May is “Privacy Month” on the Pivot Point Security blog, and we’ve already posted a multi-part article on 5 Indispensable Success Factors for law firms’ security and privacy initiatives.
In this post, I’ll move the discussion to the next level, to answer the question “Where do we start?” with addressing security and privacy requirements. I’ll overview the most important steps you can take now to address both short- and longer-term security and privacy goals.
Where to start with information security goals
The basic starting point for attaining security goals is to gather the basic data you’ll need to guide the effort. This includes:
- Understanding and classifying your asset environment, so you know what it is you need to protect. Be sure to take into account assets that are considered confidential or sensitive, assets that are operationally critical, and those with high monetary value.
- Determining what functional areas and specific roles should be the owners of assets. This helps define security and privacy responsibilities related to your assets. HINT – IT does not own everything. 😊
- Assessing risks and control gaps based on legal, regulatory, contractual and best-practice obligations that pertain to your assets and overall environment. This process is highly recommended as these obligations change regularly.
Once you understand what you’re trying to protect, you can take steps to assess and patch technical vulnerabilities, to configure hardware and systems with a focus on security, and to manage privileged access to your assets based on their classification.
Where to start with privacy goals
As with security, the starting point for attaining privacy goals is basic data gathering and analysis. This includes:
- Mapping how your firm collects, stores, processes and/or shares PII.
- Identifying any processing of PII that is considered high-risk or that requires higher levels of data protection.
- Ensuring that data subjects can exercise their rights based on the legal basis for processing (contractual clauses/attorney engagement letters), privacy and retention policies, and applicable laws and regulations.
- Understanding what privacy requirements laws, regulations and client contracts impose on you. Depending on where you collect PII, you could be in scope for one or multiple regulations.
- Understanding your responsibilities and limitations versus those of third-parties, to help reduce overlapping or unnecessary efforts.
Once you understand how you’re currently handling PII and how regulations require you to handle it, you can begin to analyze your control/framework options. This will help you adopt the best strategy or framework (GDPR, CCPA, ISO 27018, SOC2) to achieve your privacy goals, based on the regulations you are in scope for.
Words of wisdom
I’ll conclude this series of posts on security and privacy for law firms with two considerations that have impacted many of the engagements I’ve seen.
First, while implementing components of an initiative can seem comparatively easy, the cascading impacts of changes across the organization may be daunting. Stay connected with stakeholders and provide frequent status updates. This will help keep you from getting lost in the details and losing sight of the big picture.
Finally, remember that while inaction is a choice—it’s not an option. Doing nothing is a “time bomb” that leaves you wide open to both data breaches and regulatory sanctions.
The more proactive you are about strategizing, implementing, managing and educating users about your security and privacy program, the sooner your firm will be meeting its compliance goals and making security and privacy good practices part of its culture. From that point, adapting to the ever-changing security and compliance landscape will become an organic process within your firm.
I sincerely hope you’ve found these “Privacy Month” posts beneficial. To discuss your practice-specific security and privacy requirements and concerns with an expert, or to strategize on next steps, contact Pivot Point Security.