Being Cyber-Secure AND Cyber-Compliant
In his Cross-Border Concerns column, Stephen Treglia analyzes the question: How is it possible that a computer system can be so well locked-down that no hacker can successfully gain access, and yet the entity in charge of protecting that data be considered out-of-compliance?
October 30, 2017 at 02:45 PM
There's a very familiar phrase in the cybersecurity world that is rapidly becoming of critical importance to lawyers as well. You can be cyber-compliant and not be cyber-secure. You can be cyber-secure and not be cyber-compliant.
The first half of that equation should be pretty self-evident to everyone. Anyone, including lawyers in the United States, can be fully compliant with every single type of regulation and law that attempts to protect personal or private data, and it can still leak out and be seen by unauthorized persons.
It's the second half of that equation that can surprise people. How is it possible that a computer system can be so well locked-down that no hacker can successfully gain access, and yet the entity in charge of protecting that data be considered out-of-compliance?
The answer is that compliance is not just about whether critical data is successfully protected, but how it is protected. If the protection is not carried out in the manner the cybersecurity laws and regulations prescribe, the entity required to follow those rules can face substantial penalties and fines even though not a single piece of protected data leaked through any fault of its own.
Why should lawyers care? Because the law is increasingly evolving to require holders of critical personal data who provide services to certain types of businesses to follow specific cybersecurity procedures or face those financial consequences.
This trend started in the United States in 2009, with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act by Congress. This Act was created to fill many of the enforcement gaps that had existed in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
One of the breakthrough concepts of the HITECH Act was the requirement that “Business Associates” (BAs) which provide certain types of services to the “Covered Entities” (CEs) governed by HIPAA must comply with the same cybersecurity rules mandated for CEs. This closed a route CEs had been using to minimize their exposure to HIPAA's requirements.
Prior to the HITECH Act, if a CE (in the HIPAA-regulated environment, think of doctors, dentists, hospitals, clinics, health insurance providers, etc.) outsourced functions to a third-party service provider, and the provider lost any of the CE's information about an identifiable patient's medical record (basically, any diagnosis, prognosis, treatment or payment for such), neither the CE nor the provider suffered any HIPAA consequences. The CE had not itself caused the loss of any protected data, and the third-party provider was, by statutory definition, not a CE and hence not covered by HIPAA.
Congress ended this version of three-card monte by extending HIPAA's requirements to a CE's downstream providers, defined as BAs under the HITECH Act. 45 CFR §164.502(a)(3). Significantly, the definition of BA was spelled out not by profession but by type of service, and “legal services” were specifically included. 45 CFR §160.103(1)(i)(B)(ii). Hence, not only lawyers but anyone who provides legal services to a HIPAA CE would appear to be a BA of that CE.
There is no more dramatic example of how dangerous this symbiotic relationship can become, with cybersecurity violations committed by a third-party service provider generating regulatory headaches for the provider's upstream client, than the story of Accretive Health, a Chicago-based hospital revenue cycle management company acting as a BA to its CE, North Memorial Health Care of Minnesota. (In January 2017, Accretive changed its name to R1 RCM, Inc.)
On July 25, 2011, an unencrypted laptop in the possession of an Accretive employee was stolen from a car the employee had rented. It was ultimately determined that the theft resulted in the loss of Protected Health Information (PHI) of 9,497 North Memorial patients. The lack of encryption is what turned a stolen laptop into a reportable breach: under HIPAA's breach notification rule, PHI that has been encrypted in accordance with HHS guidance is not “unsecured” PHI, and its loss does not trigger the notification duty. PHI of another health care provider that was also lost as a result of this laptop theft is not the subject of this article.
One of the several amendments created by the HITECH Act permits state attorneys general to bring HIPAA actions. The Minnesota Attorney General filed a civil complaint against Accretive in January 2012, alleging violations of HIPAA and other provisions of state and federal law. In July 2012, Accretive and the Attorney General settled the action for $2.5 million, with an agreement that Accretive not operate in Minnesota again for at least two years and as many as six, at the Attorney General's discretion.
