Best Practices – Policies and Procedures – Privacy and Information Security
Document a privacy and information security program to help ensure that the Law Office of David Carney maintains written protocols for the protection of data and Non-public Personal Information (NPI).
These policies and procedures are for all of Law Office of David Carney’s locations including all satellite offices. These procedures are to be followed by all employees and independent contractors where applicable.
The Company policies associated with the privacy and information security program are given to all employees, and each employee must acknowledge in writing that they have read and understand those policies. It is the responsibility of David J. Carney, Esq. to help ensure the office has received all employee acknowledgements.
The Company makes a yearly assessment of the standards and requirements associated with The Company's information security program, including those set out in this policy and procedure document. This assessment is conducted by David J. Carney, Esq.
a. Physical Security
Removable media devices, including but not limited to external hard drives, compact discs, magnetic tapes and USB/flash drives, are issued by the Law Office of David Carney with the approval of David J. Carney, Esq. The use of removable media devices is prohibited unless David J. Carney, Esq. has authorized such use. Removable media is kept in a secure area when not in use.
b. Network Security
At the direction of David J. Carney, Esq., the firm's designated Network Administrator grants appropriate access to the law office's various computer technology applications. The Company's file server(s) or main central processing unit is housed in Windham, NH at the Admininternet office. The Law Office of David Carney's computer network utilizes up-to-date anti-virus, anti-spyware and data encryption software applications. The Network Administrator is responsible for maintaining and updating that software.
Access to The Company's information technology computers and network is secured by individual and unique passwords. The Company utilizes a computer application that prompts employees to change passwords at regular 90-day intervals. All of the firm's computers, whether desktop or laptop, run a "screen timeout" application that automatically signs the user off when the system detects no activity for a period of two minutes.
c. Data Disposal
The Company has defined and communicated to employees the types of data/information that fall into the privileged and privacy category. All such data is disposed of securely when no longer needed. Paper records are disposed of by shredding; large, secure shredding bins provided by DS Data Shredder are also located in the office. When disposing of computers and portable storage devices, The Company uses a software application to erase/wipe the device before it leaves The Company's control.
d. Disaster Management Plan
The Company has a documented disaster management plan to help ensure adequate back-up, recovery and business continuation procedures. The plan also includes required procedures for notification and response to security incidents and breaches. The disaster management plan is reviewed on an annual basis by David J. Carney, Esq. and updated as appropriate.
e. Security Practices of Independent Service Providers
If independent service providers for the Law Office of David Carney receive NPI from the Law Office, the Law Office of David Carney shares this policy document with the service provider and/or conducts appropriate due diligence of the service provider's NPI security measures before transmitting any NPI data. Service providers are made aware that they must notify the Law Office of David Carney of any security breach involving NPI data that has been transmitted to them.
If a security breach occurs, proper notification is provided to affected consumers and to law enforcement in accordance with The Company's privacy and information security program and disaster management plan.