Monday, February 20, 2012

Law Firm Information Security: News, Opinions & Best Practices

Law firm information security and confidentiality management continue to make headlines and draw industry attention. Here are recent updates worth reviewing:
  • Rupert Collins-White from the Legal Support Network starts things off with some bold opinions -- Why information security has now become a costly issue for law firms:
    • "It's not like lawyers and the business services people who work in law firms don't realise the information they deal in is, usually, sensitive and commercially useful to others - they know this very well... There's another reason things go wrong, though it won't be a popular one for me to say - partners and senior associates. Some partners and senior lawyers, and they're not all older members of the profession, think they are somehow outside the normal rules of behaviour, both in terms of manners and actions." 
  • Next comes a recent article in The Recorder -- 10 Steps to Minimize Cybercrime Exposure at Your Firm:
    • "Recently, federal law enforcement officials have been quietly visiting major law firms to explain they may be vulnerable, which makes sense given the confidential nature of the data law firms store on their information technology systems... At this point, it's fair to say that firms that fail to implement thoughtful and appropriate cybersecurity measures may well be held to answer in the wake of a serious data breach incident."
    • "Review and modify access rights. You, your HR department, and IT staff should take a hard look at access rights, and conform access to what's necessary as opposed to what's convenient... Your firm's document and information management system should compartmentalize sensitive data and records so that the number of partners, associates, and other employees with access is minimized to the extent possible. Pay special attention to the access rights granted to temporary and contract employees, as well as remote access rights. Finally, make sure you timely disable and purge old user accounts; experience has shown these can become external and internal threat vectors. User accounts should be disabled at the time of an employee's departure."
  • Finally, an example of alleged security-related malfeasance -- Pa. Firm Sues Ex-Partner for Allegedly Using Dropbox to Access Client Files:
    • "Elliott Greenleaf said that prior to Balaban leaving the firm, he and others deleted 5 percent of the firm's backup tapes for Harrisburg client files, took 78,000 files from the firm's computer system, and installed 'Dropbox' software that enabled Balaban continued access to Elliott Greenleaf's computer network through remote access, according to the complaint filed by name partner John M. Elliott."