In March 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR), the federal agency that oversees HIPAA/HITECH compliance, entered into a $1.55 million settlement with North Memorial over the Accretive incident. Healthitsecurity News, op. cit. OCR alleged no involvement by North Memorial in the loss of its patients' protected data. Instead, it found that the hospital had not entered into a valid written BA agreement spelling out Accretive's duties and responsibilities with respect to the hospital's PHI, and had not shown adequate oversight of Accretive's handling of its data. In particular, it had not completed the enterprise-wide risk analysis of threats to its electronic PHI, including PHI handled by Accretive, that HIPAA requires.
The Accretive/North Memorial story should be setting off major alarms at every law firm that handles a healthcare provider's PHI. As a BA to a CE, every such law firm is required to follow the same cybersecurity requirements for protecting PHI that apply to the firm's clients.
These requirements can be extremely daunting. They include, inter alia: written internal policies and procedures for handling protected data, including data protection and destruction; written agreements with clients and with the law firm's own subcontractors about the handling of PHI; incident response plans and assignment of duties when breaches occur; data mapping (to determine where protected data resides); encryption of sensitive data (or protection of equivalent strength); employee training; internal auditing of compliance; internal testing of employees and procedures to ensure compliance; yearly review of all processes; and keeping systems and software updated.
And although the health care industry paved the way for the concept of shared responsibility for protecting sensitive data, the categories of information that governments and regulators insist be protected by CEs and their downstream providers are only expanding, with no likelihood of abating any time soon. Granted, President Donald J. Trump has spoken at length about the need to roll back the tide of government regulation, but rules pertaining to cybersecurity do not yet appear to be on his radar screen.
While the president has strongly advocated for healthcare reform, he has so far directed his attention only toward the Affordable Care Act of 2010. The HITECH Act is, instead, part of the American Recovery and Reinvestment Act of 2009. Moreover, his newly appointed OCR Director has expressed an interest in aggressively pursuing HIPAA actions, as evidenced by the $2.5 million settlement reached this April with CardioNet, the first ever assessment against a wireless health services provider.
Even should President Trump demonstrate a willingness to pull back on HIPAA/HITECH laws and regulations, other cybersecurity provisions of equal or greater strength are beyond his control. New York recently enacted what are considered to be among the harshest data protection requirements to date for any financial institution that comes within the purview of New York's Banking Law, Insurance Law or Financial Services Law. Because New York is home to many of the world's financial institutions, these new regulations, whose first compliance deadline fell just before Labor Day, should have a broad effect throughout the worldwide community.
Entitled “Cybersecurity Requirements for Financial Services Companies,” 23 NYCRR 500 empowers the New York Department of Financial Services (DFS) to impose virtually all the cybersecurity requirements found in the HIPAA/HITECH arena, along with a few additional onerous duties. For example, every regulated financial services company (likewise called a “Covered Entity”) must designate a Chief Information Security Officer who reports in writing to the entity's Board of Directors, and the entity must certify to DFS every year that it is in compliance with the regulation. Furthermore, each CE must extend its security requirements to its “Third-Party Service Providers” through written policies, due diligence and contractual obligations. While the DFS regulation does not specifically mention legal services in that definition, the clause is so broadly worded that law firms with financial services clients must consider themselves covered by these regulations as well.
Lastly, the European Union's General Data Protection Regulation (GDPR) takes effect in May 2018. Unlike data regulations in the United States, the GDPR will apply to all personal data in any company's possession, regardless of the entity's function or business. And unlike the current regulatory structure, which reaches only businesses with a physical presence in an EU member state, the GDPR will apply to any entity outside the EU that offers goods or services to, or monitors the behavior of, individuals in the EU. This will easily extend those protections to American law firms with EU clients.
This continuing trend toward greater protection of personal data can mean only one thing for the legal profession. The only available recourse is to begin instituting recognized cybersecurity practices as soon as possible, whether accomplished in-house or outsourced. There is no reasonable basis to believe this evolution will reverse itself any time in the future.
Stephen Treglia is the former head of the cyber crime unit at the Nassau County district attorney's office and currently consults with data protection companies and law firms.