Security considerations for law firm data governance

The legal community deals with a huge amount of data. Legal strategies, client communications, research, e-discovery, documentation, billing, personal information about clients—the list of data types with which law firms are entrusted every day is continuously growing. Effective data management is critical, because immediate access to data is just as important as keeping it protected. Data governance frameworks help a firm stay in compliance with current regulations and standards.

Data governance refers to a framework establishing how the data that an organization collects and stores should be managed, accessed, and kept private. How this framework is structured depends largely on the types of data being collected, and it also assigns responsibilities to invested stakeholders, who are held accountable for specific elements of the management process. Because law firms need to manage an array of complicated data, delegation is critical. Data management should not be solely the concern of the IT department. Upper management support and involvement help set expectations for data governance, especially with regard to budgeting and the allocation of necessary resources.

Establishing this degree of communication within a firm about its data governance strategy requires data stewardship. Data stewards are assigned to specific data assets or business processes and take particular responsibility for how those assets are accessed and protected.

More is not better

Data governance strategies should specify how long each type of data is to be retained and how and when that data is destroyed. Storing large amounts of inactive data (especially confidential or personally identifying information) makes law firms a prime target for breaches. Data architecture frameworks are used to document which data assets are being stored and where, as well as how they move within the network. Data inventories should be kept consistently up to date so that data minimization is easier to organize and execute.

Data frameworks are critical in clearly communicating within the firm what types of data are being amassed, where they are being stored, and what technologies should be used to manage them, such as cloud infrastructures. Cloud computing allows immediate access to data from internet-enabled devices without the data being physically stored on the organization's own premises. Remote servers enable employees to access data from anywhere. The cloud is a cost-effective and simpler technology for many organizations, and it replaces centralized data storage with a distributed and expanded framework. That said, this decentralized system requires a strong relationship with your provider, an understanding of what data is being stored, who your clients are, and how much risk you are willing to accept. Implementing cloud security solutions is important for protecting data that is not completely in your control. Encryption policies and user education also help balance data protection with immediate accessibility.

Strongest possible controls

Law firms are being pushed to implement the strongest possible information governance controls and procedures. Clients have high expectations for data security, and recent international laws point to increasing cybersecurity pressures within the United States. The General Data Protection Regulation (GDPR) has a significant impact on U.S.-based law firms whose clients have protected EU status. Breach notification, consent for how data is collected and used, data minimization, and breach assessments are all elements of what the GDPR requires. “All customer-facing documentation will require revision to comply with the GDPR,” notes a recent article in the magazine American Gaming Lawyer, “which requires providing detailed information to data subjects regarding the processing of personal data in a concise, transparent, intelligible, and easily accessible form.” Strong data governance frameworks make compliance with security regulations feasible.

The reputational, financial, and legal risks associated with a data breach at a law firm are severe. Huge stores of data, increased use of the Internet of Things and a variety of mobile devices, cyber regulations, and client expectations for data privacy all make for a very complicated set of requirements by which law firms have to abide. Data governance frameworks assign accountability and promote interdepartmental communication, upper-level support for secure data policies, and the use of technical tools and resources to protect and access data. Preparing for data breaches with strong incident response plans that take compliance into account (including the costs of non-compliance), having qualified security personnel, and perhaps investing in cyber insurance all help demonstrate to clients a firm's focus on keeping their data secure.

MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 trials. He is a member of the MN Lawyers Professional Responsibility Board.