
Protecting Client Data From Your Own Employees

Sometimes the Greatest Threat Comes From Within

From , former About.com Guide

When law firms implement measures to protect client data, they usually focus on threats from the outside. They install security systems in the building, lock files in secure fireproof file cabinets, encrypt and password-protect data on their servers, and take other steps to protect client files. But what about threats from within?

A law firm in California discovered the hard way that the greatest threat to client data sometimes comes from the firm's own employees. Law firm employee Chev Chan was among several people indicted in an identity theft ring that allegedly stole the identities of 20 people, many of whom were clients of the law firm. The information was used to open fraudulent credit cards and bank accounts, resulting in the theft of approximately $170,000.

Similarly, the former manager of a law office in Raleigh, North Carolina, was sentenced to two years in prison for stealing the identities of two members of the law firm. She used their information to open credit cards online and made approximately $12,000 in unauthorized purchases.

How can a law office protect itself from its own employees? Here are a few suggestions:
  • Limit and Monitor File Access

    Does everyone in the office really need access to all client files? Consider implementing a file control system limiting who is able to put their hands on a client's file. A file clerk who controls and tracks who has your client's file will reduce the likelihood of someone misusing that client's private information, and make it easier to identify the guilty party if someone does. While this may be excessive in a solo practice or very small law firm where there are only a few employees, this is almost a necessity in a midsize or large law firm. If there could ever be any uncertainty as to who has accessed a client's file, you need a better file control system.

  • Limit Server Access

    As more and more client data moves onto servers, the importance of controlling and monitoring who accesses that data continues to grow. In addition to encrypting storage and password-protecting files, law firms should restrict access to each client's files to the people actually working on that matter, and keep a log of who opens, prints, or copies them. If your firm has no way of telling after the fact who viewed a client's data, it is time to upgrade your software.

  • Review Access Logs

    Keeping records of who accesses physical files and server data is useful for identifying who may have made unauthorized use of a client's information, but waiting until a client's identity has been stolen is not much of a preventive measure. Review the records of who is accessing client files regularly. If anything unusual shows up, such as an employee opening files for matters they are not working on, or opening an unusual number of different files in a short time, find out why. Additionally, employees who know their handling of files is being closely monitored are less likely to try something inappropriate.

  • Lie Detector Tests

    Before adopting this, check whether it is lawful where you practice: in the United States, the Employee Polygraph Protection Act of 1988 bars most private employers from requiring or requesting polygraph tests as a condition of employment, and permits them only in narrow circumstances, such as an ongoing investigation of a specific economic loss, with written notice to the employee. Where it is permitted, the approach is to inform all employees that a condition of their employment is that they submit to polygraph examination, and that failing or refusing the test may be grounds for termination. While lie detector tests are notoriously unreliable, they provide a deterrent to theft and a tool for obtaining confessions from guilty employees. Notify employees that if a client or employee of the firm becomes the victim of identity theft, employees will be required to take a polygraph exam, and that the consequences of failing may include firing and/or being reported to law enforcement.

  • Security of Closed Files

    Remember that it is not just current clients who are at risk of identity theft. Maintaining security over your current client files has little value if all of the old files are sitting in the storage room next to the office supplies. Closed files need to be secured as strongly as any current client file, including keeping track of who can access those files.

  • Background Checks

    Passing a background check does not necessarily mean a new employee is honest. Nonetheless, a starting point in any hiring decision should be whether this person has done anything in the past that could create a risk in the future. Many people with criminal backgrounds try to get jobs in law firms, and as custodian of private data it is your job to protect your client's files from them. This is not a situation for giving people second chances or for excusing past conduct. Think like a lawyer when hiring an employee. Consider how much higher your firm's liability will be if an employee steals a client's data and you either (a) hired a person with a record without running a criminal background check, or (b) knew the person has a criminal record and hired them anyway. Careless hiring procedures can subject a firm to increased liability in a lawsuit as well as get you in trouble with your state bar association.

  • Drug Tests

    Some lawyers are opposed to the current drug laws in this country, and would never think of imposing random drug tests on employees. Others find such testing to be an invasion of an employee's privacy. Those attorneys may change their minds on that issue if they have an employee who gets addicted to drugs and starts stealing from clients or from the firm's trust account. If a drug addict is working in your office, in most cases it is only a matter of time before that employee does something that creates a risk of harm to a client. Consider requiring periodic drug tests of employees to screen out problems before they happen.

    While this list does not cover every possible way to deter the theft of client data by your own employees, implementing some of these policies can be a great starting point for protecting your clients.
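The "Limit Server Access", "Review Access Logs", and "Security of Closed Files" items above amount to one concrete control: keep a roster of who is staffed on each matter and which matters are closed, and check the document system's access log against it. The following script is an added example, not code from the original article or from any particular document-management product. It assumes a hypothetical CSV export of the access log (timestamp, user, matter, action) and a hypothetical matter roster; both the log lines and the roster are constructed for the example. It flags three things: accesses by staff not assigned to the matter, any access to a closed file, and one user opening many different matters in a few minutes (the harvesting pattern one would expect from someone collecting identities).

```python
"""Flag suspicious client-file access in a document-management audit log.

Added example. The log format and the matter roster are assumptions; a
real DMS export will need its own parser, but the checks are the same.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit log (hypothetical format): timestamp,user,matter,action
SAMPLE_LOG = """\
2012-03-05T09:02:11,jsmith,M-1041,open
2012-03-05T09:04:38,jsmith,M-1041,print
2012-03-05T09:10:02,rlee,M-2210,open
2012-03-05T09:11:45,rlee,M-1041,open
2012-03-05T09:12:03,rlee,M-3302,open
2012-03-05T09:12:30,rlee,M-3355,open
2012-03-05T09:12:58,rlee,M-3390,open
2012-03-05T13:40:20,mgarcia,M-0917,open
"""

# Constructed matter roster: who is staffed on each matter, and its status.
MATTERS = {
    "M-1041": {"staff": {"jsmith", "aparker"}, "status": "open"},
    "M-2210": {"staff": {"rlee"}, "status": "open"},
    "M-3302": {"staff": {"aparker"}, "status": "open"},
    "M-3355": {"staff": {"aparker"}, "status": "closed"},
    "M-3390": {"staff": {"mgarcia"}, "status": "open"},
    "M-0917": {"staff": {"mgarcia"}, "status": "closed"},
}


def parse_log(text):
    """Parse CSV audit lines into event dicts; skip blank or malformed rows."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 4:
            continue
        ts, user, matter, action = row
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "matter": matter, "action": action})
    return events


def unassigned_access(events, matters):
    """Accesses by people who are not on the matter's team (unknown matters too)."""
    hits = []
    for e in events:
        staff = matters.get(e["matter"], {}).get("staff", set())
        if e["user"] not in staff:
            hits.append((e["user"], e["matter"], e["action"]))
    return hits


def closed_file_access(events, matters):
    """Every access to a closed matter, assigned staff included: it needs a reason."""
    return [(e["user"], e["matter"]) for e in events
            if matters.get(e["matter"], {}).get("status") == "closed"]


def access_bursts(events, window=timedelta(minutes=5), min_matters=4):
    """Users who touch at least min_matters distinct matters inside one window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            # events are sorted, so everything inside the window follows `start`
            seen = {x["matter"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(seen) >= min_matters:
                flagged[user] = max(flagged.get(user, 0), len(seen))
    return flagged


def review(log_text, matters):
    """Run all three checks over a log export and return the findings."""
    events = parse_log(log_text)
    return {
        "unassigned": unassigned_access(events, matters),
        "closed": closed_file_access(events, matters),
        "bursts": access_bursts(events),
    }


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG, MATTERS).items():
        print(kind, hits)
```

On the constructed data, every unassigned access belongs to one user, who also opened five different matters in under three minutes and touched a closed file; that is the kind of pattern worth a conversation the same day rather than after a client reports fraud. The thresholds (five-minute window, four matters) are placeholders; set them from what normal work in your office looks like.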


©2012 About.com. All rights reserved.
