The Most Powerful (and Cheapest) Risk Management Tool

Funding for security initiatives can be difficult to come by, especially since most lawyers have gotten by for years with minimal investment in this area.  Many still rely on little more than antivirus software and a back-up hard drive.  Naturally, lawyers often ask what they can do to minimize their information security exposure and reasonably manage their risk without large budgets.  Fortunately, the very best (and perhaps the most obvious) way to protect data costs nothing but a little time.  Sound too good to be true?  Think about all the old client emails you’ve saved on the various devices you use and ask yourself if you really still need each and every one.  Or is there a chance that you might be better off (and less exposed) by deleting a few thousand copies here and there?  If there is less data to be stolen, there is less need to invest in expensive protections.

The Only Way To Be Sure

Not only is deleting data free, it’s effective.  No other protection can provide a 100% guarantee that data won’t be stolen (and if anyone tries to sell you one, they’re lying).  The ability to delete data already exists in every application and on every device without additional cost or configuration.  There’s nothing to stop lawyers from immediately beginning to manage their information security risks with this readily available tool.  In the event of a breach, a process for deleting unnecessary data could mean the difference between calling one client to tell them you lost their information and calling one hundred clients with the bad news.

Control The Sprawl

In many situations, best practices call for a lawyer to collect as much data as possible, leaving no stone unturned in the advocacy of a client.  It would be wrong for a lawyer to ignore any potentially useful information out of a desire to limit his or her own information security risk.  But does the data still need to linger everywhere it was stored once a matter is settled?  Of course firms need to preserve all relevant materials in a master repository to ensure they meet the necessary retention requirements.  But in this world of mobile devices and cloud computing, sensitive client information may also be stored in non-official, “temporary” locations where it could be deleted without harm.

Perhaps you collaborated on Google Docs with a co-counsel or sent some files to a personal email address for review during a vacation.  Even more likely, you’re one of a growing number of lawyers adopting the use of tablet computers, and you copied some files to a cloud account to facilitate access.  Whatever the case, taking the time after a matter is settled to go back and delete temporary or unnecessary copies of confidential client data results in a significant reduction of risk.  Most importantly, it will limit the amount of data lost and the number of clients impacted in the event that there is a security issue like a lost iPad or successful cyber attack.  Reducing your exposure in this way can prevent a minor security problem from becoming a major headache.

Get Proactive To Minimize The Pain

We often intend to go back and delete unnecessary files for reasons unrelated to security.  Who wants thousands of messages sitting in an inbox or unused files eating up precious storage space?  Yet despite all the best intentions, the likelihood of actually performing a comprehensive clean-up is pretty low, especially when it becomes a laborious chore that demands a serious investment of time.  I currently have 19,847 unread messages in my personal Gmail account.  It would literally take me hours to go through and delete the unwanted messages, and so naturally I choose to avoid this hassle and live with a mailbox full of unnecessary (but non-sensitive) email.

So how can lawyers ensure that they delete sensitive data while not wasting time on the unimportant stuff?  Develop processes to help you track and manage client data across systems and accounts.  For example:

  • Create a consistent folder structure for storing and identifying work files.
  • Use a client or matter number in the email subject line or folder name to allow for easy searching.
  • Set reminders to periodically purge files once they are no longer relevant to active matters (like a digital Spring cleaning).
  • Use a separate cloud account or dedicated personal email address to manage and share work files.
  • Designate a “master repository” to hold official copies for record keeping so that you can delete “temporary” copies with peace of mind.

It doesn’t really matter how you track and purge unnecessary files as long as you create a process that works for you.  It may be difficult to find time every day or even every week to clean house, so set a schedule that feels reasonable and manageable.  Purging files just a few times a year could greatly limit your exposure and the number of clients affected by a lost device or hijacked account.  Failure to get a handle on the growing number of files spread across an ever-increasing number of apps and devices will only multiply the level of unnecessary risk.
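One way to put the list above into practice, as an added example that is not part of the original article: the script finds files in a “temporary” location that carry the number of a closed matter and marks a copy safe to delete only when a byte-identical file exists in the master repository. The `M-YYYY-NNNN` matter-number convention, the folder layout and the function names are assumptions made for illustration.

```python
import hashlib
import re
from pathlib import Path

# Assumed naming convention: folder or file names carry an ID such as "M-2023-0142".
MATTER_ID = re.compile(r"M-\d{4}-\d{4}")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents do not load into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def master_index(master_root: Path) -> set:
    """Hashes of every file held in the master repository."""
    return {sha256_of(p) for p in master_root.rglob("*") if p.is_file()}


def plan_purge(temp_root: Path, master_root: Path, closed_matters: set):
    """Split temporary copies of closed matters into safe-to-delete and needs-review."""
    archived = master_index(master_root)
    safe, review = [], []
    for path in sorted(temp_root.rglob("*")):
        if not path.is_file():
            continue
        match = MATTER_ID.search(str(path.relative_to(temp_root)))
        if match is None or match.group() not in closed_matters:
            continue  # untagged file or still-active matter: leave it alone
        (safe if sha256_of(path) in archived else review).append(path)
    return safe, review


def purge(paths, dry_run: bool = True) -> int:
    """Delete the listed files; with dry_run=True only report what would go."""
    for path in paths:
        print(("would delete " if dry_run else "deleting ") + str(path))
        if not dry_run:
            path.unlink()
    return len(paths)
```

Files returned in `review` belong to a closed matter but have no identical copy in the master repository, so file them there before deleting anything.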

With client expectations about security becoming more heightened amid a burgeoning number of cyber threats, lawyers should look for strategies that can cheaply and tangibly reduce their security exposure.  Something as simple as getting rid of what you don’t need is not only inexpensive, but effective.  And who knows, a less cluttered work environment may even contribute to an overall increase in efficiency and productivity while you benefit from reducing your risk.

About Adam Carlson

Adam Carlson, M.S., CISM is a security solutions consultant at IntApp where he helps law firms implement next-generation data protection and security monitoring tools. He has over 10 years of experience in IT and security management. Prior to his consulting role, Adam co-founded Carlson & Wolf LLC, a legal security consulting firm, and has also worked as an external security auditor and as a Chief Security Officer at a large public organization. He views protecting client data as a mission-critical objective for lawyers and one that requires close coordination between IT and law firm management. Adam can be reached on Twitter at @ajcsec or through his LinkedIn profile.
  • Ann Mullen

    Adam, what about all those law and order type shows that say that even wiping the hard drive doesn’t erase the information?