Even as we move toward the end of 2020, the physical offices of many law firms are still closed with no plans to reopen anytime soon. As remote legal practices remain the norm, the task of keeping client files and other proprietary information safe is crucial—and it can be daunting.
Here are some must-haves for all attorneys in this digital age—and particularly those who are working from home.
Secure Client Portal
Since face-to-face meetings are limited—if they are even happening at all—clients need a way to upload and receive confidential documents securely.
Attorneys should not rely on email as a mechanism for transmitting sensitive information. Email is typically not encrypted and therefore presents security problems. Email can also be unwieldy where a client has voluminous files that need to be transferred. Further, in certain states, it is illegal to transfer personally identifying information via a nonencrypted medium, such as email.
Attorneys frequently handle files with this information and, therefore, these come into play. Finally, according to Rule 5.3 of the Model Pules of Professional Conduct, which serves as the basis of the rules in many states, “Attorneys should take reasonable steps as a precautionary measure to protect against disclosure [of a client’s confidential information].” If an email account is compromised or an email containing highly sensitive information is mistakenly sent to the wrong recipient, the breach could lead questions about whether the attorney has taken sufficient care to protect confidential information.
Rather than use email, clients should be provided with a means of securely transmitting their data. Examples of more secure transmission mechanisms include using standard document management software, such as Google Drive and Microsoft OneDrive. These apps allow you to share links rather than the documents themselves and specify who can access these documents. Practice management software, such as Clio, also offers secure upload options for your clients.
In the event that you have a high volume practice that relies more heavily on your website to interface with clients, you may want to consider working with a web developer to offer a custom solution that integrates with their website. The solution would provide a means of securely uploading files.
All attorneys should make sure that their websites have a valid SSL certificate. (You can do a simple check by making sure that a lock icon appears when a user accesses your website SSL provides a secure channel between two machines or devices operating over the internet or an internal network.)
Incident Response Plan
An incident response plan is a playbook for responding to a breach of data security. You need one because, when you are alerted to a data breach, time is of the essence. Almost every state has statutes requiring disclosure to clients of a breach involving their personal identification. Most of these statutes require that this disclosure happen quickly.
For example, California requires that a business, including a law firm, disclose the data breach to the affected individuals “immediately following discovery.” Cal. Civ. Code 1798.82(b). The relevant Texas statute requires disclosure “as quickly as possible.” Tex. Bus. & Comm. Code § § 521.052 – 521.053.
An incident response plan provides a ready-to-go set of procedures to follow when you detect a breach, so you don’t waste time improvising. It should also include the names of a certified IT support specialist to identify the scope of the breach and remedy it. The plan should identify an attorney who specializes in compliance issues or insurance company contact information so you can file a claim and get access to a legal specialist through your policy (see below).
Your insurance company may have a template for an incident response plan. But even with a template, you should identify the outside resources you will need in advance.
Cybersecurity Policy
A cybersecurity policy is an insurance policy that covers specific incidents of data breaches, allowing you to limit your out-of-pocket costs when a breach occurs. Costs can include complying with regulatory inquiries from state governments and providing services like identity theft monitoring to affected clients. Typically, your insurance company will refer you to specialized counsel to assist with compliance and remediation. Law firms should consider purchasing a cybersecurity policy to manage costs in the event that they are impacted by a data breach. View more must-haves for the work-from-home lawyer here.
In an upcoming blog, we will explore how attorneys can better manage their workflow and supervise their team while working remotely. If you’re looking for assistance setting up processes to manage your virtual office or need paralegal or secretarial help, please let us know here.