Corridan Law, LLC Written Information Security Policy (W.I.S.P.)
May 17, 2014
Corridan Law, LLC is a general practice law firm providing legal services to clients in a broad range of practice areas. The firm is located at the Village Shoppes at Cobbs Corner in Canton, Massachusetts where it shares office space with three other unaffiliated lawyers in a suite of offices located within a retail mall.
As a law firm, we acquire and retain many types of personal information in connection with the representation of our clients, which may include financial information, criminal histories, social security numbers, or other personal identifying data. We are also required by law to retain various tax records, bank account information, health records and health information, as well as other sensitive information.
The purpose of this Written Information Security Policy, or WISP, is to establish internal practices to administratively, technologically, and physically ensure the protection and confidentiality of all client personal information. The objective of this policy is to protect against threats to client personal information that can be reasonably anticipated and from any hazards to the security and integrity of such information. This policy is also aimed at preventing any unauthorized access to client personal information or use of such information in a manner that creates a substantial risk of identity theft or other fraud.
As part of our risk assessment, we have reviewed the types of records we hold and the degree of their sensitivity. Corridan Law, LLC has assessed the types of client personal information and records that it currently maintains or will retain in the future, has assessed the reasonably foreseeable risks or threats to that data, and has developed this WISP in order to minimize those risks on behalf of our clients, consistent with the requirements of 201 CMR 17.00. We regularly check the effectiveness of these policies and make improvements as needed.
Information Security Manager
Corridan Law, LLC, through its powers identified in its operating agreement, has designated its managing member, Kevin Corridan, as its Information Security Manager, who is responsible for the following duties:
a) Implementing this WISP and updating its provisions to meet the needs of our individual clients and the regulatory requirements of our institutional clients;
b) Ensuring that administrative staff, employees, associates, and vendors of Corridan Law, LLC receive copies of this policy and agree to comply and otherwise acknowledge its provisions and are appropriately trained in its implementation;
c) Reviewing the scope of the provisions of this policy to ensure that it evolves to meet any change in the business practices of Corridan Law, LLC that may require adaptation in order to ensure the ongoing protection of sensitive client personal information.
Protection and Disposal of Paper Records Containing Personal Information
Corridan Law, LLC maintains all of its hard copy paper client files and records in locked file cabinets within the office space dedicated to and secured solely by the firm. As part of our form engagement letter and fee agreement, clients agree to allow us to dispose of hard copy and paper files after a period of seven years or another period of time appropriate for the type of matter for which the client engaged our services. Some files, depending on volume and the type of matter, may be stored off site for a longer duration at a location secured according to the provisions of this policy. The Information Security Manager maintains a proper chain of custody and implements appropriate transportation methods when relocating any client files from the office to any off-site storage facility. Any hard copy paper files that are disposed of after seven years or any other approved period are destroyed using an office grade shredder on site or by an approved third party vendor that has agreed to this policy.
Protection of Electronic Records, Email, and Internal Computer Networks
Corridan Law, LLC maintains updated firewall protection and antivirus software on its networks and website. All client electronic files are stored on our strongly password-protected system and backed up regularly. We do not email sensitive personal client information unless it is encrypted, and only if it is absolutely necessary. No employee or agent of the firm is able to remove any client file without the express permission and knowledge of the Information Security Manager, which is only granted in rare circumstances.
Corridan Law, LLC adheres to a “Clean Desk” policy in its daily operation. No files or personal client information are left out in the open or are accessible by non-employees or unauthorized agents and vendors of the firm. This includes any physical access to files or the electronic network. All files are maintained in locked file cabinets and are kept out of the view of unauthorized personnel, and all of the firm’s computers are strongly password protected. No employee or authorized vendor leaves files or personal client information unattended, and all such files are secured at the end of each day. Should any employee or authorized third party vendor become aware of a potential unauthorized breach of this policy, they are required as a matter of course to inform the Information Security Manager, who will subsequently notify the affected clients and the Massachusetts Office of Consumer Affairs and Regulation as well as the Massachusetts Attorney General’s Office.
Employee and Vendor Compliance
All staff and employees of Corridan Law, LLC are required to adhere to this policy. We require current employees to be trained in, and familiar with, managing personal client information appropriately. Former employees and vendors are immediately denied access to sensitive data and the firm’s network upon termination of the respective relationship. The Information Security Manager regularly tests the integrity of this policy and its implementation.