Take a close look at the client lists for any Legal Aid organization and you’ll find a list of clients that covers a broad range of who’s who in the business world. Boeing, Microsoft, Schwab and the list goes on.
Said no one ever.
The truth is that legal aid groups exist to serve those citizens who do not have the access to legal support that those corporations or more affluent individuals might have. The relatively lower economic profile of Legal Aid clients can sometimes lead to a more relaxed data security program. Not so fast, says Ricci Dipshan of Legaltech News.
“Unlike law firms, civil legal aid providers rarely handle sensitive information from public or wealthy clients. But don’t be fooled—their susceptibility to cyber threats is just as significant.”
How? It really breaks down into 3 separate causes. Here are the key issues and how to best deal with them.
1) Fluid and distributed work force
Teams of volunteers often move in and out of Legal Aid groups. Keeping all those credentials straight to make sure only current staffers can see private information can be a tall order. Inactive accounts on the network represent a pretty big gap in security.
Solution: Task your IT group with running regular reports to validate activity and access for non-staffers. Inactive accounts should be disabled ASAP. Also, be sure to maintain a clear policy for what happens when an internal resource leaves the group: all access must be disabled immediately.
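One way to produce the report described above, as an added example that is not part of the original article. The CSV export, its column names, the sample rows and the 30-day idle threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_EXPORT = """username,role,enabled,last_login,left_on
asmith,staff,true,2024-05-28,
bjones,volunteer,true,2024-02-10,
cdiaz,volunteer,true,2024-05-30,2024-05-31
dlee,intern,true,,
epark,volunteer,false,2023-11-02,2023-12-01
fwong,staff,true,2024-01-05,
"""

MAX_IDLE = timedelta(days=30)  # assumed threshold; set it to match local policy


def parse_day(value):
    """Return a date for an ISO string, or None for an empty field."""
    return date.fromisoformat(value) if value else None


def accounts_to_disable(export_text, today, max_idle=MAX_IDLE):
    """Return (username, reason) pairs for enabled accounts that should be disabled."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to do
        left_on = parse_day(row["left_on"].strip())
        last_login = parse_day(row["last_login"].strip())
        if left_on is not None and left_on <= today:
            # Departure policy: access ends when the person leaves, staff or not.
            findings.append((row["username"], "departed " + left_on.isoformat()))
        elif row["role"].strip().lower() != "staff":
            # Activity check for non-staffers (volunteers, interns, contractors).
            if last_login is None:
                findings.append((row["username"], "never logged in"))
            elif today - last_login > max_idle:
                idle = (today - last_login).days
                findings.append((row["username"], f"idle {idle} days"))
    return findings


if __name__ == "__main__":
    for user, reason in accounts_to_disable(SAMPLE_EXPORT, date(2024, 6, 1)):
        print(f"DISABLE {user}: {reason}")
```

Accounts that were provisioned but never used are flagged alongside idle ones, since both are enabled credentials nobody is watching.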
2) Information Access
Along with this distributed workforce comes a natural distribution of data. Laptops, desktops, iPads and phones can all contain sensitive and private information with little or no security whatsoever.
Solution: As Michael Donnelly, CIO of Simpson Thacher & Bartlett, points out, “When it comes to accessing and sharing files internally there should be some restrictions of who has access to what,” Hernandez advised… “make sure [non-staff members] are only getting access to what they need.” This concept also extends to documents. Secure document access would ideally be accomplished through the use of a document management system.
3) Personally Identifiable Information (PII)
In many instances, data breaches of PII can trigger substantial customer disclosure requirements as mandated by each state. But the rules for when information has been exposed and the trigger for notification can vary. Tina Foster of Law Firm of Tina Foster noted that the obligation to notify New York State of a breach “is triggered when any New York business discovers the private information of a New York resident is, or was reasonably believed to be, acquired by a person without valid authorization.” The term “private information,” however, is defined in two elements—“personal information plus another data element,” Foster explained.
The Answer: Legal Aid groups regularly maintain PII for their clients. However, if they are regimented about keeping certain key information separate and secure, they can greatly reduce their risks. Personal information can be a name or phone number. Keeping it separate from other PII such as a Social Security number, driver’s license, or banking information can limit a criminal’s ability to use the information for nefarious purposes, and can spare Legal Aid difficult (and expensive) breach response and disclosure procedures. It’s only when these items are exposed together that a group can find itself dealing with the headache of a true data breach.