The General Data Protection Regulation (GDPR) reinforced the need for businesses to take 'appropriate technical and organisational measures' to keep personal data safe. Law firms have for a long time had a regulatory responsibility to keep client data safe and just as importantly, confidential. So what advice can you provide to your employees to ensure that client personal data is safeguarded?
A lot of the focus tends to be on cyber and digital threats to data, but physical security is just as important. Here are 5 top tips for physical data security:
- Have a policy for taking files out of the office - Any file taken out of the office is a potential risk so it's important to have a documented policy which sets out the procedure which should be followed. You could implement a policy where all files are booked in and out of the office. The policy should specify if there are any restrictions on working on files outside of the office (for example not working in coffee shops or public areas) and should cover the storage of files (for example not leaving files or laptops in the car overnight).
- Ensure laptops are encrypted and have privacy screens - None of us like wasted time, so frequently we work on the train either on a laptop or on paper files, but do you know who is watching over your shoulder? When working on a laptop it's important to use a privacy screen to protect the data you are working on. If you have a paper file, then keep it close and guarded. Most important of all, don't leave it on the train. Even if you retrieve the file it's still a potential data breach (and SRA breach) as you don't know who has picked it up and read it. Forgotten laptops are likely to be stolen. Any laptops that are taken out of the office should have encrypted hard drives in case the worst does happen.
- Only take the documents needed for the meeting/hearing – consider whether you need the whole file or whether it is possible to scan documents so they can be transported more securely.
- Have a policy for homeworkers/remote workers - more and more firms are now allowing employees to work from home, either on an ad hoc or more regular basis. It's important to have appropriate policies in place to control client data in the home environment, for example it may be beneficial to provide a filing cabinet in the home location for an employee who works from home on a regular basis.
- A clear desk policy for in the office, ensuring all files are locked away overnight, especially if you are in a shared building with a cleaning service.
Cyber threats and data breaches are not new. There have been a number of high profile data security breaches since the internet was created (and many more low-profile ones which didn't make the news). The key to tackling this kind of threat is understanding what data you process, where it is stored, how it flows through your firm and how it is used by your employees and any third parties you deal with. This is reflected in GDPR Art 30.1 (Records of Processing for Controllers) and Art 30.2 (Records of Processing for Processors).
The biggest source of data breaches in your firm will be your employees. It's important to train your staff on basic information security and to limit their ability to put data at risk with robust information security policies.
Top 5 tips for digital data security
- Lock down USB and CD ROM access to your laptops and desktop PCs – this prevents people from removing data and prevents viruses from being introduced. Update passwords on a regular basis.
- Train your employees to recognise phishing emails and suspicious email attachments, and where possible have some software in place on your network that traps anything that looks suspicious – scenario testing can be very effective.
- Ensure you have a robust policy for updating your PCs and laptops – some of the big hacking incidents have occurred because machines had not been patched with software updates.
- Ensure your network is protected with firewalls and anti-virus software which is kept up to date
- Remove the autocomplete function from your email software – the most common data breach you will have is an email full of personal data being sent to the wrong email address
Keyloggers
These are computer programs that record every keystroke made by a user in order to gain access to card details, passwords and other confidential information. Keyloggers are generally hard to detect, and the harm they cause can extend well beyond the infected computer. You can protect against this type of threat by making sure you have a firewall and security software installed and, importantly, kept up to date. You can also consider installing a password manager and ensuring that passwords are regularly updated.
Keyloggers can also be installed manually onto machines (via a USB device), so limiting access to your computers is also important. You could log visitors to the office, keep them away from desks, and use meeting rooms. Some firms carry out physical penetration testing to see if an unauthorised person can gain access to the machines.
Incident response plans
It's important to recognise that data breaches/incidents will happen, so having a tried and tested incident response plan is a must. The plan should cover physical and digital incidents and include the requirement to report data breaches to the ICO within 72 hours of becoming aware of a breach.
No firm will be able to completely avoid data breaches, but hopefully by using some of the tips in this blog you will avoid any major issues. My key message is: if you are not sure whether your client's data is protected, then get some advice from a trusted expert.