Chapter § 9.04 Essential Risk Management Tools
| Jurisdiction | United States |
| Publication year | 2020 |
§ 9.04 Essential Risk Management Tools
There is no one-size-fits-all approach to cybersecurity and data privacy. Instead, the appropriateness of a cybersecurity and privacy program is generally a fact-specific, individualized determination based on an organization’s size and complexity, the data the company processes, and its risk profile. Below, however, we discuss some common practices that most cybersecurity and privacy frameworks include and that all law firms should consider. Many of the practices we discuss are key features of available guidelines for (i) non-regulated organizations, such as the NIST Cybersecurity Framework and the ISO/IEC 27000 family of information security standards, and (ii) sector-specific rules, such as the Health Insurance Portability and Accountability Act and its implementing regulations.
[1] Encryption
Data encryption is perhaps the most common data security safeguard organizations employ. Encryption protects the confidentiality of digital data, known as plaintext, both while it is stored electronically and while it is transmitted over the Internet or other networks. As for the process, software encrypts plaintext with an encryption algorithm and an encryption key, producing ciphertext that recipients can view in its original form only if the text is decrypted with the correct key (called a “decryption key”).68 Two main types of data encryption exist—i.e., asymmetric encryption, also known as public-key encryption, and symmetric encryption. The primary difference between the methods is that asymmetric encryption uses two keys, a public one and a private one, to encrypt and decipher plaintext, while symmetric encryption uses only one secret key to encrypt and decipher data.69
[2] “Bring Your Own Device” (BYOD) Policy
Most law firms permit their employees to use their personal devices (e.g., laptops, tablets, and smartphones) for work purposes. “Bring Your Own Device” (or BYOD) refers to the policy of allowing employees to use their personal devices in this manner. There are many data security and privacy risks associated with implementing a BYOD program, including lost or stolen devices, devices having access to the firm’s networks, and mixing personal information with client data on one device. Law firms should implement policies and procedures to address these risks. The firm should, at a minimum, (1) allow all relevant stakeholders (e.g., legal, IT, human resources, data privacy, information security, and compliance) to participate in developing the program, (2) limit the program to employees who require remote access to the firm’s network for work purposes, (3) provide clear and specific guidance on the appropriate use of authorized applications, (4) clearly convey the firm’s policy regarding ownership of data on devices, (5) allow the firm to monitor and control the data on devices in the program, and (6) train employees on the proper use of authorized applications.
[3] Vendor Management
It’s common today for law firms to rely on third-party vendors to support core business functions. And, in some instances, these vendors have access to a firm’s client data and its internal systems. This level of access presents an inherent risk that firms must manage. Therefore, firms should review vendors’ data security and privacy practices—before engaging them and during the vendor relationship—to ensure that those measures are sufficient for access to the firm’s high-risk data. Also, to comply with laws and regulations or as a matter of best practices, firms should enter into agreements with vendors that expressly require vendors to implement adequate security measures to protect sensitive data. Effective contracts will (i) give a firm a right to review a vendor’s practices and (ii) include language requiring that the vendor maintain adequate data security procedures, facility procedures, safety procedures, and other safeguards against destruction, alteration, and disclosure of the firm’s data.
[4] Training
Employee training is critical for mitigating a law firm’s enterprise cybersecurity and data privacy weaknesses. To be sure, phishing and...