P2P

Spring2021

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1356436


ILTA WHITE PAPER | INFORMATION GOVERNANCE

of the business world. The 2019 American Bar Association Legal Technology Survey reports that cloud usage bumped up only very slightly, to 58% in 2019 from 55% in 2018. The same survey shows that, while law firms are hyper-conscious of cybersecurity vulnerabilities, their actual use of standard security measures is quite low. Just 35% of respondents report putting standard cybersecurity policies and practices in place and seven percent report they have implemented none at all. Given this low level of security policy-setting in normal times, it's likely that even fewer are addressing the specific data handling challenges that working from home presents.

Yet law firms were prime targets for hackers even in normal times, even before working from home was common. As more employees work remotely, data is under increasing attack, and now more than ever legal organizations need to be vigilant in protecting sensitive client information. How do we handle data as meticulously as we did (or should have) pre-pandemic? How do we identify and mitigate any potential vulnerabilities and avoid compliance breaches or audits?

First, employers adapting to a distributed workforce must foster a company-wide culture focused on data security. Firms need to ensure that all work is done on authorized devices and secure servers, and that access to information is provided only through multifactor authentication. They must also keep data secure as it travels from the employee working at home to the data center. To make this happen, legal and IT must work hand in hand. Data security applies to every single user and every single device. Data-handling policies, processes and workflows must encompass all network endpoints.

Legal professionals must also be trained and frequently reminded about the importance of protecting personally identifiable information (PII) in the context of new data-handling regulations like the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Legal departments and law firms need to carefully analyze compliance behaviors and potential pitfalls as they apply to different internal departments. Finance, IT, data security, antitrust, privacy, human resources and marketing professionals all use and hold data in specific, often unique ways.

The vast majority of security and data-handling lapses aren't caused by technology. They happen at the personnel level, which is why the effectiveness of an organization's data security depends on the establishment and reinforcement of sound policies, and on the buy-in and cooperation of individual employees.

In recent years, all kinds of companies have experienced high-visibility compliance failures and data breaches, each of which brings the potential for severe legal, financial, and reputational damage. In the COVID-19 era and beyond, firms that respond to incidents quickly and transparently, and can demonstrate their cybersecurity planning and protocols have taken work-from-home vulnerabilities into account, will be best-positioned to weather the storm.

Here are our recommendations for legal organizations seeking to protect themselves:

1. Build an organizational culture that prioritizes data security
Review cybersecurity practices, and educate team members and employees on policies and practices that need particular attention in the work-from-home era. Users need to be aware that they are their firm's first line of defense against every vulnerability, from hacking to improper data handling.

2. Leverage mobile device management
Mobile device management (MDM) solutions for maintaining data security are increasingly important in the remote working environment. Organizations need to be diligent about adhering strictly to MDM policies, especially policies for passwords, wiping data from lost phones, and location tracking.

3. Protect chain of custody
When transferring any kind of sensitive data, it's vital to document chain of custody. With digital data, appropriate logs and processes need to be established. Particular care needs to be taken when sending data in physical format. For example, organizations should consider using USB padlock drives with AES encryption for data transfer. These drives automatically destroy data after 10 invalid attempts to access it.
