This blog post has been endorsed by The Law Society.
Processing personal data is an intrinsic part of legal work. If you can’t guarantee the confidentiality, integrity, and availability of that data, your professional standing – and your clients – could suffer, and you could fall foul of data protection legislation.
When the EU’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018, law firms that store, process or transmit EU residents’ personal data will face “effective, proportionate and dissuasive” administrative fines of up to 4% of their annual global revenue or €20 million (about $23.5 million) – whichever is greater – for breaches. In addition, aggrieved data subjects will be able to sue them for failing to secure their personal data properly.
When you consider the scale of the new fines, the recent surge in data security incidents affecting law firms is sobering. The Identity Theft Resource Center reports that data breaches in the US are increasing at a record pace: Through June, 791 data breaches have been reported, which represents a 37% increase over the same period last year.
The actual number of incidents will be considerably higher than the reported number, as many organizations don’t disclose incidents. The GDPR will change that, mandating that organizations report data breaches to their supervisory authority within 72 hours of discovering them. Data subjects must also be informed if a breach represents a high risk to their rights and freedoms.
For US firms – as with any non-EU organisations – the supervisory authority will be from a designated EU country. This will typically be the one in which they have an office or do most business.
Information security, not just cybersecurity
Although many firms have embraced new technologies to gain a competitive advantage, the information handled by legal professionals is often held in hard copy rather than as encrypted digital files. This also needs to be appropriately secured and its confidentiality, integrity, and availability maintained.
In a report published this year, the UK’s regulator for data privacy, the Information Commissioner’s Office (ICO), found that loss and theft of paperwork accounted for 26% of data security incidents in 2015/16, and data being posted or faxed to the incorrect recipient accounted for 17% of incidents. Make no mistake: These are data breaches, just as incidents caused by cyber attacks are, and the fines you’d face would be at the upper end of the scale.
Cybersecurity measures, although important, are therefore only part of your compliance obligations. To secure hard copies appropriately, you need to extend your strategy to cover all forms of information – after all, even the best antivirus software can’t prevent you from leaving a folder full of case notes in your car.
Information security: The holistic approach
Information security isn’t just a job for the IT department: It’s the responsibility of every single employee, from partners and trainees to clerical staff and cleaners. Everyone who comes into contact with information in any form must follow an agreed approach to ensuring its security. This is where a best-practice approach that covers people, processes, and technology comes in, such as ISO 27001.
ISO 27001 is the international standard for an information security management system (ISMS), against which you can achieve independently audited certification to demonstrate your commitment to securing your clients’ information – and demonstrate your compliance with the GDPR.
Many leading law firms, including White & Case, Hickey Smith, and Cravath, have already achieved certification to the Standard, but it is not just for larger organizations. ISO 27001 sets out an approach based on regular risk assessments, which can – and should – be tailored to each organization’s requirements, and is as suitable for smaller practices as it is for larger ones.
The GDPR mandates that data controllers implement “appropriate technical and organisational measures.” Annex A of the Standard lists 114 such measures – known as ‘controls’ – that you can use to address the risks you have identified.
Many of these controls are best-practice methods of securing hard copy data, which firms looking to avoid ruinous GDPR fines would be well advised to implement whether or not they seek to achieve certification to the Standard. For example:
A.8.3.2 Disposal of media – Media shall be disposed of securely when no longer required, using formal procedures. (This will help you fulfill the GDPR’s principles of purpose limitation and storage limitation.)
A.8.3.3 Physical media transfer – Media containing information shall be protected against unauthorized access, misuse, or corruption during transportation. (This will help you fulfill the GDPR’s principles of accuracy, integrity, and confidentiality.)
A.11.2.6 Security of equipment and assets off-premises – Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. (This will help you comply with the GDPR’s principles of storage limitation, integrity, and confidentiality.)
A.11.2.9 Clear desk and clear screen policy – A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. (This will help you comply with the GDPR’s principles of accuracy, integrity, and confidentiality.)
There are, of course, many other controls that have a bearing on hard copy information, including controls on information classification, access control, physical and environmental security, and the transfer of information.