You can not secure your data once and think you're done — the rules of information security change on
darn near a daily basis — certainly someone in the firm needs to keep up with changes on a regular basis or the firm needs to engage an security consultant to do periodic reviews — the standard advice is that security assessments need to be done twice a year.