Lea Remigio

I am certainly no expert on data security. I read alarming articles about what a dangerous place the web can be for confidential client data. I admit that I find all of it overwhelming and a little bewildering. Everything seems to change so quickly. It’s challenging to stay on top of all the new threats.

Now that I’ve inspired you with confidence in my subject matter expertise, allow me to continue and give you my thoughts on data security policies for web-based information systems.

Web-based systems are both awesome and a little scary. When a user enters information into a form/page and clicks the Save button, the information is blasted out into the ether  to its database destination. This is awesome because if you have your user credentials, you can log in to the system and recall this information from any device with an internet connection. For all of the systems I’ve used, encryption occurs during submission which is keeping your data safe in transfer and in storage. Insert here a lot of trust (or ignorance) and what seems like magic and voilà! We’re using a web-based information system and loving it.

But people get complacent when it comes to data security and privacy of information. We all get a little bit lazy and take things for granted. The truth is that the highest risk of breach comes from human error and misplacement of information. While there is certainly a risk involved in transmitting data over the Information Superhighway (which I understand is a series of tubes), the probability that a transmittal or database compromise type of breach will occur is very slim, assuming you’re using a well-developed system that employs SSL encryption. Humans, however, are not computers. We get busy and preoccupied. We get stuck in routines and bad habits. This is why every time I train a group of end users, I start the session with Privacy Best Practices. Every time, even though they may hate me for it…or at least yawn openly at me.

Write a Data Privacy Policy and Procedures guide for staff and use it as a presentation resource. If you are in the process of implementing a new web-based information system, it’s an especially good time to revisit and revise your existing Data Policies guide. Consider asking each staff member to sign an agreement to abide by the policies provided. This was a standard practice in the HMIS programs I worked with, but far less common in legal services communities. I suspect the reason for its absence among legal services providers is the assumption that the users are primarily well-educated and professional attorneys. While it is worthwhile to acknowledge this and tailor your policies and presentations accordingly, attorneys are humans, too.

The Data Policy and Procedures guide should be written to cover your file server, email systems, desktop computers, laptops and mobile devices, and any specific requirements for the web-based systems  you use. When it comes to your web-based information systems, be as specific as possible. The policies and procedures may be slightly different for each system.

Some seriously simple things that we included in our Florida statewide case management system Best Practices Guide are:

1. Make a policy against logging in to the system from a shared or public computer. (The LegalServer case management system platform used in Florida contains tools that will restrict IP addresses, which can also prevent your users from logging in outside of the office walls or unauthorized locations.)
2. Never allow your browser to remember your password for you, especially if you are using a laptop, which have been known to grow legs and walk off when you aren’t looking.
3. Never write your password on a sticky note and stick it to your desk or computer monitor. If you absolutely must write your password down, keep it in a locked desk drawer.
4. Site administrators should never distribute user log-in credentials via email. Consider emailing the user name and sending the password by text message.
5. Don’t use the same password as you do for other online accounts.
6. Never share your log-in credentials with other staff members. Seek out an information system that prevents concurrent user logins.
7. Reset your password periodically. Many systems provide tools that allow the site admins to force this for all users on a predetermined basis, such as every 6 months.
8. Practice strong password creation. The software application itself should really enforce this, but it’s worth mentioning and including in your policies document.
9. When a staff member leaves employment or you sever a contractual relationship with someone who has access to your systems, the site admin must disable their login credentials immediately. 
10. Set up an idle time screen lock on desktop and laptop computers which requires a user name and password to view the desktop.
11. Treat exported reports or other aggregate data files printed from the information system with care.  After printing or exporting information, your client data is no longer secured behind the user credentials safeguard. Consider password protection for Excel or Word docs.
12. Use screenshots with caution. While screenshots are helpful training tools and helpdesk request material, do not take screenshots of specific client data that could be used for identity theft (such as Name, DOB and SSN). Especially do not attach such screenshots to emails. Instead of capturing a screenshot that contains confidential client data, copy and paste the URL/page address for sharing.

For my own password management, I use LastPass. Here’s an article I like about the importance of using a password manager.