The belief that “The odds of a computer or network breach isn’t an if, it’s only a when” is practically dogma now. Given this reality, every law practice, including solo attorneys, should have a data security plan in place. Yes, I know the task can seem a bit daunting, particularly if you have no idea where to start; but failing to do this is no longer an acceptable choice. Putting our ethical duties and various state and federal regulations aside, every client expects to have whatever sensitive and personally identifying information they provide to you properly safeguarded. That’s the bottom line.
The good news for lawyers who practice in the solo space is that data security plans needn’t be drafted in the form of some long, convoluted treatise on IT security. It’s really more of a process followed up with a list of to-dos. If you happen to have any staff, you will also need to create a list of guidelines and expectations to be followed going forward.
The entire process can be summarized as follows. First, determine what sensitive and personally identifiable information you have and then identify all the locations where this information is stored. Second, determine if there is a legitimate reason to collect and maintain every piece of this information. If certain types of information aren’t really needed, stop collecting them. Third, figure out how to properly secure all information that must be kept and then take whatever steps are necessary to do so. Fourth, properly destroy any information that doesn’t need to be maintained. And finally, create an incident response plan so you know what to do if and when a breach occurs.
To help you move forward with this task, I encourage you to take a look at a useful guide put out by the Federal Trade Commission that is intended to help small businesses protect personal and sensitive information. This guide provides the details and instructions most small businesses need in order to make taking the above steps a palatable task. Finally, the FTC has also published a data breach response guide where additional information on what to do if and when you experience a breach can be found.
All opinions, advice, and experiences of guest bloggers/columnists are those of the author and do not necessarily reflect the opinions, practices or experiences of Solo Practice University®.