Layers: Why a Law Firm Is Like an Onion
Law firms are obligated to protect their client's data, as dictated by federal and state laws as well as local jurisdictional ethics rules. You'll read and understand the relevant rules—you're a lawyer, that's basically what you do.
August 06, 2018 at 09:35 AM
5 minute read
The original version of this story was published on Pro Mid-Market
Law firms are obligated to protect their client's data, as dictated by federal and state laws as well as local jurisdictional ethics rules. You'll read and understand the relevant rules—you're a lawyer, that's basically what you do. Technical compliance, however, is where the rubber meets the road. Leaving aside the matter of data breach reporting, to focus on the preliminary issue of data protection, questions of technical compliance, at a number of levels, come to the fore.
Data hackers are relentlessly poking at systems, in order to find weaknesses. It's telling that a common technique is known as a brute force attack. Throwing everything they have in a concentrated blast at one part of the wall before moving on to the next is basic siege mechanics for hackers. So, in order to effectively track your data, it's important to protect it at all levels— and, there are a lot of layers here to look after.
Take the humble Microsoft Word document, and consider the myriad ways it might be subject to exposure. At the document level, you've got the potential for exposed metadata (essentially buried information about edits), as well as questions about restrictions on document access: Is it encrypted? Do viewers have “read-only” access, or which ones have read-only access? Can the document be forwarded, or printed? Will access to the document expire after a set time period? You can trigger basic protections like those alluded to above within Microsoft Word, or even via conversion to a PDF management program, like Adobe Acrobat; but, unless you're asking relevant questions related to data security, and acting on those, you're potentially exposing sensitive data.
But, a document does not exist in a vacuum; and, as soon as that document is available within a particular system, it is also exposed to any loopholes inherent in or created by, that system. So, consider whether the document is encrypted as it resides on the system. Does the case management system you use, for example, encrypt all data at rest, including documents? Do you trust that protection alone, or will you encrypt your documents first, before uploading them, or making them available, within a system, to add another layer of security? In terms of personnel management, do those staff persons accessing your systems only have access to the files and documents they need access to? With the availability of granular access options, including down to the document level, it pays to be thoughtful about who gets to see what, to secure your information from overexposure. If you use integrated systems—perhaps you link a document repository, like Microsoft OneDrive, to a case management system—are all of the integration points encrypted, and does each system you use apply viable security measures? If you choose to share documents with clients and colleagues, do you utilize client portals or sharing protocols within the systems you use? Do you have a single process or workflow for how you share information that all employees adhere to?
And, if you're not sharing a document within a system architecture, but prefer email as a transit method, there are other issues to address, since you can't know the security protocols for every server an email passes through. Do you consider an email encryption service, which allows you to send a document to a third party, secure inbox for access by a recipient? And, will you turn that feature on manually or use automated triggers, e.g.—the presence of information sets protected by your state's data security laws? If you decide that an email system is too costly, or that you don't send enough documents via email to justify the use of such a system, do you then encrypt documents on an ad hoc basis, using a productivity or PDF software, only when you need to?
Even at this late date, hardware has not been totally eliminated. And, even if you're not accessing documents directly via your laptop or tablet or smartphone, you're using that hardware to access the systems where you get those documents. Therefore, it's also imperative that you appropriately secure the devices you use to access the software you use to access the documents you need. This includes, for most modern law firms, the creation and maintenance of a BYOD (bring your own device) regime.
Most law firm managers, and especially law firm IT people, blanch at the sheer breadth of data security requirements in the legal environment. And, managing that effectively does require a thoughtful and systematic approach. But, the implementation strategies built around such an approach will significantly reduce any law firm's risk profile.
Jared D. Correia is the founder and CEO of Red Cave Law Firm Consulting, which offers subscription-based law firm business management consulting and technology services for solo and small law firms. Red Cave also works with legal institutions and legal-facing corporations to develop programming and content.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
'Appropriate Relief'?: Google Offers Remedy Concessions in DOJ Antitrust Fight
4 minute read
'Serious Disruptions'?: Federal Courts Brace for Government Shutdown Threat
3 minute read
'Unlawful Release'?: Judge Grants Preliminary Injunction in NASCAR Antitrust Lawsuit
3 minute read
'Almost Impossible'?: Squire Challenge to Sanctions Spotlights Difficulty of Getting Off Administration's List
4 minute readTrending Stories
- 1Slideshow: Jewish Bar Association of Georgia Marks 1st Year With Hanukkah Party
- 2Holland & Knight Launches Export Control Disputes and Advocacy Team
- 3Blake Lively's claims that movie co-star launched smear campaign gets support in publicist's suit
- 4Middle District of Pennsylvania's U.S. Attorney Announces Resignation
- 5Vinson & Elkins: Traditional Energy Practice Meets Energy Transition
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
