Discover how a fresh approach to IT governance can give legal firms a great framework for data compliance.
The data compliance challenge
For legal firms, the implications of a data security breach are acute. SRA regulations are becoming stricter every day, and fines for data security breaches are growing in parallel, to the extent that a major incident could put a smaller legal practice out of business.
But if you follow these tips – and as the SRA itself makes clear in a new report, Silver Linings: cloud computing, law firms and risk – SRA compliance needn’t be a hindrance to more efficient and cost-effective IT governance. Using them as the basis for an IT compliance audit could also pave the way for wider business benefits.
10 steps to SRA data compliance
1. Take the cloud approach
Hosted systems and services can take the pain and much of the cost out of your IT strategy – but they do involve handing your data over to your service provider for storage and management.
You are still responsible for the protection of that data when it comes to SRA compliance, so public cloud services that could lead to it being stored on unspecified or sub-contracted servers are probably not the ideal solution. Instead, choose a provider who specialises in private or hybrid cloud services and who will allocate dedicated, secured storage for your data.
2. Don’t neglect due diligence
Outcome 7.3 of the SRA compliance code requires law firms to identify, monitor and manage all risks to compliance – which means asking your service provider for evidence of their ability to address every risk-based issue and eventuality. Follow up customer references and insist on proof of their business continuity track record, event history and strategy for preventing data security-related problems from arising in the future. Make sure that specific penalties for SLA failures are defined, as well as your redress in the event of a data breach.
3. Choose a service provider who understands SRA compliance
Outcome 7.10 of the SRA compliance code means that you must provide access to data and audit reports in the event of a breach. A good managed services partner will have no problem agreeing to terms which allow the SRA to access data or commit them to delivering usable data on demand.
4. Prioritise backup and business continuity
If you outsource data storage, you need to be sure that your service provider can protect it in the event of a technical failure or unforeseen downtime. The key is in the SLA. Contracts should define the frequency of backups, and ensure data continuity in the event of the provider’s collapse or your decision to switch hosting partners.
5. Data protection is king
Data protection is the lynchpin of SRA compliance, so you must choose a service provider who is fully versed in the requirements of the Data Protection Act, including the location of stored data.
Choosing a provider who can offer at least full Safe Harbour compliance is essential – and might be a good argument for sticking to suppliers whose data warehouses are in appropriate geographic locations.
If you go for a US supplier, for example, can you be certain that your data will be protected from that country’s increasingly sweeping surveillance laws, which could require a provider to disclose confidential information from the data they are holding for you?
Regardless of location, contracts should stipulate that data will only be accessed or shared according to your instructions, and that you will be notified in the event of any other demand for disclosure.
6. Retain full ownership of your data
Make sure your managed data services contract defines the responsibilities of the service provider in safeguarding the integrity of your data. And above all, make sure you implement software encryption policies that protect all documents containing data – and that the encryption keys are generated and held by your firm rather than by your service provider, so that there is no risk of renegade employees breaching confidentiality or stealing data on the hosted site.
7. Don’t forget mobile security
Hosted services give legal firms the full benefits of mobility – employee and partner access to data wherever they are, and from any approved device. So you must have properly secured mobile communications channels which eliminate the potential for eavesdropping in public WiFi hotspots, for example.
8. Enforce data security policies
Don’t forget the obvious. According to the Department for Innovation & Skills 2013 Information Security Breaches Survey, last year almost 60% of UK SMBs suffered staff-related security breaches and 17% were fully aware that their staff had broken data protection regulations during the previous year.
Data compliance depends on constant education and enforcement. Hosted services can be a real help here, removing the need for vulnerable USB sticks – easily lost – and even the transmission of sensitive data by email. But service users still need to know their responsibilities and comply with security policies. They should regularly change their passwords, and keep them secure and unrecorded, for example.
9. Don’t let IT compliance become a silo
Consider centralising your compliance information in one place, where you can manage, revise and update policies, protocols, controls and metrics. This will make for easier documentation and reporting in the event of a compliance breach.
10. Keep your clients informed
If you embark on a hosted computing strategy, your clients need to know that their own data will be secure and that, as a service provider yourself, you are complying with any data security regulations that they must adhere to. Also, make sure you get their informed consent when it comes to the storage and handling of any unusually sensitive data.