Written and recorded by Robert Edwards, Law Hound
Welcome to this data protection training session from Data Law. My name is Robert Edwards. I'm a consultant at Law Hound Limited. Previously, I was a counterintelligence and IT security specialist with Her Majesty's Government. I then moved on to lecturing and providing legal training.

Data protection: a practical approach to IT security

The session is intended as an overview and a reminder to those working in legal practices, to help ensure that you comply with the law and your professional obligations, taking into account advice and guidance provided by the Solicitors Regulation Authority, the SRA. Protecting data is vital within any business. Breaches will mean not only a failure to comply with the legislation, but there are also professional ramifications and an adverse impact on your relationship with those with whom you do business.

Data protection changes

Data protection is currently undergoing one of the biggest changes in 20 years, since the Data Protection Act in 1998. At the time of recording this session, whilst we know that, in spite of Brexit, we will be implementing GDPR, we've only recently seen the introduction of the Data Protection Bill. We do know that the main data protection principles remain primarily unchanged, but there is added accountability, in that not only will a data controller be responsible for complying with the principles following GDPR, the data controller must be able to demonstrate that compliance. There should be no revelations here, but there should be some good housekeeping reminders and some explanations that will help to make some information security terminology a little clearer.

Risk management: assessing the risks to data

First of all, what data? Data is one of the main assets in your business, but unfortunately it's also something that we often take for granted. Whenever someone reviews the measures required to protect data, there is always a logical starting point.
That's the nature of the data that needs to be protected. This means being clear about all of the data that you hold. In a busy office, it's all too easy to forget, for example, archive data, particularly data such as old case files stored on paper. But just because you don't use them, it doesn't mean they're not regarded as a part of your data system. After that, there are some questions to be asked. How valuable is our data to us as a business? How valuable would our data be in the hands of someone else? How costly would it be if all of our data were to be compromised, costly in both financial and reputational terms? Can our data be categorised into different value levels? How can we structure our data so that the most valuable is afforded the most protection? What contingency measures do we need to build in? These questions, and many more, will be the result of the need to be legally compliant, to comply with your professional duties, and the impact a breach will have on your business.

Protect everything

It's sometimes the case that at this stage someone decides that there's too much work involved in data segregation into different categories of value. Everything is given the same value and protected equally. This is completely understandable, because it's a tough job, it requires input from others who will not want to make a mistake, and a global solution takes care of the problem. It either becomes more expensive to implement, or there are compromises on the quality of the method of protection, because most of the administrative data isn't very valuable. A total solution also creates its own set of problems. When all the information is afforded the same value, the monthly stationery reorder is as worthy of protection as a client's plans to acquire another local business. GDPR is the ideal time to examine all of the data that you hold, both physically and electronically.

Know and understand the risks

Keep aware of current risks.
Be particularly vigilant if any of your clients are the victims of data breaches and/or cybercrime. Learn from the experiments and experiences of others. Carry out a formal assessment of your information security requirements on a regular basis.

Audit

Carry out a full audit on all of your assets, particularly with regard to management, storage and access, that are potentially at risk, including critical financial information, IT services you rely on (particularly relating to financial matters), and IT equipment, including all mobile and personal IT devices, and their management, storage and access. Ensure that you have a clear policy on data security, which is implemented and regularly reviewed. Topics to be particularly aware of include using the business internet for personal matters, social media, and employees bringing their own devices into the business. Let's look at some of the practical steps which you should be taking, and why.

In the cloud

It's little wonder that so many businesses opt for a cloud-based solution to their data management, where client data is encrypted and the systems are ISO 27001 compliant. Not that any cloud service provider will guarantee that locally stored data, even though encrypted, will be as safe as it is on their servers. Without control of the human element, any guarantees against a security problem have to be put aside, because it's the human element that is most likely to be at the core of a data breach.

Encryption

This is an essential element of data protection and can be implemented at local server level and for individual machines. While encryption alone won't protect your data from being stolen, it will make it much more difficult to read and to use.
On the flip side, it's essential to ensure that encrypted data is regularly backed up, at least daily, but preferably by means of synchronous disk mirroring, to enable continuity of business in the event of a drive failure.

Users and passwords

You probably have internal ID and password mechanisms that enable partners to see details of matters that are shielded from junior fee earners, who in turn are able to access information denied to their administrative support team. Juniors probably will be able to see who takes sugar and what type of cake they prefer. To the outside world, things are different. Anyone investigating your system will conclude that either all of your data is valuable and worth having a run at, or you don't really know how to protect that which is really worth protecting, so there may be weaknesses to be exploited.

Specialist considerations

Legal practices are different from most businesses. Most practices rely on specialist software providers to facilitate data management, and the move to cloud service provision has been a tidal surge as internet speeds have increased. While cloud-based services have layers of protection, there remains the question of compliance with the SRA Code of Conduct rule 7.10, which requires the ability to provide physical access to any location where client data is stored. It's incumbent on the buyer to ensure that the service provider can guarantee compliance with the SRA rules as they apply to data and access to it. It's not the responsibility of the provider to answer questions a potential client hasn't asked.

Software as a service providers

Matter management, case management and CRM systems are complex software packages that offer not only the functionality needed for managing tasks and workflow, but also the ability to have data stored in an encrypted form.
It's worth noting that the encryption process takes place when the data arrives at the host servers, so anything you store locally and outside of the system will be unencrypted unless you apply encryption directly to it. Providers also maintain firewalls and other protective measures to ensure that information is stored and processed as safely as it needs to be. One of the selling points for cloud computing is the ability to quickly return to operations after a local power outage, or in the event of a telephone exchange failure, by relocating and operating from elsewhere until repairs have been completed. The actuality is that you can work from anywhere with confidence, confidence in the system, but that mobility and confidence could bring new problems. For example, being able to dictate a letter anywhere brings a recognisable productivity advantage, but being able to doesn't always mean that you should. In times where everyone carries a video camera, woe betide the lawyer who is recorded dictating a client letter. All mistakes eventually end up on YouTube.

Practical local implementation

Ensure that your firewall is up to the job facing it. If your office has expanded, there will be an increase in network traffic, and the firewall has to check everything as data moves through your system. Have robust anti-virus and anti-malware packages properly installed and configured, and set to update automatically. Anti-virus software will detect and block some malware, but it makes sense to use something designed specifically for one job. Spyware is the generic name given to programs that can be embedded into downloaded files or programs and which monitor computer activity, usually with malicious intent. Spyware may be able to identify and record passwords, banking activities and internet browsing habits, and this information is transmitted to remote recipients. Consider anti-spyware software,
remembering also that there may also be spyware being carried around in mobile devices without the owner's knowledge. With that in mind, introduce a policy for managing what users are permitted to do with any mobile or portable devices your business has provided.

Compartmentalisation

Compartmentalise information so that people have access to only that which they need to do their jobs.

Passwords

Managing passwords is a simple administrative function, and passwords should be issued to users, not chosen by individuals. In this way, you can ensure the strength of passwords and also that you have full control of them. Ensure that passwords are not shared, or stuck to desk drawers with tape, or department-wide passwords. Shared passwords make it impossible to identify who did what with your system. Introduce a programme of password change, and be prepared to make additional changes in the event of a suspected breach of password confidentiality. It's also wise to block users from being able to alter their own passwords at local machine level. That will at least prevent an exiting employee from disconnecting a desktop machine from the network and changing the password, an inconvenience, but one to be avoided.

System updates

Updates to operating systems and software are commonplace, and you probably have your system configured to automatically update so that you can forget about having to do it manually. Updates will usually be set to take place at night. Remember to switch off automatic updates if your software provider notifies you of an impending change to your system. Murphy's law says that the two updates will sometimes coincide, which could cause significant problems.

When disposing of hardware containing data storage devices, bear in mind that it's not sufficient to delete files and folders. Deletion by this method means that only the first character of each file or folder is changed, to make them invisible to the operating system
and, therefore, to any software application. Examination of the hard drive's contents outside of the operating system will permit data recovery with a little intelligent guesswork and deduction. True deletion requires the use of an electronic data shredder, which deletes and overwrites disk contents many times. It's also worth noting that solid state drives (SSDs), often found in laptops, usually have greater storage capacity than their specifications will indicate. There are additional chips which enable an SSD to spread the load of data running through each chip, so that the drive has more durability and all of the chips degrade at roughly the same rate, rather in the manner of a farmer allowing a field to lie fallow for a year before replanting. While redundant data will not be visible through the device, removal and interrogation of individual chips on a recovered SSD could yield a quantity of useful data. SSDs should be removed and smashed before disposal of the device. This may be the only time anyone will tell you that a hammer could be used as a data protection measure.

Email protocols

Key encryption

Some clients will be extremely sensitive about data security and may wish to have information transmitted only using public/private key protection. In case this is something you haven't encountered, it's a secure information transfer technique whereby information is encrypted and transmitted using a key for all, but only the intended recipient has the ability to decrypt the package, using a key that only they possess.

Address similarities

Because of the limitations of free email services such as Gmail, MSN's Live and Tutanota, similarly named users will sometimes have very similar email addresses. It's essential that names are meticulously checked and properly matched to the correct address, when a simple mistake could create a potential catastrophe for reputation and for client retention.

Blind carbon copy or carbon copy
The terminology seems ancient, but the difference between BCC and CC addressing could cause friction or, at the very least, embarrassment if the sender chooses the wrong option.

Group addressing

Before sending a group email, check that everyone in the group needs to see what you're sending. Always bear in mind that if someone doesn't need to see information, they shouldn't.

Your business culture

Data protection needs to become a part of your business culture. That means awareness, training and involving every member of staff, and any outsourced contract staff, to ensure that they understand what data protection is, its importance and the ramifications of breaches, and that they are trained so that these practical steps are taken as a matter of course. You may decide that you need expert advice. The SRA also recommends the government-endorsed Cyber Essentials, which provides helpful advice and downloadable guidance. The link is on screen and in your notes.

That completes this session. Thank you for joining me, Robert Edwards, on this session from Data Law.
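Editor's added example (not part of Mr Edwards' session) for the "Key encryption" passage above. The session describes public/private key protection in outline only; in practice, tools such as PGP and S/MIME do it the way shown here, which is my choice of algorithms rather than anything the session names: a fresh random AES-256-GCM key encrypts the message body, and only that key is wrapped with the recipient's RSA public key (RSA-OAEP). The two keypairs, the letter text and the names Seal, Open and Envelope are all constructed for this demonstration. The example uses only the Go standard library. It also shows the two failure modes a practitioner should expect: a different private key cannot unwrap the message, and any alteration in transit is detected rather than producing garbled text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels over email: a one-time AES key wrapped to the
// recipient's public key, plus the nonce and the authenticated ciphertext.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, AES key)
	Nonce      []byte // 96-bit GCM nonce, fresh for every message
	Ciphertext []byte // AES-256-GCM output, including the 16-byte tag
}

// Seal encrypts plaintext for the holder of the private key matching pub.
// RSA only wraps a random 256-bit message key; the body is encrypted with
// AES-GCM, so the message size is not limited by the RSA key size.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open recovers the plaintext with the recipient's private key. A wrong key,
// or any modification of the envelope, yields an error, never garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap message key: not the intended recipient or envelope corrupted")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message failed integrity check: envelope was altered in transit")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: the client holds a keypair and has given the firm the
	// public half; "stranger" stands for anyone else who obtains the email.
	client, _ := rsa.GenerateKey(rand.Reader, 2048)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)

	letter := []byte("Completion funds arrive Friday; do not release keys before then.")
	env, err := Seal(&client.PublicKey, letter)
	if err != nil {
		panic(err)
	}
	if got, err := Open(client, env); err == nil {
		fmt.Printf("client reads: %q\n", got)
	}
	if _, err := Open(stranger, env); err != nil {
		fmt.Println("stranger sees only:", err)
	}
}
```

The point for a practice is in the last two calls: the public key can be handed to anyone, because possessing it gives no ability to read the envelope, and the private key never leaves the client. What this does not do is prove who sent the message; that needs a signature with the sender's own private key, which is a separate step.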
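Editor's added example (not part of Mr Edwards' session) for the passage on disposing of hardware, which contrasts an ordinary delete with an "electronic data shredder" that overwrites disk contents many times. This is a minimal shredder of that kind in Go, standard library only; the function names Overwrite and Shred, the pass count and the sample case-file text are my constructions. The caveat the session itself raises applies: in-place overwriting is only meaningful on a conventional magnetic disk, because an SSD's wear-levelling and spare chips, and copy-on-write or journaling filesystems, can leave earlier copies of the data in blocks this code never touches, which is why the session recommends physically destroying SSDs.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"os"
)

// Overwrite replaces every byte of the file behind f with random data,
// passes times, forcing each pass to disk before starting the next. The
// file keeps its length, so the original contents are gone from the file's
// own blocks; only the directory entry remains to be removed.
func Overwrite(f *os.File, passes int) error {
	info, err := f.Stat()
	if err != nil {
		return err
	}
	buf := make([]byte, 64*1024)
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return err
		}
		for remaining := info.Size(); remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			if _, err := io.ReadFull(rand.Reader, buf[:n]); err != nil {
				return err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return err
			}
			remaining -= n
		}
		// Push this pass out of the page cache so the next pass does not
		// simply replace it in memory.
		if err := f.Sync(); err != nil {
			return err
		}
	}
	return nil
}

// Shred overwrites the file at path and then unlinks it. A plain delete
// would skip the overwrite and discard only the directory entry, leaving
// the data blocks intact for anyone reading the disk outside the OS.
func Shred(path string, passes int) error {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	if err := Overwrite(f, passes); err != nil {
		f.Close()
		return err
	}
	if err := f.Close(); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	// Constructed demo file; the text stands in for an old case file.
	f, err := os.CreateTemp("", "casefile-*.txt")
	if err != nil {
		panic(err)
	}
	path := f.Name()
	f.WriteString("Client: A. Example. Instructions: acquire the shop next door.")
	f.Close()

	if err := Shred(path, 3); err != nil {
		panic(err)
	}
	if _, err := os.Stat(path); os.IsNotExist(err) {
		fmt.Println("file overwritten three times and removed:", path)
	}
}
```

Overwrite and Shred are separate so that the overwrite can be verified before the file disappears: read the file back after Overwrite and the original text is no longer there, while the length is unchanged.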