12 steps for top-notch security . . .

With everything on computer networks, law firms must be vigilant in taking steps to protect their information assets

With work product, financial information, employee records and other essential data residing on computer networks, law firms are becoming ever more vigilant in protecting their information assets.

What should the prudent firm do? Here are 12 tips to help you move in the right direction.

The 12 steps

1. Set up your system so users must change their passwords every month or so (this option is available in many network operating systems). Hackers find it more difficult to hit a moving target.

2. Establish an electronic records retention policy. Decisions about when to delete information should be based on firm requirements rather than happenstance. There are many examples of litigants being embarrassed by the content of old electronic-mail messages that are still on the system or were discovered on a back-up tape.

3. Back up network data regularly - and test back-ups to confirm they have the information they should. A small San Francisco firm found, much to its chagrin, that the latest billing-system upgrade had changed the location of essential control files. When billing data was inadvertently destroyed, the information required for recovery was not on the back-up tape, so the billing data had to be re-created.
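The San Francisco story above is the classic backup failure: the tape ran every night, but nobody checked that the files on it were the files the firm actually needed. The following Python script is an added example (not part of the original article) of how a test of that kind can be automated: a manifest of essential files and their SHA-256 hashes is recorded from the live system, and each backup set is then checked against it for files that are missing, changed, or unexpected. The file paths, contents and the "control file moved by an upgrade" scenario are constructed for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash file contents so a stale copy on the backup is detected, not just a missing one."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record path -> SHA-256 for every file the firm considers essential.

    In practice this would be built from the live system at backup time
    and stored alongside the backup job.
    """
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_backup(manifest: dict[str, str], backup: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare a backup set against the manifest and classify every essential file."""
    missing = sorted(p for p in manifest if p not in backup)
    mismatched = sorted(
        p for p in manifest if p in backup and sha256_hex(backup[p]) != manifest[p]
    )
    ok = sorted(p for p in manifest if p in backup and p not in mismatched)
    # Files on the tape that the manifest no longer lists usually mean the
    # backup job is still copying from an old location.
    unexpected = sorted(p for p in backup if p not in manifest)
    return {"missing": missing, "mismatched": mismatched, "ok": ok, "unexpected": unexpected}


def backup_is_usable(report: dict[str, list[str]]) -> bool:
    """A backup only counts if every essential file is present and current."""
    return not report["missing"] and not report["mismatched"]


# Constructed sample data: the billing upgrade moved the control file to a
# new directory, but the backup job still copies the old path.
LIVE_SYSTEM = {
    "/billing/data/invoices.dat": b"INV-1001,450.00\nINV-1002,1200.00\n",
    "/billing/v2/control/index.ctl": b"control-file v2",  # new location after upgrade
    "/docs/matters/0001.txt": b"matter 0001 notes, revised",
}

BACKUP_SET = {
    "/billing/data/invoices.dat": b"INV-1001,450.00\nINV-1002,1200.00\n",
    "/billing/control/index.ctl": b"control-file v1",  # old location, stale copy
    "/docs/matters/0001.txt": b"matter 0001 notes",  # out of date
}


def run_check() -> dict[str, list[str]]:
    """Build the manifest from the live system and test the backup against it."""
    return verify_backup(build_manifest(LIVE_SYSTEM), BACKUP_SET)


if __name__ == "__main__":
    report = run_check()
    for category, paths in report.items():
        for path in paths:
            print(f"{category:10s} {path}")
    print("backup usable:", backup_is_usable(report))
```

Running the check shows the control file as missing and the matter notes as mismatched, so the backup would be rejected before anyone relied on it for recovery. A manifest built at backup time, rather than a fixed list written once, is what catches the "upgrade moved the files" case the article describes.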

Recovery plan

4. Prepare a disaster recovery plan. Make sure all management personnel have a copy of the plan in the office and at home - you never know when and where disaster will strike.

5. Run virus-protection software on network servers and PC work stations. Subscribe to vendors' virus update services so you can catch and eliminate new viruses as they develop.

6. Use appropriate security - passwords, call-back or electronic ID cards - to control remote access to your system. One of California's largest firms had a problem with lawyers giving their remote access codes to other firm personnel. This firm solved the problem with a microprocessor-controlled, credit card-sized device that is tied to the user's computer account. The user assigns a PIN, just as for a bank automated teller card. The only way to get into the firm's system remotely is with a valid card and the right PIN.

7. Encrypt confidential information that will be traveling over the Internet. E-mail software developers are beginning to integrate encryption into their products, making it easier to use.

8. If you have a permanent Internet connection, use a firewall (a combination of hardware and software) to keep outsiders at bay. Test the firewall regularly so you can plug any leaks.

9. Put appropriate security provisions in contracts with outside providers of products and services. Vendors should promise that their activities will not breach security and they should agree to pay for fixing any problems they cause.

Security policies

10. Distribute security policies and procedures in writing to all firm personnel. Better yet, have them sign a statement that they have read, understand and agree to adhere to the policies and procedures.

11. Audit network user information and access rights on a regular basis. Don't just eliminate access that compromises security - figure out how the problem occurred so you can make sure it never happens again.
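Tips 1 and 11 together describe a recurring access review: are passwords being rotated, are departed users really gone, and does anyone hold rights their role does not justify? The following Python script is an added example (not part of the original article) of such an audit run over an export of network account records. The policy thresholds (30-day password age, 90-day inactivity) and the account records are constructed for illustration; a real review would read them from the firm's directory or network operating system.

```python
from datetime import date

# Constructed policy thresholds (assumptions for this example, not from the article).
MAX_PASSWORD_AGE_DAYS = 30   # tip 1: passwords change roughly monthly
MAX_INACTIVE_DAYS = 90       # accounts nobody uses are a standing risk
ADMIN_ROLES = {"sysadmin"}   # the only roles that should sit in the Admins group


def audit_accounts(accounts: list[dict], today: date) -> dict[str, list[str]]:
    """Return {username: [issues]} for every account that violates the policy.

    Accounts with no findings are omitted, so an empty dict means a clean review.
    """
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues = []
        # Departed personnel should have been disabled, not merely marked terminated.
        if acct["status"] == "terminated" and acct["enabled"]:
            issues.append("terminated-but-enabled")
        # Group membership that the role does not justify is the "access that
        # compromises security" the article tells you to track down.
        if "Admins" in acct["groups"] and acct["role"] not in ADMIN_ROLES:
            issues.append("admin-group-without-admin-role")
        if acct["enabled"]:
            if (today - acct["last_login"]).days > MAX_INACTIVE_DAYS:
                issues.append("inactive")
            if (today - acct["password_changed"]).days > MAX_PASSWORD_AGE_DAYS:
                issues.append("password-expired")
        if issues:
            findings[acct["user"]] = issues
    return findings


# Constructed account export; every record below is invented for the example.
ACCOUNTS = [
    {"user": "jsmith", "role": "partner", "groups": ["Partners"], "status": "active",
     "enabled": True, "last_login": date(2024, 1, 14), "password_changed": date(2024, 1, 2)},
    {"user": "tjones", "role": "associate", "groups": ["Associates"], "status": "terminated",
     "enabled": True, "last_login": date(2024, 1, 10), "password_changed": date(2024, 1, 5)},
    {"user": "pwong", "role": "associate", "groups": ["Associates"], "status": "terminated",
     "enabled": False, "last_login": date(2023, 6, 1), "password_changed": date(2023, 5, 1)},
    {"user": "mlee", "role": "paralegal", "groups": ["Staff", "Admins"], "status": "active",
     "enabled": True, "last_login": date(2024, 1, 12), "password_changed": date(2024, 1, 1)},
    {"user": "rkhan", "role": "associate", "groups": ["Associates"], "status": "active",
     "enabled": True, "last_login": date(2023, 9, 1), "password_changed": date(2023, 9, 1)},
    {"user": "abrown", "role": "sysadmin", "groups": ["Staff", "Admins"], "status": "active",
     "enabled": True, "last_login": date(2024, 1, 14), "password_changed": date(2023, 11, 20)},
]

REVIEW_DATE = date(2024, 1, 15)  # constructed date of the review


def run_audit() -> dict[str, list[str]]:
    """Audit the constructed account export as of the constructed review date."""
    return audit_accounts(ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, issues in run_audit().items():
        print(f"{user}: {', '.join(issues)}")
```

Each finding names a specific account and a specific policy clause, which is what lets the follow-up the article asks for ("figure out how the problem occurred") start from facts rather than a vague sense that access has drifted. Note that the disabled departed user produces no finding: disabling is the correct end state, and the audit should not nag about it.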

12. Set up a management-level team responsible for evaluating security requirements and procedures to ensure that all security issues come to the team's attention for quick, appropriate resolution. Effective security requires commitment and oversight; a one-time push will not get the job done.

The tips in this article are important, but they are only the beginning. There is much more that any firm can - and should - do to protect its own interests and those of its clients.

Dana H. Shultz is an Oakland-based lawyer, certified management consultant and speaker specializing in office technology and online marketing. He may be reached by e-mail at and on the World Wide Web at