Firms should consider and document the risks to all types of data they hold. This should be reviewed regularly – for most businesses, at least annually.
Data breaches can happen in many ways, including:
Many data breaches are caused by employees. Make sure your staff are trained to keep data secure by focusing on topics such as:
Keep a record of how you process and store information. Consider how you keep records of communications on all platforms that your organisation uses, such as email, social media, etc.
If you use suppliers to process information, conduct appropriate due diligence to ensure they handle information with care and keep it secure. Contracts with suppliers should include assurances that they will conform to all relevant national data-protection legislation and have appropriate controls in place to keep data safe. For UK and EU firms there are also mandated contractual clauses that must be added into supplier contracts. The UK Information Commissioner’s Office publication ‘Contracts and liabilities between controllers and processors’ provides guidance on these contractual terms.
If you (and/or any of your suppliers) use cloud storage, the following is important.
Someone within the firm should be responsible for overseeing data-handling enquiries and controls. Staff should know who this person is, and they should be encouraged to seek advice from them on matters relating to the processing of personal and confidential information.
All staff should also be given regular training on your processes for data handling and the relevant legislation in your jurisdiction.
Document the processes and rights for individuals to:
In many jurisdictions, these are legal rights, and there may be set time limits to respond to requests. It is important to train staff on how to recognise and handle these requests.
You should also have processes in place to identify, rectify, report and keep records of data breaches. These should be clear about:
The individual in your firm who is responsible for information-handling should oversee these decisions.
It is important that you handle breaches in a way that does not discourage staff from reporting them. Try to avoid individual blame. The aim of the process should be to:
Only keep data for as long as it is necessary to do so. Firms usually have a retention policy that sets out how long different types of data should be kept for. This is linked to the purpose for processing data and varies for different types of data.
Firms may need information to respond to claims made against them, so retention policies may be based on this. To do this, you need to know if there are any time limits on starting legal claims in your jurisdiction. This can be a complex question. For example, in England and Wales the limitation period may be:
More details are given in the current edition of the RICS guidance note ‘Risk, liability and insurance’. Members and firms may need to take advice on the jurisdictions they work in.
Firms may also be asked to transfer their file to a new firm that the client has instructed, or directly to the client. But not all documents on a working file necessarily belong to the client; what does depends on:
In England and Wales, there is some law about what documents on a solicitor’s file belong to a client. Broadly, documents that were provided by your client or that your client has paid for belong to them, but your internal notes, emails and copy correspondence may not. However, remember that the client may also have a right to access the personal data you hold about them in those documents. If you are unsure about what should be provided, you may need to take legal advice.
Firms globally are being targeted by frequent cyber-attacks. Advice on this can change frequently. Government agencies provide advice about the steps that businesses can take to keep safe, such as:
‘Cyber security’ includes the technology, policies and procedures that you have in place to protect data against cyber-crimes such as hacking or ransom attacks.
Consider appropriate strategies such as:
Regularly review user privileges and, where practical, keep logs/audit trails of access to systems that hold data. Protect against data loss with regular backups to appropriate offsite storage.
With the increase in hybrid working, with many employees now working from home either partly or wholly, consider the use of additional tools such as virtual private networks (VPNs), and define policies and rules about the use of devices, including printers, in a home office setting.
Where appropriate and practical, consider and enforce the separation of functions that represent high levels of data risk (e.g. payments). Authenticate the initial setup and updating of payment details through a second method of communication to prevent fraud and cyber-attacks. For example, if you are sent bank account details by email, have a process that requires a phone call to a known telephone number for that client to authenticate the details in the email. RICS has seen examples where internal email systems have been compromised so that an email that appeared to be from a colleague providing a change of bank account details was actually from a fraudster. A process that always required a double check with the client may have prevented the loss of funds that resulted.
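The hold-and-verify control described above, written out as an added illustration (this is not RICS code or a recommended product): a change to bank details is parked as pending and only applied once it is confirmed over a different channel, using the telephone number already held on the client record rather than any number quoted in the request itself. The record fields and sample values are constructed for the example.

```python
"""Hold-and-verify control for changes to client payment details.

Two properties enforced: the confirmation must come over a channel
different from the one the request arrived on (replying to the same
email is not independent), and the contact used to confirm must be the
one already on file, not one supplied with the request.
"""
from dataclasses import dataclass, field


@dataclass
class ClientRecord:
    name: str
    phone_on_file: str                  # known number from the existing record
    bank_details: str
    pending: dict = field(default_factory=dict)


def request_change(record: ClientRecord, new_details: str, channel: str) -> str:
    """Record a requested change without applying it."""
    record.pending = {"details": new_details, "channel": channel}
    return "pending"


def confirm_change(record: ClientRecord, channel: str, number_called: str) -> str:
    """Apply the pending change only if it was confirmed out-of-band."""
    if not record.pending:
        raise ValueError("no pending change to confirm")
    if channel == record.pending["channel"]:
        return "rejected: confirmation must use a different channel"
    if number_called != record.phone_on_file:
        return "rejected: confirmation must use contact details already on file"
    record.bank_details = record.pending["details"]
    record.pending = {}
    return "applied"


if __name__ == "__main__":
    # Constructed sample: an emailed request to change bank details.
    client = ClientRecord("Example Client", "+44 20 0000 0000", "old-account")
    print(request_change(client, "new-account", "email"))
    print(confirm_change(client, "email", "+44 20 0000 0000"))   # same channel
    print(confirm_change(client, "phone", "+44 20 9999 9999"))   # number from the email
    print(confirm_change(client, "phone", "+44 20 0000 0000"))   # number on file
```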
Phishing emails are becoming increasingly sophisticated. They can look almost identical to a legitimate notice from a company/organisation.
Don’t forget that, if you have physical data in hard-copy files, this also needs to be kept secure in locked storage. Have processes for staff around the handling of physical data within office locations, when travelling, when working at external locations and in home-office settings.
Confidential data and information are usually protected by confidentiality clauses or non-disclosure agreements. These are fundamental to protecting a company's vital confidential and proprietary information, whether disclosed internally or while engaging with other business parties. These agreements are commonly referred to as:
NDAs are essential tools for managing the disclosure of sensitive business information both internally and to other parties. They set out:
The most effective agreements are those that are:
In addition to safeguarding its own confidential information, a firm is often contractually responsible for protecting information that another party discloses to it. As well as imposing protective restrictions and obligations on parties that receive its confidential information, a firm should also seek to minimise its administrative burden and potential liability for managing and protecting confidential information that it receives from others.