How much do you know about the data security measures that are in place at your corporation in order to protect sensitive corporate data from being compromised? If “data security” in your organization is an issue you haven’t had an opportunity to explore yet, now would be a good time to ask around and come up to speed.
Chances are that your company has an aggressive data security plan in place, likely including a comprehensive security policy, data protection measures and a specific documented business continuity plan in the event of a need for data recovery. These are just commonly accepted best practices for any company operating in today’s Information Age.
Your legal department's work product is critical and confidential information that needs to be appropriately protected from attack, compromise or loss. As a leader within that organization, you have a responsibility to ensure appropriate protection, whether by your internal security teams, your outside vendors or both.
Surprisingly, we often find that corporate legal departments are handing off their highly sensitive and confidential information to internal IT teams or external vendors without exploring how that information will be inventoried, protected, monitored and secured. And all too often, those professionals lack the appropriate control environment for managing that data. This includes documents related to specific matters – litigation, transactions, legal holds, government investigations, etc. – as well as to corporate legal spending, such as outside counsel billing and related legal expenses. In many cases, the data involved may carry regulatory obligations, such as PII, PCI, HIPAA or others.
This blind spot when it comes to data security is rarely caused by corporate counsel and their staff members who are unconcerned about the importance of protecting these documents, and it’s certainly not because they fail to take seriously their obligation to manage risk to the organization from a potential disclosure of confidential information. Rather, most of the time it’s simply because they don’t know what questions to ask of their vendor or internal IT group.
To help bridge this gap between good intentions and lack of awareness among corporate legal executives, here are five important questions to ask about how your corporate legal information is secured, either by your internal IT staff or external vendors:
1. Do you maintain a formal process approach for protecting critical information?
Any organization that is protecting critical confidential information should maintain a formal process for managing and protecting that information. Third-party certifications are often a good sign of organizational maturity in that regard, and there are some standard credentials you should look for in a mature control environment. For example, for third-party vendors you should see references to something called SSAE 16 attestation. This is a statement on standards for attestation engagements developed by the American Institute of Certified Public Accountants (AICPA) to audit and examine the internal controls of service organizations. SSAE 16 encompasses a number of data security best practices, the maintenance of formal control environments, and regular internal and external audits of control effectiveness. If not certified, internal IT organizations should be able to provide formal documentation of policies and procedures around the management of critical confidential information. Specifically related to information security, alignment with the best practices outlined in ISO 27001 is a standard part of a mature information security program. Other third-party security certifications include the eTrust Privacy Certification, Trustwave, TrustE and HIPAA/HITECH certification.
2. Do you regularly audit your security posture?
It’s important to have routine audits conducted by third parties who will subject your internal IT organization’s or third-party vendor’s data security infrastructure and posture to rigorous independent testing. These assessments are widely accepted as an information security best practice for protecting critical confidential information: they are a common requirement for compliance with the PCI Data Security Standard and other industry standards, which typically require frequent independent audits of the control environment.
3. Do you conduct ongoing internal tests of your security posture?
You should also inquire about whether there is an internal audit team in place at either the vendor’s organization or within your internal IT group. The third-party assessments at specific intervals are crucial, but mature organizations also have an internal team that is tasked with the responsibility of testing protocols, carrying out simulated data attacks and staging disaster recovery operations. These internal tests should be ongoing, and there ought to be a clear feedback loop in place for addressing weaknesses in the control environment or possible loopholes in the data security measures.
4. How mature is your Information Security infrastructure?
You need to ask your vendor or IT team about the maturity of their information security infrastructure. Are the applications and systems designed with information security in mind? Are they regularly updating their software with vendor patches to protect against known compromises? Have they implemented best practices around security infrastructure to provide a more active form of protection? How is confidential information protected on employee computers, such as laptops? How are they updating their infrastructure security controls over time to protect against new threats?
5. What are you doing to actively monitor your electronic infrastructure?
In addition to routine third-party audits and ongoing internal testing, a vendor or IT group that follows data security best practices will also deploy a proactive monitoring strategy to keep an eye out for potential compromises of the system. There are two ways to make this happen: either build an internal team of security analysts who perform 24/7 infrastructure monitoring, or engage a third-party managed security services vendor that specializes in monitoring information systems for signs of problems. There are advantages to each approach, but the primary objective is to have some sort of active monitoring plan in place around the clock. If a compromise is detected, is there a plan to notify you – the customer – of the incident?
The bottom line to these five questions could be summarized as follows: What does your information security control environment look like, what are you doing to actively monitor this environment for warning signs of possible security compromise and how are you staying abreast of the changing threat landscape?
The reality is that even the best data security measures are not a guarantee against compromise – as we’ve seen in recent stories illustrating security problems at various information security vendors. As computer security expert Gene Spafford is quoted as saying, “The only truly secure computer is the one unplugged from the wall and locked in a vault.”
The key is to make sure you’re partnering with a team, internally or externally – such as working with us at LexisNexis CounselLink – that uses aggressive data security controls in order to protect your sensitive corporate legal information as well as possible. After all, part of your job is to manage risk to the organization, and entrusting your company’s confidential data to a vendor or IT team that fails to use data security best practices is simply inviting unnecessary risk to your front door.
Jonah Paransky is Vice President and General Manager of LexisNexis CounselLink, a matter management, e-billing and legal hold solution for corporate legal departments.