Is Your Least Qualified Employee Making Your Data Security Decisions?

Do you trust your paralegal with making the data security decisions for your firm?

She’s trying to do a great job for you. She’s willing to do whatever it takes. She’s curious, ambitious, and tech-savvy. She knows some good tricks.

She’s wicked smart when it comes to using her computer. She does things you had no idea could be done. She makes you look good in court, in front of clients, and outside of the office when you do presentations.

Do You Know What Your Employees Are Doing With Your Data?

Last week, she set up an account with Dropbox, an online file storage provider.

Dropbox gave her a free account. She’s using the storage to store work files so she can access them away from the office.

She hasn’t bothered to tell you what she’s doing with the data. She’s sure you’ll approve. She’s just trying to do a better job for you and for your clients.

  • She really likes the idea of having remote access to the client files.
  • She wants the files at home so she can keep contributing after hours.
  • She also wants to be able to access client files while she’s doing research at the courthouse.
  • Plus she needs the data while she’s working with the paralegal at opposing counsel’s office.

Her intentions are good. Her actions, however, are frighteningly dangerous.

The Risks of Abdicating Authority Over Your Data

Remember, she moved those files without your knowledge or consent. She’s freelancing with your data and risking the privacy of your clients. She’s flying by the seat of her pants.

While she did her best to pick a good file storage vendor, she ultimately picked a consumer-oriented service. These services are usually secure, but consumer-oriented file-sharing solutions don’t necessarily offer enterprise-level security, encryption, or policy enforcement. They rarely provide mechanisms and administrative tools for auditing the interactions with your files.

Services like Dropbox make it easy to share files and folders—maybe too easy. With a click or two, she might inadvertently share an entire folder or even make it public. Beyond that, these consumer-oriented services are designed with mobility in mind. They’re intended to be used on mobile devices, and that’s likely how they’ll be used. The theft of a phone may result in the theft of your data.

You need to be involved in deciding where your data is stored. Your law license is on the line when you’re dealing with issues of client confidentiality.

How to Avoid Breaching Client Confidentiality

You need a policy on taking client information out of the office. That policy needs to cover physical files as well as digital information. You need to carefully define the limits and decide what data-related behavior will result in consequences. You can’t have people making their own rules as they go along.

Imagine a 20-employee law firm where 15 employees are determining independently where to store the client information. That’s chaos.

Realistically, it’s chaos whether it’s a 20-employee firm or a two-employee firm. You’ve got to be in the loop, making the decisions and supervising the storage of the data. You can’t afford to have employees making these critical decisions without your input and agreement.

If your current policy manual and related training fail to address the use of web services and software like Box (or Dropbox or Bitcasa, the one I use), then it should. You must address the issue before your employee tackles it on her own.

Bottom Line: Manage the Magic

However, don’t toss the baby out with the bathwater. She has good reasons for wanting access to the client data. She’s using it to add value and serve the firm’s customers. Her need for useful technology to help her accomplish client objectives is not to be ignored.

You just need to evaluate the usefulness of the technology, the available options, and the need to protect the privacy and other interests of the clients. After a complete evaluation of the options, you’ll make well-considered decisions and adopt appropriate policies along with training to implement your decisions.

Technology is good. Ambitious, dedicated employees are great. Put the two together, and you’ve got magic for your clients. Just be sure it’s happening with your supervision. Be sure that you’re managing the magic and that it’s not happening without you.

Start typing and press Enter to search