IndyBar: Practice Toolkit: ‘I’m the King of the Castle, You’re a Dirty Rascal’: Data Security Documentation for Law Firms

By Jared Correia, Red Cave Consulting

Just about every law firm owner is concerned about keeping clients’ data confidential, and if they’re not, they definitely should be. There are clearly delineated responsibilities for doing so, not only addressed in the code of ethics for attorneys that are published in every jurisdiction — there are also requirements extending to attorneys based in state and federal law. Of course, beyond all that, some law firms will want to do even more than is required to meet a level of best practice, not ascribed by rule or statute — which set of rules and regulations could be described as a minimum competency standard. Most of the rules break down to a reasonableness requirement = what is reasonable, in terms of data security, for your business, based upon your business’s size, scope of work and (financial) resources. But whether you decide to operate at simply the required level for data security or something more — you’ll want to provide some documentation around what your process is, both to ensure that you will keep to it, and also to allow your staff to better understand your expectations.

These are some of the primary documents you’ll wan to consider launching in your law firm to help govern your overarching data security program:

Written Information Security Program (WISP). The written information security program (sometimes referred to by different names) is your anchor program for data security. In it, you will identify the potential security loopholes in your law firm and how you close those — e.g., this is where we store documents and how we encrypt them, etc. The document should identify a staff person who will manage the program, and it should be reviewed at least annually. There are a number of templates available online for this sort of document. And, it needn’t be long; three to four pages should be sufficient and compact enough.

Remote Work Policy. With the continued prevalence of the hybrid workforce, law firms should also launch remote work policies, which govern how their employees will work from home. Now, while everything covered in this document will not address security directly — e.g., you must have another adult caretaker of minor children when you’re working from home — much of it will address how employees access information about the business, including its clients.

Device Management Policy. A device management policy covers the security protocols for devices that employees use to access and manage law firm data — whether those devices are owned by the firm or owned by the employee (but hopefully locked down by firm IT personnel). The cloud delivers convenience, but also requires due care.

Incident Response Plan. This document identifies how your firm would proceed if a data breach occurs and would likely follow statutory notice requirements, at the very least. Sometimes, this is incorporated within the WISP.

Business Continuity Plan. This document identifies what you would do if you experienced data loss — which could be related to a breach or not. If your firm has lost or can’t access data, or if a disaster of some kind has occurred, this is your recovery plan, which would relate back to data backup protocols that would have already been developed.

Policies & Procedures Manual. Documentation like that described above may also require that changes be made to the firms’ existing policies & procedures manual. So, this primary document would need to be updated at that time — potentially with references to workflows and process management around data security.•

Jared D. Correia, esq., is the founder and CEO of Red Cave Law Firm Consulting. He is a regular presenter at local, regional and national events.