With the new General Data Protection Regulation (GDPR) coming into force on May 25th this year, and with the threat of stricter audits, law firms are under increased pressure when handling sensitive and confidential client data. These days, an attachment containing personal data sent to an unauthorized recipient could be costly – up to 4% of your annual global turnover or €20 Million (whichever is greater).
It’s a difficult path for the legal sector. First, firms need to understand the requirements of the GDPR and then understand what data they’re responsible for. Next, they need to map the two and create policies that will comply with the GDPR. These are mammoth tasks, but firms also need to do this while keeping operations running.
Pulled by compliance on one side and operations on the other, legal firms are walking a tightrope that can only be taken one step at a time.
Here are four steps you can take that will help towards GDPR compliance.
1. Clean metadata
Legal professionals are notoriously overworked and under intense time pressure. They’re emailing documents all the time and, with each document that’s sent, there’s the potential for the wrong piece of information to slip into the wrong hands.
You can help stop staff from inadvertently sending sensitive or confidential data to the wrong people by putting metadata cleaning policies in place. Policies can be general or specific and can factor in specific types of metadata, like track changes and speaker notes, as well as where the email is going, like whether it’s being sent internally or externally.
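As an added illustration (not code from the original post or from any vendor product), the following Python script applies a destination-dependent cleaning policy to a .docx attachment. The sample document, the policy table and the names are all constructed for the example; it strips core properties (author, last modified by), removes the comments part together with its relationship and content-type entries, and accepts tracked changes when the file is going external, while leaving an internal copy untouched. It uses regular expressions on the package XML for brevity rather than a full OOXML parser.

```python
"""Policy-driven metadata cleaning for an outbound .docx (added example, not the page's product)."""
import io
import re
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

# Constructed sample document: author properties, a comment and a tracked change.
SAMPLE_PARTS = {
    "[Content_Types].xml": (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/comments.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.comments+xml"/>'
        '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types>'),
    "_rels/.rels": (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{REL_NS}/officeDocument" Target="word/document.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/></Relationships>'),
    "word/_rels/document.xml.rels": (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{REL_NS}/comments" Target="comments.xml"/></Relationships>'),
    "word/document.xml": (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:commentRangeStart w:id="0"/>'
        '<w:r><w:t>Settlement offer: </w:t></w:r>'
        '<w:del w:id="1" w:author="A. Partner"><w:r><w:delText>90,000</w:delText></w:r></w:del>'
        '<w:ins w:id="2" w:author="A. Partner"><w:r><w:t>120,000</w:t></w:r></w:ins>'
        '<w:commentRangeEnd w:id="0"/><w:r><w:commentReference w:id="0"/></w:r></w:p></w:body></w:document>'),
    "word/comments.xml": (
        f'<w:comments xmlns:w="{W_NS}"><w:comment w:id="0" w:author="A. Partner"><w:p><w:r>'
        '<w:t>Client will go to 150,000 if pushed</w:t></w:r></w:p></w:comment></w:comments>'),
    "docProps/core.xml": (
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="http://purl.org/dc/elements/1.1/">'
        '<dc:creator>A. Partner</dc:creator><cp:lastModifiedBy>B. Associate</cp:lastModifiedBy></cp:coreProperties>'),
}
EMPTY_CORE = f'<cp:coreProperties xmlns:cp="{CP_NS}"/>'

# Hypothetical policy table: what gets stripped depends on where the mail is going.
POLICY = {
    "internal": {"strip_properties": False, "strip_comments": False, "accept_changes": False},
    "external": {"strip_properties": True, "strip_comments": True, "accept_changes": True},
}


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in SAMPLE_PARTS.items():
            z.writestr(name, xml)
    return buf.getvalue()


def parts(docx_bytes: bytes) -> dict:
    """All package parts as name -> XML text."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return {name: z.read(name).decode() for name in z.namelist()}


def clean_docx(docx_bytes: bytes, destination: str) -> bytes:
    """Rewrite the package part by part according to POLICY[destination]."""
    rules = POLICY[destination]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, xml in parts(docx_bytes).items():
            if rules["strip_comments"] and name == "word/comments.xml":
                continue  # drop the comments part entirely
            if rules["strip_properties"] and name == "docProps/app.xml":
                continue  # application properties (company, template, total edit time)
            if rules["strip_properties"] and name == "docProps/core.xml":
                xml = EMPTY_CORE  # author, last modified by, revision number, ...
            elif name == "word/document.xml":
                if rules["strip_comments"]:  # remove the anchors that pointed at the comments part
                    xml = re.sub(r"<w:comment(?:RangeStart|RangeEnd|Reference)\b[^>]*/>", "", xml)
                if rules["accept_changes"]:  # accept all: drop deletions, keep insertions as plain text
                    xml = re.sub(r"<w:del\b[^>]*>.*?</w:del>", "", xml, flags=re.S)
                    xml = re.sub(r"<w:ins\b[^>]*>(.*?)</w:ins>", r"\1", xml, flags=re.S)
            elif rules["strip_comments"] and name == "word/_rels/document.xml.rels":
                xml = re.sub(r'<Relationship\b[^>]*/comments"[^>]*/>', "", xml)  # no dangling relationship
            elif rules["strip_comments"] and name == "[Content_Types].xml":
                xml = re.sub(r'<Override PartName="/word/comments.xml"[^>]*/>', "", xml)
            dst.writestr(name, xml)
    return out.getvalue()


def report(docx_bytes: bytes) -> dict:
    """What a reviewer (or the recipient) can still learn from the file."""
    p = parts(docx_bytes)
    doc = p["word/document.xml"]
    creator = re.search(r"<dc:creator>(.*?)</dc:creator>", p["docProps/core.xml"])
    return {
        "author": creator.group(1) if creator else "",
        "has_comments": "word/comments.xml" in p,
        "has_tracked_changes": bool(re.search(r"<w:(?:ins|del)\b", doc)),
        "visible_text": "".join(re.findall(r"<w:t[^>]*>(.*?)</w:t>", doc)),
    }


if __name__ == "__main__":
    sample = build_sample_docx()
    for destination in POLICY:
        print(destination, report(clean_docx(sample, destination)))
```

The interesting part is the external run: the visible text is unchanged, but the rejected figure in the deletion, the comment revealing the client's real limit and the author names are gone, and the package is still internally consistent because the relationship and content-type entries for the removed part are dropped with it.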
2. Check recipients
We all know how often attachments are sent to the wrong email recipient, either inadvertently or maliciously. It's the number one cause of data loss for businesses.
One significant step towards avoiding data leaking from your business in this way is to move to a pessimistic (deny-by-default) data sharing model.
To protect your firm, you can associate confidential attachments with a whitelist or blacklist of email recipients. For example, you can limit matter files belonging to certain clients to the small subset of people who “need to know” that information for each engagement.
Alternatively, you can secure certain engagements by blocking matter files from going to free email domains, such as Gmail, Hotmail and so on.
For the truly paranoid clients that some of you have, you can also block their matter attachments from going out over email at all, collaborating over secure online file transfer instead.
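The three recipient rules above, as an added example (this is illustration code, not from the original post or any product): each matter carries a policy with a need-to-know list, an optional deny list, a free-mail block and an email-allowed flag, and every attachment/recipient pair is evaluated deny-by-default. The firm domain, free-mail domain list, matter identifiers, addresses and the mail log are all constructed.

```python
"""Recipient checks for matter attachments under a deny-by-default policy (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

FIRM_DOMAIN = "example-law.test"  # constructed firm domain; internal recipients are trusted by default
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}  # constructed list


@dataclass(frozen=True)
class MatterPolicy:
    matter_id: str
    need_to_know: frozenset = frozenset()  # external addresses cleared for this engagement
    denied: frozenset = frozenset()        # addresses never allowed, internal or not
    block_free_mail: bool = False          # refuse consumer webmail even if on the list
    email_allowed: bool = True             # False: files leave only via secure file transfer


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_recipient(policy: MatterPolicy, address: str) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'secure_transfer'."""
    address = address.lower()
    if address in policy.denied:
        return "block", f"{address} is on the deny list for {policy.matter_id}"
    if domain(address) == FIRM_DOMAIN:
        return "allow", ""
    if not policy.email_allowed:
        return "secure_transfer", f"{policy.matter_id} files may not go external over email"
    if policy.block_free_mail and domain(address) in FREE_MAIL_DOMAINS:
        return "block", f"{address} is a free mail domain, blocked for {policy.matter_id}"
    if address not in policy.need_to_know:  # deny-by-default: not listed means not cleared
        return "block", f"{address} is not on the need-to-know list for {policy.matter_id}"
    return "allow", ""


def check_message(message: dict, policies: dict) -> dict:
    """Evaluate every (attachment matter, recipient) pair; the strictest verdict wins."""
    verdicts, reasons = {"allow"}, []
    for att in message["attachments"]:
        policy = policies.get(att["matter"])
        if policy is None:  # untagged or unknown matter: fail closed
            verdicts.add("block")
            reasons.append(f"{att['name']} is tagged with unknown matter {att['matter']}")
            continue
        for rcpt in message["to"]:
            verdict, reason = check_recipient(policy, rcpt)
            verdicts.add(verdict)
            if reason:
                reasons.append(reason)
    action = "block" if "block" in verdicts else "secure_transfer" if "secure_transfer" in verdicts else "allow"
    return {"id": message["id"], "action": action, "reasons": reasons}


def audit(log: list, policies: dict) -> Counter:
    """Run the policy over a batch of messages and count the outcomes."""
    return Counter(check_message(m, policies)["action"] for m in log)


# Constructed policies and mail log.
POLICIES = {
    "M-1042": MatterPolicy("M-1042", need_to_know=frozenset({"counsel@clientco.test"})),
    "M-2001": MatterPolicy("M-2001", need_to_know=frozenset({"j.doe@gmail.com"}), block_free_mail=True),
    "M-3000": MatterPolicy("M-3000", email_allowed=False),
}
SAMPLE_LOG = [
    {"id": 1, "to": ["counsel@clientco.test", "partner@example-law.test"],
     "attachments": [{"name": "engagement-letter.docx", "matter": "M-1042"}]},
    {"id": 2, "to": ["cfo@clientco.test"], "attachments": [{"name": "draft-claim.docx", "matter": "M-1042"}]},
    {"id": 3, "to": ["j.doe@gmail.com"], "attachments": [{"name": "disclosure.pdf", "matter": "M-2001"}]},
    {"id": 4, "to": ["counsel@careful-client.test"], "attachments": [{"name": "bundle.zip", "matter": "M-3000"}]},
    {"id": 5, "to": ["associate@example-law.test"], "attachments": [{"name": "bundle.zip", "matter": "M-3000"}]},
]

if __name__ == "__main__":
    for m in SAMPLE_LOG:
        print(check_message(m, POLICIES))
    print(audit(SAMPLE_LOG, POLICIES))
```

Note the ordering inside `check_recipient`: the deny list is consulted first, internal recipients pass next, and the free-mail block sits before the need-to-know lookup, so a consumer address that someone has put on a matter's list (message 3) is still refused. Message 4 is not simply dropped but routed to secure transfer, which is the behaviour the text describes for those clients.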
3. Monitor data loss
Most law firms consider threats to be outward-facing and miss the threat from the behavior and actions of their own employees. Suspicious behavior could be a sign that staff are planning to leave a firm, or are about to violate a firm policy regarding data sharing.
Keep a watchful eye on the behavior of possible "errant employees" in your firm by using software that provides internal, individual threat assessment. With a complete risk assessment solution, a risk score is assigned by analyzing the behaviors of internal team members and then comparing them against their own past behaviors and the behaviors of their cohorts. Both the frequency of emails sent and the content of each email (number of attachments, variety of attachments) are taken into account. Security admins can then use this information to manually review individuals breaching a threshold.
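To make the scoring idea concrete, here is an added example (not the original post's or any vendor's algorithm) of one way such a score can be built from an outbound mail log: each user's daily email count, attachment count and number of distinct attachment types are turned into z-scores against that user's own history and against their cohort's behavior on the same day, combined with hypothetical weights, and compared with a hypothetical review threshold. The users, cohort, log rows, weights and threshold are all constructed.

```python
"""Behavior-based insider risk score from an outbound mail log (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ("emails", "attachments", "attachment_types")
SELF_WEIGHT, COHORT_WEIGHT = 0.6, 0.4  # hypothetical: own history matters more than peers
THRESHOLD = 3.0                         # hypothetical: above this, a human reviews the user

COHORTS = {"alice": "litigation", "bob": "litigation", "carol": "litigation"}  # constructed


def build_sample_log() -> list:
    """Constructed log: one summary row per user per day."""
    rows = []
    for user in COHORTS:
        for day in range(1, 10):  # nine days of ordinary history for everyone
            rows.append({"user": user, "day": day, "emails": 5, "attachments": 2, "types": {"docx"}})
    rows += [  # day 10: alice's volume and variety jump, the others stay close to normal
        {"user": "alice", "day": 10, "emails": 25, "attachments": 40, "types": {"docx", "xlsx", "zip", "pst"}},
        {"user": "bob", "day": 10, "emails": 5, "attachments": 2, "types": {"docx"}},
        {"user": "carol", "day": 10, "emails": 6, "attachments": 3, "types": {"docx", "pdf"}},
    ]
    return rows


def features(row: dict) -> dict:
    return {"emails": row["emails"], "attachments": row["attachments"], "attachment_types": len(row["types"])}


def zscore(value: float, population: list) -> float:
    spread = pstdev(population) or 1.0  # flat history: count one unit of change as one sigma
    return (value - mean(population)) / spread


def assess(log: list, cohorts: dict, today: int) -> tuple:
    """Return ({user: score}, [users above THRESHOLD, highest first])."""
    history = defaultdict(lambda: defaultdict(list))  # user -> feature -> past daily values
    current = {}                                      # user -> today's features
    for row in log:
        f = features(row)
        if row["day"] == today:
            current[row["user"]] = f
        elif row["day"] < today:
            for name, value in f.items():
                history[row["user"]][name].append(value)
    scores = {}
    for user, f in current.items():
        peers = [u for u in current if cohorts.get(u) == cohorts.get(user)]  # includes the user
        components = []
        for name in FEATURES:
            own = zscore(f[name], history[user][name]) if history[user][name] else 0.0
            cohort = zscore(f[name], [current[p][name] for p in peers])
            components.append(SELF_WEIGHT * own + COHORT_WEIGHT * cohort)
        scores[user] = round(mean(components), 2)
    flagged = sorted((u for u, s in scores.items() if s >= THRESHOLD), key=lambda u: -scores[u])
    return scores, flagged


if __name__ == "__main__":
    print(assess(build_sample_log(), COHORTS, today=10))
```

Two design points worth noting: the cohort comparison keeps a firm-wide busy day (a filing deadline) from flagging everyone at once, because peers' counts rise together, while the self comparison catches the one person whose day looks nothing like their own past. Scores are only a prompt for manual review, as the text says; the threshold and weights need tuning against your own mail flow.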
4. Refine firm-wide security policies
It’s a cycle of continual refinement.
At the beginning, you have to use your best judgement to create security policies. Once they’re in place, you can monitor your mail flow to detect any emails that are violating the rules you set. With this information, you can refine security policies, making them more robust with each iteration.
If you’re not sure where to start, you can also put monitoring software in place first, watch for a little while and then use this information to create appropriate security policies.
When choosing monitoring software, look for reports that you find easy to read. Data can be overwhelming, and while legal professionals have a reputation for being busy, your time is just as valuable.
Keep asking questions
We’re living in an interesting time for data security and we hear from a lot of people walking the fine line between complying with the GDPR and keeping daily operations running.
If you’ve got questions, we’re happy to talk through your challenges to see if we can provide more information or help. We’d love to share best practices we’ve developed because security truly is a group effort.