The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/34686
BEST PRACTICES

Legal Information Risk — Action Plan and Roadmap

A law firm has only a few principal assets: its reputation, its people, its relationships and the collective information for which it is responsible. Ensuring the quality of this information and protecting it from risk is critical to a firm’s viability. While many share responsibility for the quality of information, the CIO has the central role in handling risks that threaten its existence, accessibility, and security. IT’s hardware, software and services, while complex and expensive, are simply the tools that help IT deliver on these responsibilities.

We have assembled an action plan for some of the considerations when addressing nine risks to law firm information and a roadmap to outline key aspects of the expected future state. While not exhaustive, it is a useful guide for CIOs, COOs and security directors when considering their firm’s priorities and risk tolerance.

Action Plan

Risk: Theft by External Parties

Security firms have conveyed that law firms are easy targets for obtaining information on law firm clients; hackers might not even bring their varsity team to break in. Whether this situation drives law firms to third-party providers of infrastructure and security services or improves internal procedures is yet to be seen; in any case, security know-how is an IT responsibility that is growing in importance.
Considerations include:
• Annual audit by third-party security specialist, including penetration testing
• Expert (third-party or in-house) monitoring of WAN and firewall security incidents
• Mature (consistent and fresh) software patch management procedures
• Secure client software for iPhone/iPad and other PDAs
• Two-factor authentication (something you know, something you have) for network logon
• Password policies to ensure appropriate complexity and occasional change
• Clear information security design and incident response responsibilities, including appropriate training

Risk: Theft by Internal Parties

For collaboration, law firms trust their own employees and provide wide access once logged onto the IT systems. Headline events of associates selling firm information for profit have not yet driven most firms to change this model (although a small number of firms have done so). Firms can take more prudent steps and better protect sensitive information by moving to a “trust but verify” model.

Considerations include:
• Consistent, automated ethical walls across major information systems (online accounting, business intelligence reports, time entry, document management, file shares, intranet and search results)
• Private folders and need-to-know project code names for sensitive matters not subjected to an ethical wall
• Rights management and/or encryption applied to very sensitive client and firm documents
• Expiration dates on information, e.g., the information is purged or access is denied after a defined period of time
• Automated monitoring for extraordinary events (e.g., mass export or printing)
• Secured screen savers and daily log-out policies
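As an added illustration of the “trust but verify” item on automated monitoring for mass export or printing (example code, not from the article or any firm’s tooling), the check below runs a sliding-window threshold over constructed document-management audit log lines; the log format, user names, window and threshold are all assumptions.

```python
"""Flag users who touch an unusual number of distinct documents in a short window.
Added example; the audit log format (timestamp user ACTION doc-id) is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample DMS audit events (not real data): one user bulk-exports
    a matter folder in five minutes; the others show ordinary daily use."""
    base = datetime(2013, 4, 2, 9, 0, 0)
    lines = []
    for i in range(25):  # asmith: 25 distinct documents in under five minutes
        lines.append(f"{(base + timedelta(seconds=12 * i)).isoformat()} asmith EXPORT DOC-{1000 + i}")
    for i in range(6):   # bjones: six exports spread one hour apart across the day
        lines.append(f"{(base + timedelta(hours=i)).isoformat()} bjones EXPORT DOC-{2000 + i}")
    for i in range(3):   # cdoe: the same document printed three times (not a mass event)
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} cdoe PRINT DOC-3000")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp user ACTION doc-id' lines into (datetime, user, action, doc) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc = line.split()
        events.append((datetime.fromisoformat(ts), user, action, doc))
    return events


def find_mass_activity(events, actions=("EXPORT", "PRINT"), threshold=20, window=timedelta(minutes=10)):
    """Return {user: peak_distinct_docs} for users who reach `threshold` distinct
    documents within any `window`. Repeated actions on one document count once,
    so reprinting a single brief does not trip the alert."""
    by_user = defaultdict(list)
    for ts, user, action, doc in events:
        if action in actions:
            by_user[user].append((ts, doc))
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        start, peak = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide window forward
                start += 1
            peak = max(peak, len({doc for _, doc in items[start:end + 1]}))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print(find_mass_activity(parse_log(build_sample_log())))
```

Tuning the window and threshold against a firm’s normal export and print volumes is what separates a useful alert from a noisy one.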