New federal regulations promulgated by the Consumer Financial Protection Bureau will apply to real estate lawyers. But they are also a pretty solid starting point for any lawyer or law firm.
Here’s a summary of the best practices, compiled by Law Technology Today’s Pegeen Turner:
- Create and implement a written Privacy and Information Security Policy which describes how Non-Public Information (read client data) is protected. This policy should include data stored on mobile devices.
- Obtain an Information Security Risk Assessment to verify where data is stored, processed, transmitted and disposed—including external threats to data exposure.
- Verify that your data security system is regularly tested and any issues resolved.
- Create an Acceptable Use Policy that is annually reviewed, updated and verified by employees including use of the internet, email and company resources.
- Confirm that data is only available to authorized users, including procedures for removing terminated employees. (Lock down your network and don’t give everyone access to all of the firm’s data unless they need it).
- Create, test and implement complex password policies.
- Create and implement a policy regarding removable media and restricted use of USB drives.
- Provide encrypted email and encrypted hard drives.
- Document intrusion detection and security alerts. If this has been outsourced, have external party provide reporting of detection and security.
- Verify physical security to the office, server room and other data (offsite storage) is limited to authorized personnel.
- Create and implement a Clean Desk Policy.
- Create, implement and test a Disaster Recovery Plan.
- Create and implement policies for hardware and software updates and modification.
- Create, implement and test backup procedures to prevent data loss, including if this is done through a third-party backup company.
- Require third-parties that have access to your data that they comply with all of the same security procedures.
- Include a privacy statement on your website and describe how the data that is collected on your website is protected.
- Create and implement a policy for record retention and destruction, including these same policies for third parties that retain and destroy firm data.
How close is your firm to following these best practices?
Featured image: “Hand holding pen and checklist on a clipboard” from Shutterstock.