Though written primarily for a law firm audience, this article provides all organizations with practical advice about protecting personal, confidential, and trade secret information. It is an excerpt from Confidentiality, Privacy, and Information Security: A Primer for Law Firm Records and Information Governance Professionals, written by Beth Chiaiese, CRM, with Lee R. Nemchek, IGP, CRM, editor for the Information Governance in the Legal Environment series.
Best practice dictates that law firms must use a variety of tools and techniques to secure Covered Information in their possession. [Editor's note: Throughout this excerpt, the term "Covered Information" refers to all private or confidential law firm information that is regulated by ethics rules, data privacy and security laws, or common law.] These include implementing a strong security infrastructure for the firm's network, developing robust policies, using specific procedures and systems designed to minimize the risks of a data loss, and auditing to identify gaps in compliance with the established policies and procedures. [This excerpt focuses on policies and processes.]
A significant component of a law firm's IG [information governance] framework consists of guidance on information confidentiality, privacy, and security. Some IG policies relate narrowly to information security. Others include statements related to the protection of Covered Information but also cover topics such as records management, legal holds, and accepting and releasing client information.
Regardless of the specific objective of a policy, the underlying message regarding information security should be that the firm expects all personnel to manage information in ways that support compliance with professional duties of confidentiality, relevant regulations that govern the use of PI, and requirements to protect intellectual property and trade secrets.
The section below discusses specific policies that a firm can adopt within an overall IG policy framework to strengthen its information security program. Many firms require new personnel to acknowledge receipt, read, and agree to the provisions of such policies on their first day of employment, and they may also require annual re-certification by all personnel.
A statement of the firm's requirements to maintain the confidentiality of client and firm information is a threshold compliance policy in most law firms. Many law firm liability insurance providers strongly recommend that firms enforce this type of policy. Firms generally place so much importance on maintaining confidentiality that violations can result in severe discipline, including dismissal from employment. Recommended policy elements include:
* Definition of confidential information
* Scope statement defining the policy as covering all client and business confidential information, regardless of format, media, storage location, or method of transmission
* Statement regarding consequences of non-compliance
* Specific requirements to protect oral, written, electronic, and physical confidential information
* Permitted use, access, and disclosure of confidential information
* Transmittal protocols for confidential information, including any requirements to encrypt data in motion
* Guidelines in the event of the inadvertent disclosure of confidential information
* Securing confidential information from guests
* Retention and disposal of confidential information
Information Security Policy
A firm's information security policy should set forth expectations regarding how firm personnel must secure Covered Information. Some firms may also wish to excerpt a brief statement of their expectations regarding information security that can be given to clients and third parties.
The information security policy is a good vehicle to include requirements for password control, although some firms create separate password policies. In addition, some firms create broader "technology acceptable use" policies that incorporate information security requirements.
Recommended elements for general information security policies include:
* Password and authentication requirements
* Securing confidential matters and matters under ethics walls
* Securing confidential documents
* Encrypting information in transit
* Appropriate use of portable devices, including device encryption
* Rules for participation in the firm's BYOD program
* Permissible uses of the Internet
* Permissible use of social media and networking sites
* Use of public cloud storage services
* Securing physical information
BYOD Policies
While policies governing participation in a firm's BYOD program might be included in a general information security policy, best practice dictates that firms require program participants to sign a separate [BYOD] agreement, certifying that they understand the parameters of the program and their responsibilities, including a requirement to re-certify annually. Other recommended elements of the agreement include:
* Program definition and scope
* Eligibility statement
* Provision detailing the types of devices that are and are not covered by the program
* Requirements regarding virus protection and encryption
* Requirements regarding temporary and permanent storage of client and firm information
* Description of how the firm ensures connectivity to firm systems
* Requirements that the participant is responsible for software and hardware maintenance
* Financial reimbursement processes
Policy on Managing Personal Information