
Introduction

Benefits to Stakeholders and Organizations of Socially Responsible Values

Do you have a strategy for archiving old paper case files? What are you doing with all that paper sitting around in your office, the files from all your old cases? How long do you have to keep them, and what would happen if they landed in the wrong person’s hands? What’s actually in all those papers anyway? Like most organizational problems, there’s a system, a foolproof system: large boxes are stored in the garage until the bottom molds, and only then do you consider tossing them. Whatever your organizational preference may be, I suggest a better way to handle this: cloud storage. I became concerned about the security practices of many lawyers after seeing the filing system that they practice, or don’t practice. Initially, documents would be scanned and put into an online drive. But suddenly, questions arise: “Is this a good idea?” “Is it secure, and will I be able to find these documents in five years?” Let’s dig in and see what is actually protecting our files when we put them in the ever-changing “storage cloud.”

So I ask again, what’s really in that old musty box from the 2008 divorce case? All kinds of records and legal documents: past wills, deeds, agreements and medical records that are junking up your everyday living space. All of that paper, but how long do we really need to keep it lying around on file? What if we could just scan it all and put it into an online drive when we are done with it? Imagine doing that while the case was still relevant: we could then share documents with clients almost instantaneously while collaborating with other legal professionals.

When shopping for a cloud solution you should take into account the three types of documents that you will be placing in the cloud:

  • General records (wills, agreements, decrees etc.)
  • Financial records
  • Medical records

Each type of record is protected by a “standard.” I use the term standard loosely because in some cases it’s just a suggested best practice. Each record type falls under a different standard. But let’s back up and explain the mechanics behind this ever-growing concept.

There are three areas that we need to be concerned with when moving to cloud storage:

  • The file transfer
  • The physical files on the disk
  • The password needed to access and/or to transfer

In order to secure the files, we need to add encryption to the transfer so someone can’t just read them as they come over the wire. This is where the importance of the SSL certificate comes in. Once the files are in place, they need to be encrypted in your folder; otherwise, other people on the server can read files right from your server. In fact, that’s what happened with the Dropbox controversy back in 2011. While Dropbox might not have accessed any personal files, it became known that their policy was not clear. Having the files encrypted on the server prevents them from being read by anyone but you.

General records are protected by two tightly coupled standards, and while they appear similar, they are quite different in practice.

ISO 27001 - Information security management system standard with an internationally recognized framework (here’s everything you should do).

ISO 27018 - Establishes commonly accepted control objectives for PII and is applicable to all types and sizes of organizations (here’s how we actually do the things laid out in 27001).

It’s interesting to point out that Google Drive is 27001 compliant but not 27018. This is most likely due to ISO 27018 not allowing contents to be scanned even for advertising purposes, which breaks Google’s revenue model (it’s unclear if a paid version of Google Drive would be ISO 27018 compliant).

Financial records are protected by SOC, Service Organization Controls, which covers roughly all the financial buckets mandated by Sarbanes-Oxley.

HIPAA is its own entity, with its main concern being how records are moved. It started to become closely regulated when people in the medical industry were moving documents without regard to the patient, leading to information being leaked. When transferring medical records covered by HIPAA, it’s crucial to be sure that you transfer them in a HIPAA-compliant manner, which means not via email. If the records are sent via email, be sure that there are no personal patient identifiers. While HIPAA regulations technically don’t pertain to law firms, it seems wise to follow their safeguards as a best practice regarding patient and medical records.

What Type of Data Solution is Best For Me?

  Provider       ISO 27001/27018   SOC   HIPAA
  Dropbox        Yes               Yes   Yes, with Business Associate Agreement (BAA)
  OneDrive       Yes               Yes   Yes, with Business Associate Agreement (BAA)
  Google Drive   27001 only        Yes   Yes, with Business Associate Agreement (BAA)

We can see from this chart that each of the big cloud providers is compliant with each type of data, and if you were to sign a BAA you would also be compliant with HIPAA.

Once you have decided on a drive storage, it’s important to come up with some type of data and password policy of your own. It can be as simple as adopting ISO 27001. This policy drives the password changes and protects the company by securing the data in the cloud. Simply put, it’s a policy on how you keep track of the keys to the kingdom. It can be relatively easy, but it’s all about protecting the passwords.

In the worst case scenario, should you get breached and actually lose data to data thieves, you can show that you did in fact have a policy. Furthermore, was the policy being followed by all the employees? If yes, then there must be a weakness in the policy or possibly some other type of mistake. The point here is that if you are breached, it happened because of some type of incident and not negligence or inadequate security practices. There is no difference between this and having files on your local computer and then “losing” the computer or phone where the sensitive files reside. Now you can understand why data policies are essential in protecting client data.

So great, you have decided to go ahead and get cloud storage. You may have some initial questions, such as “What is the best practice to set things up?” or “How do you handle existing data?” While there are many ways to accomplish this, the following is the best practice that will work well for anyone looking to get organized. It’s also set up to encourage collaboration and sharing with clients and other lawyers.

Set up a folder structure in your Cloud Drive:

  • 2016 - Current
      • Case File 1
      • Shared_file
  • 2015
  • 2014 - Files are encrypted
  • 2013 - Files are encrypted
  • 2012 - Files are encrypted
  • 2011 - Files are encrypted -> Get moved to an external hard drive for archiving

While working with active files, just like you would move a paper file into a locked cabinet for long-term storage, the best practice on the cloud is to encrypt and archive the file. So, for our example, the files from the year 2014 and older get an additional level of local file encryption. This would be similar to a bank, which would already be secured with an ID badge scanner, a hallway with a biometric scanner to enter, and a combination-lock vault.

In our example, we are using a six-year retention policy, so we are removing any ‘active’ level of unencrypted copies and will bring anything from 2011 offline. It’s recommended to do this yearly for closed case files in order to minimize administrative burden. Depending on your retention needs, you may elect not to move the files to an external hard drive and instead just delete them.
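As an added example (not part of the original post, which contains no code), the tiering rule of the folder layout above written out as a small Go program: given a year folder and the current year, it decides whether the folder stays active, gets the extra local encryption, moves offline, or is past retention. It assumes the post’s two-year active window (current and previous year) and six-year retention, uses AES-256-GCM for the local encryption step, and binds the folder name to each ciphertext so a file copied into another year’s folder fails to decrypt. The key handling, folder names and sample file content are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Tier is the handling a year folder gets under the retention policy.
type Tier string

const (
	TierActive  Tier = "active: plain copy stays in the cloud"
	TierEncrypt Tier = "closed: add local file encryption, keep in the cloud"
	TierOffline Tier = "archive: encrypt and move to the external drive"
	TierExpired Tier = "past retention: delete, or confirm it is already offline"
)

// Policy holds the two numbers the post's example uses (assumed values, see main).
type Policy struct {
	ActiveYears    int // years kept as plain 'active' copies (2: current and previous year)
	RetentionYears int // total years a closed file is kept anywhere (6 in the post)
}

// Classify returns the tier for a year folder, judged against the current year.
func (p Policy) Classify(folderYear, currentYear int) Tier {
	age := currentYear - folderYear
	switch {
	case age < p.ActiveYears:
		return TierActive
	case age < p.RetentionYears-1:
		return TierEncrypt
	case age == p.RetentionYears-1:
		return TierOffline // last year inside retention: this is the yearly offline move
	default:
		return TierExpired
	}
}

// Seal encrypts one file's bytes with AES-256-GCM. A fresh random nonce is
// prepended to the output so Open can recover it, and the folder name is passed
// as associated data: the ciphertext is authenticated together with the folder
// it belongs to, so moving it elsewhere makes Open fail.
func Seal(key, plaintext []byte, folderName string) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(folderName)), nil
}

// Open reverses Seal; it returns an error if the key, the folder name or the
// ciphertext itself does not match what was sealed.
func Open(key, sealed []byte, folderName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short to contain a nonce")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(folderName))
}

func main() {
	// Assumed policy values taken from the post's example layout.
	policy := Policy{ActiveYears: 2, RetentionYears: 6}
	// Constructed sample: one folder per year, as in the post's layout, judged in 2016.
	for year := 2010; year <= 2016; year++ {
		fmt.Printf("%d: %s\n", year, policy.Classify(year, 2016))
	}
	// Constructed key for the demo. A real deployment loads it from the firm's
	// password manager or a key vault, never from the cloud folder itself.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, err := Seal(key, []byte("constructed sample: 2014 settlement agreement"), "2014")
	if err != nil {
		panic(err)
	}
	plain, err := Open(key, sealed, "2014")
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %q\n", plain)
}
```

Run it yearly, as the post recommends: feed it the list of year folders and act on each tier it reports, and keep the encryption key with the rest of the “keys to the kingdom” under the password policy rather than beside the encrypted files.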

In closing, now that you have created a password policy, why not consider creating a data retention policy to formalize how long you keep things and in what order? This goes a long way when formalizing how you handle your clients’ data. While on the topic, e-mail, in truth, should not live on forever. You and your clients should have some type of email retention policy and scan messages onto the cloud in order to keep up with the ever-changing demands of document storage. Identify your documents, make sure that the cloud storage you’re choosing is certified to handle those types of documents, and finally, create a policy.

If you need assistance getting started, please email me at pselby@bcmadvisorygroup.com, and I’ll send you a one-page template.

Posted in business, IT on Feb 01, 2016
