The short answer is: Yes!
Any organization—including law firms—that collects, processes, or uses personal information must implement information security plans to ensure that the personal data in its control is adequately protected. See CC §1798.81.5. It may not be necessary or economically feasible to create a separate CPO position, but organizations should designate and empower an employee or employees to be responsible for setting security strategy and policy, conducting ongoing regulatory analysis, and overseeing the implementation and enforcement of the security program.
As the new CPO at Pennsylvania’s Fox Rothschild explained it to the Legal Intelligencer, his position will provide “a centralized location for client questions on data privacy, review of firm technology contracts and reviews of data privacy questions on RFPs or engagement letters.” His job will also include “reviewing and revising firm policies on data security and educating attorneys and staff on the issue.”
So if law firms have to protect personal information and data they’ve been entrusted with and should have someone in charge of that effort, how vigorous do those security measures have to be? The various laws, regulations, and enforcement actions aren’t specific; they require that security be “reasonable,” “appropriate,” or “adequate.” See CC §1798.81.5(b).
One thing we do know is that an integral part of any security plan is encryption. For example, California’s statute on protecting personal information applies only to such information that is not encrypted or redacted. See CC §1798.81.5(d)(1). But even that statute doesn’t give hints as to what might be sufficiently strong encryption, probably because of the need to keep the legislation technology-neutral and thus enable it to withstand the passage of time; what’s considered strong encryption today will likely be viewed as weak in a few years.
Smaller law firms may be hard-pressed to find the resources to implement information security, but ready or not, it’s now part of the legal business as it is with all businesses. CEB is here to help with guidance on handling information security and security breach in Privacy Compliance and Litigation in California, chap 3.
© The Regents of the University of California, 2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.