Clients need to know their lawyers will properly safeguard confidential information and have procedures in place to assure continuity of service in the event of a cyber incident or other disruption. Our information security program meets the highest industry standards and continually evolves to address new threats and technologies.

Ballard Spahr places a priority on information governance and security. Our Director of Information Security—in a role that is independent of network operations management—has executive-level authority to implement policies, protocols, and technologies to ensure that client data are safe and secure. On an ongoing basis, the Director of Information Security conducts an independent evaluation of all technology applications, initiatives, and processes from a security perspective. This system of checks and balances allows us to deliver technology solutions without compromising security.

Our technology professionals regularly interact with clients—through information security compliance audits and questionnaires, requests for proposal, and other consultations—to gain an in-depth understanding of their security concerns and requirements and decide how best to address them.

Our information security team regularly consults with the attorneys in the firm’s Privacy and Data Security practice—national leaders in providing strategic guidance to companies on cybersecurity issues, including regulatory compliance. Together, our technology and legal professionals work with clients to assess needs and objectives and deliver 360-degree security solutions covering technical, legal, regulatory, and client-service issues.

The firm adheres to stringent standards of conduct when transmitting and hosting sensitive client information. We use best-in-breed hardware and software applications to keep data secure. Data Loss Prevention systems and policies are continually upgraded and strengthened to stay ahead of ever-evolving threats.

The Ballard Spahr Information Security Management System has been assessed by the Professional Evaluation and Certification Board (PECB) and is certified under ISO 27001, the premier global security standard. ISO27001 includes a framework of processes and control specifications designed to protect the confidentiality, integrity, and availability of client and firm information assets. The firm is continually assessed by PECB to ensure that our information security system conforms to the board’s strict requirements.

Secure Communications and Data Transfer

We use encryption solutions for secure email and file transfer to reinforce the integrity of our electronic client communications and information exchange. This includes policies and technology for encryption of removable media to safeguard data on CDs, DVDs, USB drives, and laptop hard drives. Our mobile device management solution ensures password protection, encryption, and remote-wipe capabilities in the event that a device is lost or stolen.

Network and Data Access Controls

Because most data security incidents begin with action by an individual, the firm requires all personnel to complete comprehensive data security training. Training programs include a feedback module to ensure user participation and understanding of topics covered.

Best-of-breed document management technology protects our data and documents and enables us to maintain ethical walls as needed to restrict and control access to confidential client data. We require dual-factor authentication for remote access to our network and desktop applications.

For added security, we use the latest firewall technology that includes network intrusion prevention at all internet access points. All web browsing is routed through a filter to protect against malware, and all inbound email is channeled through three levels of virus scanning—including "sandboxing" technology to pre-screen attachments and quarantine and remove any harmful content before it can affect our systems and data.

Business Continuity

All of our critical systems are housed in two secure off-site data centers—one located in Denver, and the other in Philadelphia. Multiple layers of backup and redundancy, including 99% virtual server resources, assure continuity of service in the event of a cyber incident, natural disaster, or other disruption. Our technology team maintains prioritized recovery protocols to ensure that systems most critical to our operations are restored as quickly as possible in order to mitigate the risk of disruption in client service.