by RapidRPS.com staff
Many law firms, attorneys and business executives are concerned about keeping their data secure. Fortunately, most large firms have some dedicated information technology departments whose personnel have composed one or more plans for data security and recovery. Smaller firms and sole proprietors should, as well.
Whether your data is stored in your file cabinets, desk drawers, computer, and cell phone, each is a potential target for not only identity thieves, but hackers and corporate espionage provocateurs. Unscrupulous opponents may attempt to gain access to information in order to secure a victory. Or it may be any number of persons or organizations seeking to advance their own interests. In any event, data security should be approached with the axiom of “Prepare for the worst; Hope for the best”.
While competitive intelligence is essentially a legal form of gathering information about a competitor (from observations, interviews, public records and other sources), the use of corporate espionage and computer hacking are definitely not. As part of an ongoing series, we will discuss some basic issues with keeping your data secure and preventing its loss or manipulation.
The Plan. When it comes to protecting sensitive data, one should have an information technology (IT) secure data plan. The plan should encapsulate not only the maintenance and security of electronic data, but address issues as to physical data, as well. The plan should be designed to protect against the most common sources of data breaches, including outside interests and careless employees. Many data security breaches may not necessarily be directly related to compromising electronic data through penetration (hacking), but the failure of employees to follow certain office protocols relating to securing visible (printed) information from prying eyes, or from data leaving the premises in an unsecured manner. The Plan should cover these foreseeable events.
Unintended Consequences. When an employee removes data, such as a client file from the office without adhering to established internal security protocols, the firm runs the risk of not only exposing that client’s information to third parties, but compromising the overall reputation of the firm as a trustworthy entity. We emphasize this in light that clients utilizing attorneys and their contractors often times do so on reputation, alone.
Unsecured Data Compromise. An example of data leaving the office in an unsecured manner would be moving data to a USB flash drive or CD-ROM without the data having previously been encrypted, or otherwise removing a laptop from the firm premises without the necessary encryption measures installed. The level of encryption may vary from firm to firm, and restrictions as to levels of control over access to information. However, in all instances, whether the data is merely password protected or encrypted to a level of sophistication, the management of the data integrity should be first and foremost in any firm’s IT plan. Many times, the data that the employee has possession of is not the property of the employee, or the firm, but the property of the client, or privileged communications between the firm and the client. Consequently, any breach of that data is a breach of the trust between the attorney and the client.
Physical Document Compromise. Another example of confidential data exposure may be the physical document compromise which can come from a non-employee third party visitor having the ability to view documents within a working environment. Most of such incidents occur when the subject documents are left in plain sight; however in other instances, the documents may be present for casual perusal while the employee tasked with controlling the document is out of their office. To help eliminate this opportunity, the firm may establish a policy of not leaving sensitive or confidential documents in plain sight for the casual observer, as well as establishing a visitation policy of not allowing visitors access to an inner office working area without an escort and chaperone.
The “Rings of Trust”. Document control may be further enhanced by the use of physical or virtual boundaries, or “rings of trust”: the further from the center (or highly restrictive domain) a document is allowed, the less sensitive it may be. Establishing access to documents within the office environment may be done by permissive access, with the employees having access on a “need to know” basis.
Sanitization of the Working Office. When allowing a client or visitor into an inner office working area, where access control is increased, the “sanitization” of an office may be advisable. This may be as simple as turning over the top document on exposed files so the blank back side of the paper is only visible, or otherwise covering working documents with other papers or even a tarp or sheet (depending on the size). Of course, unneeded paper documents and folders should be filed away in a locked file cabinet at all times. The same attention in the reception area to removing from public sight any documents should also be emphasized.
Electronic Retention and Document Destruction. The protection of client data from physical removal may likewise be accomplished through the establishment, utilization and enforcement of firm policies and procedures wherein paper files and documents which are not public record (including credit reports and other communications) are committed to electronic retention, catalogued, then shredded. As RapidRPS.com performs skip tracing to locate and serve evasive or parties where our clients do not have confirmed addresses, our firm utilizes a cross-cut shredder to destroy confidential information on-site at the appropriate work stations after electronic retention. Other confidential or proprietary documents are likewise electronically retained and shredded after their physical necessity is no longer required.
Most of the clients of RapidRPS.com transmit their documents for service to our office via email attachment or via fax. As so much of our information, assignments and reports are delivered by electronic means, the initial need for paper documents is minimal. We print the documents vital for service of process, and electronically retain the balance.
Documents which must be committed to paper (such as legal process to serve), are printed in the amount of copies necessary, served or otherwise delivered to the intended recipient, and the appropriate documentation made on the workflow management documents. If documents are non-served, they are generally returned to our office for destruction.
Where paper documents are utilized for workflow management (such as Process Server field reports, Proofs of Service, Affidavits and the like), after quality control, such documents are electronically retained (scanned), catalogued, and the originals remitted to our clients. While many attorney services retain the work order and process server notes, RapidRPS.com submits the originals to the client for their use and retention. The scanned documents are also sent to our clients via an email with the report captioned for immediate electronic viewing.
The Efficiency of the “Paperless” Office. While we have found that a “paperless” environment eliminates clutter, as well as promotes a more efficient workflow, cutting down on time expended to paper management, we have also found it to be a much more secure environment for confidential documents, as well. Many firms utilize outside shredding services which remove documents and papers from the office waste receptacles and perform commercial shredding on or off-site. Whether the paper flow is large or small, the necessities of time and other resources drive whether the firm utilizes an outside contractor for shredding its documents or performs it in-house.
On-Site and Off-site Backup. The subject of backing up data is not to be ignored or made insignificant. As may be said in computer science classes, the way to preserve one’s data is backup…backup…backup. The firm may have an on-site backup system, which may be as simple as an external drive for a single user, or a NAS (network attached storage) drive, or to the complexity of a server farm. In all instances the data management plan should include an off-site backup protocol. Examples of such consumer and commercially available off-site backup services are Mozy and Carbonite.
Off-site physical document storage may be just as important as off-site data backup. The various requirements imposed by private contract, or statute and government regulatory imposition may require a firm or business to retain physical inventory of documents, such as credit applications, mortgages, notes, medical records, evidence, or other paper records. Additionally, as the physical documents may be the property of the client, the law firm may be obligated to return the documents to the client in good order after representation is terminated. By utilizing off-site document storage service providers, a business may put its resources to good use in the physical retention of documents.
Summary. The use of encrypted emails, one time use keys, and other electronic means to protect privacy may be vital in the world of personal and legal information interchange, and businesses must be compliant with the requirements of HIPAA, SOX, GLBA, and other statutes. While the advanced securitization methods to deter or otherwise prevent data leakage are mandatory in some circles, let us not forget the basics of data security, including restricting access to information by the use of tools such as locking doors, restricting visitor access, password protected logins (including screen savers, as well as boot up’s), utilizing a cross-cut paper shredder, and other means to secure one’s data.
Our goal is not to “lock down” our office so that necessary and vital information is not available to our associates and employees, but to secure our client’s information from unauthorized disclosure and disseminate that information on a need to know basis, preserving the integrity of the data, physical or virtual.