Law Firms are agents of Banks in respect of many transactions they perform, and thus hold the personal information of those Banks customers in their electronic and paper records. Data Privacy Assessments and Audits from banks on their third parties should be expected by Law Firms who do Bank work. An assessment is a good chance to answer some difficult questions between the Business and the Information Technology stakeholders. The outcome of an assessment should be some remedial action to be taken to address weak points.
Compliance with Data Privacy and Information Security is a process. An assessment represents an excellent opportunity for law firms affected to assess where they are, and what they still need to do to become compliant. Audits are likely in 2010, and there is a good window of opportunity to take remedial action between now and then. All Law Firms that process personal data of their own clients or on behalf of institutions would do well to be answering questions around these issues as 2010 approaches, and business back ramps up to a point where it will become harder to spend the appropriate time on these important policies and issues.
What personal information is of concern? Michalsons Online have a detailed article on this subject, but to give specifics for Conveyancing firms, a Home Loan Customer's Name, ID number, Address, and account number (at minimum) falls into personal data processed by third parties, namely the Bond Conveyancing Attorney. Home Loan instruction data which used to arrive by Fax and Post, now arrives largely via electronic means, and is typically also stored and processed further digitally, and is also printed at some point during client / matter processing. This data processing alone gives any Conveyancing Attorney Firm cause to look at their Data Privacy and Information Security Policies, and the current implementation and testing of those policies.
Question 1 of a standard Assessment is the absolute starting point towards compliance and underpins all the other initiatives or actions that can be taken to become compliant.
"Do you have a data privacy and / or information security policy?"
It sounds like an easy one to quickly sign off as green, but involves the management of the business taking active responsibility for the planning and implementation of data security, and understanding that very little compliance in Question 1 is Information Technology related.
Having a mandated and signed off Information Security Policy by the business owners is thus the key starting point and can be put into in a single page document. It authorises the operational management to take key steps and implement plans and procedures in defence of all data received, stored or transmitted. This document when communicated makes the first important start towards raising awareness of the employees of the firm about data privacy.
(A basic audit will look for evidence of this policy being signed by senior management as well as evidence of publication of it across the firm)
This is the part probably most ignored by most companies so far in respect of establishing policies around data privacy / security of information. The following are good starting points for areas that must be addressed by a basic information security policy.
Responsibilities for Information Security
Information Classification (Establishing an Information Asset Register)
Physical Security and Access Control
Information System Security
Business Continuity and Disaster Recovery
These are logical and progressive steps. Without a prior step at least having some attention, it may be difficult to move successfully to the next.
Responsibilities identify people in the organisation that must take action and a good body to establish is an Information Security Forum, which would normally comprise at minimum of a legally trained senior staff member (who is aware of the compliance issues), a business person who can authorise the spend and drive the process through to staff, and a technical manager who can translate requirements into technology.
A good first step of the Forum is to identify what information is critical to protect, who owns it, and who should have access to it and the degree of risk / sensitivity associated with that data. This comprises the Information Asset Register and will be a key document in terms of what to protect first and where to expend resources. It may be a surprise to companies who realise they are not adequately protecting their own employee records, as well as their own financial information when this exercise is started. Ownership of data is also interesting to consider, and many would do well to identify Bank Customer data received as "owned" by the bank at all times, and that the firm is merely processing the data for the duration of a transaction. Claiming ownership of customer data received, or unwittingly giving away ownership of such data to providers of technology would raise red flags in a data privacy audit. Ownership of data gives a business permission to sell and distribute that information.
Physical Security is well understood by all South Africans, but acceptable access control could be exposed in companies that have an open door policy for customers and visitors as well as insufficient access controls to confidential document areas and information systems.
The policy needs to detail what is required by staff and visitors in respect of access control, and the assessments have clear guides on mostly traditional security issues.
Information System Security to address the Data Privacy concerns requires demonstrating that the following basics are addressed.
Email policies that define secure / appropriate usage, legal trailers, and encryption.
Printing policies: securing, logging, monitoring and disposal of printed matter
User Access Control Procedures, creating, maintaining and revoking users and rights.
Password Management and Maintenance.
Backups, Offsite backup, access to backups in transit, logical access to backups.
Anti Virus, Firewalls, Network monitoring, Storage encryption.
An Acceptable Use Policy (AUP) is a key document that both educates all staff and users of information systems as to what is expected in respect of business use of the systems provided, and can include a number of expectations from business that address data privacy. The most obvious issues covered in an AUP is an acceptable use of email as well as other web based email / social media internet applications. "Acceptable Use" is a subject all on its own, and ranges from complete lock down of inappropriate technology and websites to a trust policy where staff is educated at recruitment and ongoing training is provided as to what comprises risk based activities of employees for the company.
The AUP would normally detail consequences of non compliance by employees. Audits will look not just for evidence of an AUP in respect of email and other information systems compliance to good practice, but evidence that staff have recently signed or acknowledged the AUP content. An acceptable use policy is common in large corporate companies, but will serve smaller firms well in terms of compliance to data privacy issues. An easy technical setting can have all staff "accept" the AUP every time they login in the morning to access the company Information systems.
The AUP also falls into the Human Resources (HR) domain in terms of ensuring it is part of the induction process and that signed copies of this document are obtained. Further controls from HR are basic screening for criminal and credit histories that can be easily done for a cost of about R50 per employee. These are well documented as a necessary part of compliance. Contractor management is another sub section that requires it own attention from HR and management as these staff may fall outside of normal staff procedures and policies.
Mobile and Remote working facilities is an area that may expose many firms as Laptops travel home with key information on local hard drives and if lost or stolen may well expose large amounts of client information. Once policy establishes what level of protection is required in this area, it is normally a technology decision on how to protect the data on the local laptop as well as any weak access points that are provided for the remote worker including Wireless or Virtual Private Networks.
Business Continuity and Disaster Recovery are key technical aspects of ensuring that Data Privacy is compliant. Ironically offsite backups and transport of the same can introduce data privacy issues of their own, as those processes need to demonstrate that they do not create their own risk of loss of data. The signed off plan for Business Continuity and Disaster recovery are as important as having technical systems in place that appear to provide for disaster. The most simplistic form of Disaster recovery is back up of information and preferably offsite. Most firms would address this, but is the schedule outlined in a plan and is it ever tested except for in a real disaster? These are the hard questions asked at audit time.
Protection of Stored Data can be addressed in many different ways by a Technical Department but is more focused if the information asset register is used to prioritise what information is sensitive and the levels of access available.
An Incident Response Process provides for the event in which a data breach occurs and indicates who needs to be informed from the relevant organisation affected. The information asset register would be a key document used in this process, as it would detail the information owners of breached data, and who would be contacted according to the incident response process. This part of compliance may seem like something that is only done when a lot else has been put in place, but it is actually relatively easy to do quite early on in the overall process.
Correct disposal of Printed and Electronic media with customer information is probably often missed as Waste bins might mean that printouts end up in regular refuse and old hard drives may not be correctly removed of all data when sold or given away.
Existing Internal and External Audit may well cover some of the aspects of the data privacy requirements discussed. The complete Information Security policy will mandate that at least an annual audit report is carried out to assess all aspects of policy implemented and suggest current remedial action towards compliance.
Data Privacy is here, and what was acceptable in terms of risk is no longer. It cannot be fixed from the Technology side and driven back to business. It must start with a business decision to establish policy and frameworks to ensure the risk and compliance issues are addressed through technical and non technical means. Although the expected Bank assessments may spring Law Firms to action weak points, they will be glad for the kick start that it gives a process that cannot be implemented overnight.
Contributed to Tech4Law by: