Friday, 18 August 2017

GDPR Compliance for Law Firms: Controlling Access to Your Data



Following my recent blog posts Preparing your Law Firm for GDPR and GDPR Compliance for Law Firms: Just Where is your Confidential Data?, I have received a number of enquiries from law firms as to the ways in which they should be controlling access to their data, so today I thought it would be worth sharing some information on this important topic.

Securing your data in readiness for GDPR broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access). Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your law firm’s data, and forms an important part of preparing your firm’s information systems for GDPR compliance.

GDPR places accountability on law firms to have in place policies, procedures and documentation that demonstrate that the personal data they hold is stored securely. Bear in mind that personal data can be anything that identifies an EU citizen, which can be as simple as a name or email address, and it becomes apparent that this is likely to cover the vast majority of a firm’s data.

Therefore, for each piece of data that you hold, it is important to understand, and have documented, who has access to that data and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to do their job. Allowing staff wider access puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats.

As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.

Appropriate password policies are also very important, since if policies allow passwords to remain unchanged indefinitely, or indeed allow staff to choose an easily guessable password, then there is a danger that data security will be compromised, which does not demonstrate the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck, as overly complex password policies, which demand long and complex passwords which frequently change, can result in staff feeling the need to write their passwords down - and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR!

Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your data. In this case this needs to be secured in just the same way, so you are clear who has access to what data, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.
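As an added illustration of the access review the three paragraphs above call for (documented access levels and least privilege, leavers and role changes, and periodic review of third-party access), here is example code that is not part of the original post. The register layout, the role-to-entitlement matrix, the 180-day review interval and all users and data sets are constructed assumptions.

```python
"""Review a documented access register for the three problems the post
describes: leavers who still hold access, users holding more access than
their role needs, and third-party access that has not been re-reviewed.

Added example, not Connexion's own tooling. The register columns, the
role entitlement matrix and the review interval are assumptions."""
import csv
import io
from datetime import date

# Constructed sample register: one row per (user, data set) grant.
# This is the "who has access to what, and at what level" record the
# post says each firm should hold; names and data sets are made up.
ACCESS_REGISTER = """\
user,type,role,status,dataset,level,last_reviewed
a.smith,staff,fee_earner,active,client_matters,write,2017-06-01
b.jones,staff,secretary,active,client_matters,write,2017-06-01
c.brown,staff,fee_earner,left,client_matters,read,2017-01-15
d.white,staff,finance,active,hr_records,read,2017-06-01
e.green,third_party,auditor,active,accounts,read,2016-11-01
"""

# Assumed least-privilege matrix: for each role, the highest level it
# needs on each data set. Any data set not listed for a role is "none".
ROLE_ENTITLEMENTS = {
    "fee_earner": {"client_matters": "write"},
    "secretary": {"client_matters": "read"},
    "finance": {"accounts": "write"},
    "auditor": {"accounts": "read"},
}
LEVEL_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}
THIRD_PARTY_REVIEW_DAYS = 180  # assumed maximum age of a third-party review


def review_access(register_csv, today):
    """Return findings as dicts (user, dataset, issue, detail).

    `today` may be a date or an ISO "YYYY-MM-DD" string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        permitted = ROLE_ENTITLEMENTS.get(row["role"], {}).get(row["dataset"], "none")
        # An unrecognised level is treated as the highest so it is always flagged.
        held = LEVEL_RANK.get(row["level"], LEVEL_RANK["admin"])
        if row["status"] != "active":
            # Leaver (or suspended account) whose grant was never removed.
            findings.append({"user": row["user"], "dataset": row["dataset"],
                             "issue": "leaver_access",
                             "detail": "status is %s but grant still exists" % row["status"]})
        elif held > LEVEL_RANK[permitted]:
            # Active user holds more than the role's documented minimum.
            findings.append({"user": row["user"], "dataset": row["dataset"],
                             "issue": "excess_access",
                             "detail": "has %s, role %s permits %s"
                                       % (row["level"], row["role"], permitted)})
        if row["type"] == "third_party":
            age = (today - date.fromisoformat(row["last_reviewed"])).days
            if age > THIRD_PARTY_REVIEW_DAYS:
                findings.append({"user": row["user"], "dataset": row["dataset"],
                                 "issue": "stale_third_party_review",
                                 "detail": "last reviewed %d days ago" % age})
    return findings


def format_report(findings):
    """Render findings one per line, suitable for keeping as audit evidence."""
    return "\n".join("%-26s %-10s %-16s %s"
                     % (f["issue"], f["user"], f["dataset"], f["detail"])
                     for f in findings)


if __name__ == "__main__":
    print(format_report(review_access(ACCESS_REGISTER, "2017-08-18")))
```

Each finding maps to an action the post asks for: remove the leaver's grant, reduce the excess grant to the role's minimum, or re-confirm the third party's need for access.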

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company-owned and employee- or third-party-owned, which do not necessarily conform to the firm’s security standards. Developing policies around mobile working and ensuring there is no leakage of data or unauthorised access to data form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures any spreadsheets or databases that have been developed by an individual or department and which contain personal data.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Friday, 4 August 2017

GDPR Compliance for Law Firms: Just Where is your Confidential Data?



This may sound like an odd question, as I’m sure many of you will be certain you know just where all your confidential and personal data is held. But do you really? And does it matter?

Any business's data is precious, but none more so than that of law firms who are privy to so much confidential information and who must meet their SRA regulatory obligations to maintain client confidentiality.

Not only do law firms hold much personal data, which is governed by the Data Protection Act and forthcoming GDPR legislation, they also hold a wealth of commercially confidential details ranging from large financial transactions, to trade secrets, through to the personal affairs of high-profile clients.

But in the globalised world in which we now operate, with increasing demands for remote working, there is a real danger that your precious business data may be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails?

And then there’s data that has been shared with business partners and other third-party organisations. And data that has, for whatever reason, found its way onto file sharing services like Dropbox or USB sticks.

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs. The cloud takes many forms, from well-known public cloud offerings, through to private cloud environments and individual cloud-based software applications. Understanding which of these your firm is using and where your data is actually being stored as a consequence is paramount, if you are to meet your obligations under GDPR, which include ensuring that you do not store data in or transfer data to countries outside the European Economic Area that do not have equivalently strong data protection standards. Indeed, aside from GDPR, data residency is a major concern for law firms from a jurisdiction point of view as well.

There are also copies of data taken for backup purposes to consider. And do bear in mind this is not just your scheduled backups of your in-house servers, but can be backups that you may not even be aware of, such as automatic cloud backup software which may be installed on employee-owned devices and which is copying confidential company data to an unknown provider’s cloud storage, in an unknown location, unbeknown to anyone. Indeed, many of you may have read about a case earlier this year when an unnamed barrister was fined by the ICO (the Data Protection supervisory body in the UK) after 725 unencrypted documents containing information belonging to up to 250 people, including vulnerable adults and children, were uploaded to the internet when the barrister’s husband updated software on the couple’s home computer. These documents were visible to an internet search engine and the breach only came to light after a local government solicitor informed her chambers that documents containing confidential and sensitive information could be accessed online. Under GDPR, the financial and reputational consequences for such a breach could be crippling, so it is imperative that law firms have a real understanding of where their data is.

In general terms, the more widespread and less controlled your data is, the more vulnerable you leave your law firm to a security breach. So understanding what data you hold, where it is stored and who has access to it, is absolutely critical. This in turn needs to be documented, both so that the Senior Partners have understanding of, and control over, their data and to provide documentation for compliance and audit purposes. This not only puts firms back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.


Friday, 21 July 2017

Preparing your Law Firm for GDPR



The new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. GDPR has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well-formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Failure to comply will have potentially catastrophic implications for companies, for two reasons:

1. For any breach, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is the higher.

2. Breaches have to be notified to the data protection authority and in some cases the consumers affected, without delay. This leaves the firm concerned highly exposed to brand damage and potential customer payouts.

Whilst law firms already have onerous SRA compliance responsibilities to meet in relation to data protection, many may still need to broaden their security measures and precautions in order to meet GDPR, as well as ensuring that they have in place the necessary written SOPs and can provide documentary evidence to demonstrate compliance.

So what do law firms need to be doing to prepare for GDPR?

Well this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.

2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if firms are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.

3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. This is very important if you are to avoid data breaches and hence the crippling fines and reputational damage that would be brought about by this.

4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.

5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up-to-date with best practice around security and data protection.

6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your firm.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.

Friday, 7 July 2017

Secure Remote Working for Law Firms



Most law firms I speak to these days are keen to embrace the commercial benefits that remote working can deliver for their firm, allowing their fee earners to work from home or other remote locations, thus maximising their time and productivity as well as facilitating more flexible working practices.

However, given the wealth of highly confidential data that law firms are dealing with on a daily basis, there are naturally also concerns about the implications of providing remote access and whether this could compromise client confidentiality, SRA compliance or data protection.

There is no doubt that a myriad of risk management issues exist around cyber security, as those who read my previous blog Effective Cyber Security for Law Firms will have seen.

However, there is much that can be done to mitigate these risks, and enjoy the best of both worlds, by deploying well designed, well managed, highly secure technologies that ensure that no data ever leaves the security of your law firm’s servers or data centre.

As an example of this, I’d like to share a recent implementation we have completed for a UK law firm, where there was a pressing business need to provide secure remote access to all their systems for their fee earners. In this case, the solution designed allowed nominated staff to access their full computer desktop from any internet-connected laptop or computer, at any location. As well as the normal office suite of applications and email, the system provided fee earners with full access to their practice management software, dictation software and all their files. The key here was that all data and applications remained at all times on the law firm’s highly secure, tightly managed back-end servers, with the end user device effectively just providing a “window” into that system. In this manner data remained centralised, subject to the firm’s stringent security policies, safely backed up and never transferred to individual fee earners’ personal devices. A number of additional layers of security were also put in place, including two-factor authentication via SMS message, which requires a logon from outside the office to be authenticated via a text message to the individual’s mobile phone, thus providing an additional level of security over and above a password alone.

In other cases, where law firms are receiving emails on their personal smartphones, and thus copies of potentially confidential data have been transferred outside the secure environment of their servers, we work with their in-house IT department to implement robust mobile device management solutions. These provide the firm with the control needed over corporate data that is on staff members’ own devices, but cleverly allow a separation of work and personal data on the smartphone, so that the firm has all it needs to control data from a compliance perspective, but that control does not interfere with or extend to the user’s personal applications and data, such as photographs or personal emails. As well as PIN-protecting company email, such solutions can be configured with a variety of policies that allow the network administrator to lock or wipe the corporate data from the device remotely and immediately in the event of an issue such as a device being mislaid or a staff member leaving.

So, whilst nothing in life is completely without risk, with the right advice, people, technology and structured processes in place, there are certainly effective ways that law firms can achieve mobility without compromising confidentiality or compliance.

Over coming blogs, I will be exploring in more depth some of the key issues around successful use of IT in law firms, including protecting both client confidentiality and the structural and financial stability of your law firm, through appropriate risk management. In the meantime, if you would like to know more about secure remote working solutions for law firms, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.


Tuesday, 20 June 2017

Effective Cyber Security for Law Firms – Why a Structured Approach is Paramount to Managing Risk


With cyber attacks and data breaches hitting the news headlines seemingly daily, it cannot have escaped anyone’s notice that risk management around cyber crime is now a massive issue for all businesses. Law firms are particularly at risk given that they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high-profile clients. As such, I frequently get asked by my law firm clients for advice on the best ways to manage the risk around cyber security, so today I thought it would be useful to share some information on this important subject.

Cyber crime is now a widespread issue, with a study published by Osterman Research Inc in August 2016 showing that 72% of UK based organisations had suffered a security attack in the previous 12 months.

The types of attacks experienced are diverse, ranging from "phishing" attacks, where criminals attempt to obtain access to confidential information or passwords, through to "ransomware" attacks, such as the recent WannaCry attack on the NHS and many other organisations, where criminals hold your data to ransom by encrypting it and demanding money for its decryption. The motivation behind these attacks varies from quick money-making scams, through to much more sophisticated espionage.

Protecting confidential client information is one of the most essential requirements for any legal business to ensure compliance with SRA Principle 10 and outcome 4.1. As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Senior Partner involvement with establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite.

And this is where a structured approach to IT management becomes critical. With many in-house IT Managers understandably being pulled from pillar to post delivering day-to-day support, it is easy to lose sight of the systemised approach and relentless attention to detail that is needed to manage a law firm’s risk around cyber security. There is so much more to cyber security management than technology. Yes, a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding cyber security. For example:

1. How promptly do security updates get applied to your servers and PCs? How are they tested to ensure they won’t cause a problem with your systems?

2. What procedures do you have around leavers and removing their access, including remote access?

3. How do you separate and secure data that is held on personal devices, such as emails on smartphones?

4. What policies do you have to prevent data leakage from stolen mobile devices or copies of files made to portable media like USB sticks?

5. How do your staff know which emails are genuine and safe to open, and more importantly, which they shouldn’t open?

6. How do your processes and procedures ensure new starters or temporary resources are educated in cyber safety procedures?

7. How is your system backed up, and how long would it take to recover it in the event of something like the recent ransomware attack? How often is it tested to ensure it would be successful? How would your firm operate in the interim?

8. And in the worst case scenario, how would you handle communication of a cyber attack in order to minimise the reputational damage?

To compound matters, cyber crime is a constantly changing landscape, with new threats emerging continuously and a constant need for law firms to re-evaluate and update their risk management plans in order to remain one step ahead of cyber criminals.

With so much to consider, does this mean law firms should shy away from using technology? Absolutely not. Effective use of technology is essential to the survival of any business these days, and law firms are no different. With changes in working practices, increasing globalisation, increased competition and the widespread adoption of new technologies by consumers, it is actually critical that law firms embrace technology if they are to survive and thrive. Cyber security is just like any other risk which needs to be managed.

And in my experience, the key to successful risk management around cyber security is having a highly structured approach, encompassing effective procedures and policies that are constantly reviewed and updated, along with a suite of supporting technologies. Such policies will involve a multifaceted approach, incorporating user training to help people at all levels in the firm understand how to reduce the likelihood of attack, a suite of technological solutions to help guard against threats, day-to-day operating procedures that are rigorously adhered to, as well as contingency plans to fall back on should the worst happen. Such a structured approach towards management of IT systems not only addresses the challenges of cyber security but also brings with it the ability to successfully and safely harness technology to deliver real value to law firms.

Over coming blogs, I will be exploring in more depth some of the key issues around successful use of IT in law firms, including protecting both client confidentiality and the structural and financial stability of your law firm, through appropriate risk management. In the meantime, if you are concerned about your firm’s vulnerability to cyber threats, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.
