smartphones are being used to work on at home and in transit.
3. Documents are stored on memory sticks to take to a meeting.
4. A fee earner disposes of an old draft document in his deskside bin.
Even assuming that an audit trail is in place for the whereabouts of such files, the risk remains that they might be lost in transit on public transport, left in a café, stolen from someone’s home or car, destroyed by fire, or read by someone’s partner, cleaner or a bored babysitter on a Saturday evening.
Laptops and smartphones
Laptops and smartphones, in common with most portable electronic devices, pose particular dangers for data loss. A recent report by Experian Creditexpert (quoted on the BBC news in July) revealed that more than 12 million pieces of personal information were traded illegally online globally between January and April 2012.
Where sensitive data is unencrypted, or the protocols for use are inadequate, the very portability of laptops, smartphones and the like, and the consequential increased risk of theft or loss, means that confidential data can be at risk. It is therefore particularly important to ensure that sufficient controls are in place.
Check whether your devices can have data wiped from them remotely, in case of theft. If so, can this service be accessed out of office hours?
Memory sticks are a particular source of risk. They are tiny, can store an incredible amount of data, and are rarely encrypted. At the legal risks conference in Glasgow earlier this year, Marsh referred to recent research which indicated that about 17,000 memory sticks are found in clothes left at dry cleaners each year, in the UK alone.
If you are to allow their use at all, ensure that there are strict protocols around the use of memory sticks. Good encryption is essential. Try not to store more than the documents you need for the particular meeting in question. Delete saved files from the memory stick regularly.
Disposal of information
Confidential information is still found in ordinary waste disposal. If you do not shred confidential waste in-house, take reasonable steps to ensure that your outsourced provider is operating to sufficiently stringent standards. And, most importantly, reinforce the message within your office that, if in doubt, papers should be shredded – whether in the office or when working on files out of the office. Every time you replace technology in your office – even if it is just the photocopier – remember that many of these devices have memory storage, and that old devices should be made safe before they are disposed of.
While the view might persist among some that data security matters are the domain of the data controller within their firm or the IT department, data security is in fact something that everyone needs to build into their daily working life. Against a background of growing public concern as to the handling of their personal data, and high-profile breaches reported in the media, effective information security is an essential of modern practice management.
Consider whether physical files should be removed from the office (for meetings or to work on from home), or whether alternative methods of working may be equally effective while reducing the associated risks. Protocols – e.g. requiring the signing out of files to a nominated person, or promotion of home working using remote access to encrypted servers and suitably protected laptops – ought to be embodied within the firm’s written practices. Placing notices on office doors reminding staff not to remove files from an area without signing them out is a simple way of reinforcing good practice.
Practical measures you can take to protect data on your laptop or smartphone include maintaining a strong password – and changing it regularly – and ensuring that the latest security updates, including anti-virus software for your smartphone, are installed. Where possible, minimise the risk of cyber attack by not using office laptops and phones for personal purposes (for example downloading non-work-related apps and software). Staff should be given written instructions as to how to wipe their smartphones in case of loss or theft. This process ought to be achievable via any PC, including outside normal working hours.
While human error can never be completely eliminated by even the most effective risk management systems, increasing awareness of the risks among staff and implementing standard procedures across the entire firm are good starting points.
Recent investigations by the Information Commissioner’s Office suggest that many organisations are simply not giving staff sufficient training on information security matters. For solicitors in Scotland, there is relevant CPD training available free of charge on the Marsh website (www.marsh.co.uk/scotlaw). In common with most risk management training, this is not a once-and-for-all process. As technology and behaviours change, so do the risks. Make sure that you are kept abreast of significant emerging risks.
Liz Comerford, a solicitor formerly in private practice, is the Depute Director of the Diploma in Professional Legal Practice at the University of Dundee. She can be contacted at firstname.lastname@example.org