Why Law Firms Should Care About Data Security
Data security is a major concern of the online age. Almost every business today collects and stores customer data regularly. However, very few industries store highly sensitive user data, and legal services and law firms are among them. Naturally, data security for law firms is a matter of concern.
In June 2017, global law firm DLA Piper suffered a data breach, which resulted in the law firm shutting down its digital operations. If reports are to be believed, law firms are increasingly an attractive target for data security breaches. Moreover, with one breach, a law firm suffers long-lasting reputational and financial losses. Additionally, there have been instances where clients have sued law firms for data breaches and left them to partner with other security-compliant law firms for their future legal requirements.
Laws enforcing data security for law firms:
Clients share a lot of data with their lawyers and law firms, which may include trade secrets, financial details, social security and other personal information, contracts, intellectual property agreements, and so on. Naturally, data such as these hold a special appeal in the eyes of hackers, identity thieves, and criminals.
Furthermore, every law firm is morally obliged to take the necessary steps to avoid a data breach. Because clients place their trust in law firms, it is the moral and ethical obligation of law firms to ensure the security of their sensitive data and, if there is a data breach, to take the necessary steps to reduce the impact of the damage.
Data security law in the USA:
From a legal perspective, as per the American Bar Association (ABA) Rule 1.6: Confidentiality of Information, lawyers should “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client”.
Data security law in the EU:
Moreover, for a law firm with operations in the European Union, certain principles that should ideally govern the processing of personal data are enshrined in Article 5 of the GDPR. They are:
- ‘lawfulness, fairness and transparency’ in the processing of data;
- ‘purpose limitation’ by collecting the data for legitimate and specific purposes;
- ‘data minimization’ by processing the data to the extent of the requirement and not more;
- ‘accuracy’ of the data, by keeping it up-to-date;
- ‘storage limitation’ by storing the data in a form that allows identification of the data subjects only for as long as is necessary;
- ‘integrity and confidentiality’ of the data by ensuring the security of the processed data;
- ‘accountability’ of the Controller.
Data security law in India:
In India, as well, the Information Technology Act, 2000, by way of Section 43A, commands a ‘body corporate’ to employ ‘reasonable security practices and procedures’ in order to ensure the safety and security of ‘sensitive personal data or information’, and in the event of a failure to do so, to pay ‘compensation’. Additionally, Section 72A of the same act enshrines the punishment for disclosure of information in breach of a lawful contract, which may be imprisonment for a term extending up to 3 years, or a fine extending up to 5 lakh rupees, or both.
Measures to ensure data security for law firms:
- Have strong passwords for all electronic files, databases, and emails. The importance of a strong password can never be ignored. Moreover, law firms should also mandate multi-factor authentication or biometrics so that the power to allow access lies with authorized personnel only
- Eliminating global or group access and providing access to client data on a necessary and key personnel basis
- Most law firms have a private network for connectivity and accessibility. However, it is best practice to set up encryption keys that give alerts whenever there is any security breach
- Installing antivirus on all computers
- Avoiding paper documentation and, where it is absolutely necessary, ensuring its absolute security
- Get insurance to protect against data breaches so that, in case the worst happens, law firms have the financial security to deal with some of the repercussions
- Running regular data breach checks
It is nice to see that data security for law firms is a major point of discussion in the legal fraternity. Additionally, studies point to the fact that many reputed law firms are investing in cybersecurity programs. However, the practice is not very common yet. Our suggestion: move away from paper-based law firm practice to a cloud-based case management system that can aid your cybersecurity measures extensively.