IT Security and Policy: Why All Lawyers Must Care About It
March 21, 2019 at 12:53 PM
Several years ago, my insurance broker suggested I get cybersecurity insurance for my firm. It seemed a cybersecurity insurance policy was unnecessary, not much different from having an undercoating for a new car. That was then. Now, the benefits of having a cybersecurity insurance policy are not reasonably in dispute. In addition to the security of the coverage itself, another (and more important) benefit of getting a cybersecurity insurance policy was the requirement that I have an IT security and breach policy that sets out how to prevent a security breach and what to do if one occurs. While getting a cybersecurity insurance policy may still remain an option for many, having an IT security policy describing detailed procedures to protect against a cybersecurity attack (and what to do when the system is breached) is a must.
Need for Cybersecurity Measures
As our lives become increasingly digitized, it becomes especially important to consider how to protect confidential information stored electronically from cybercriminal hacking. Law firms, with their access to large quantities of confidential client information, represent a prime target for security threats. Lawyers must recognize the need to protect their data against security threats, and to consider what steps to take in the unfortunate event that they do become the victim of a security breach, particularly in notifying their clients and preventing future breaches.
Cybersecurity Threats to Lawyers and Their Clients
There have been many well-known security breaches among some of the biggest names, including Yahoo, Equifax, Target, JP Morgan Chase and the Home Depot. Some breaches involved adult dating websites, implicating not just users' financial information but also highly personal, intimate information.
Businesses are not the only entities vulnerable to security breaches: law firms, with their access to a wealth of sensitive information from their clients, often find themselves the target of hackers. Security breaches in law firms appear to be on the rise—the American Bar Association, in its 2017 TechReport, revealed that 22 percent of respondents to its Legal Technology Survey Report had ever experienced a data breach, an increase of 8 percent from the year before. The figure was highest for firms with 10-49 attorneys, where 35 percent, more than one-third, had experienced a security breach, see David G. Ries, 2017 Security, TechReport 2017 (Dec. 1, 2017). Even more concerning, however, was that another report, from the Law Firm Cybersecurity Scorecard, showed that 40 percent of surveyed law firms had experienced a data breach in 2016 and did not even know it, see Dan Steiner, “Hackers are aggressively targeting law firms' data” (Aug. 3, 2017).
The prevalence of such security breaches involving law firms has been the source of national news. In 2016, 2.6 terabytes of information consisting of 11.5 million files, referred to as the Panama Papers, were leaked from the internal databases of the world's fourth biggest offshore law firm, Mossack Fonseca. In 2017, DLA Piper reported that it had been the target of a cyberattack via the NotPetya virus, which shut down communications at the firm for two days, see Daniel R. Stoller and Rebekah Mintzer, “Foley & Lardner Hit With Cybersecurity Incident (1)” (Oct. 26, 2018).
Security Breach Notification Law
In response to increasing cybersecurity attacks and devastating consequences, which involve many victims who do not even know that their confidential information has been stolen, new laws have been enacted addressing the notice requirement in the event of a cybersecurity breach. Specifically, security breach notification laws have been enacted in all 50 states, governing the people covered, the content being breached, the timing of the notification and the penalties for violating the notification statutes. Pennsylvania law, 73 P.S. Sections 2301, for instance, defines “breach of the security of the system” as “unauthorized access and acquisition of computerized data,” which stands to compromise the security or confidentiality of, or could cause loss or injury to, any resident of the commonwealth. The act requires that any entity that maintains, stores, or manages computerized data—whether they be state agencies, businesses, vendors, or individuals—notify the victims of a security breach “without unreasonable delay” after discovery of the breach, see Baker Hostetler, “State Data Breach Law Summary,” (July 2018).
Ethical Obligations
Lawyers have a greater duty than the one imposed by Pennsylvania's data breach notification law. On Oct. 17, 2018, the American Bar Association's Standing Committee on Ethics and Professional Responsibility released a formal opinion outlining the obligations of lawyers toward their clients in the event of a data breach, see Formal Opinion 483, ABA Standing Committee on Ethics and Professional Responsibility. The opinion builds on the Model Rules of Professional Conduct to more specifically delineate the steps lawyers should take and what constitutes an ethical violation as far as their clients' privacy is concerned. The applicable Model Rules include 1.1 (competence), 1.4 (communications), 1.6 (confidentiality of information), 1.15 (safekeeping property), 5.1 (responsibilities of a partner or supervisory lawyer), and 5.3 (responsibilities regarding nonlawyer assistants).
First, lawyers are obligated to “employ reasonable efforts” to monitor for a data breach; without such a requirement, “a lawyer's recognition of any data breach could be relegated to happenstance.” Not every breach is an ethical violation on the lawyers' part, however, as cyber criminals may successfully hide their activities even with reasonable preparation from the lawyers, see David Hricik, “ABA Issues Opinion on Lawyers' Obligations after Electronic Data Breach,” (Oct. 17, 2018).
The exact nature of a breach varies—it could be the theft of confidential client information, ransomware that blocks access to the information until a ransom is paid, or an attack on the lawyers' systems that “incapacitates the attorney's ability to use that infrastructure to perform legal services.” Once a lawyer has become aware of a data breach, they are then obligated to stop it and mitigate the damage. The opinion provides three examples of this—restoring the technology systems, implementing new technology systems, or the use of no technology at all, if applicable. The lawyer must also determine what files were accessed or lost.
As for notifying the client whose data was breached, the opinion builds on Model Rule 1.4, which states that lawyers must keep clients “reasonably informed about the status of the matter,” to also provide that they are obligated to communicate with current clients about a data breach. The same obligation is not present where former clients are concerned, however, as the committee was “unwilling to require notice to a former client as a matter of legal ethics.” Instead, attorneys were encouraged to work out with their clients an agreement as to how to handle their information before the conclusion of their working relationship, in accordance with security breach notification laws as applicable.
Finally, the opinion provides that, should notification be necessary, the lawyer must give the client sufficient information to make an informed decision on how to proceed. Under Rule 1.4, the minimum disclosure is that unauthorized access or disclosure has occurred or is reasonably suspected of having occurred, but as a matter of best practice, a lawyer should also inform the client of the extent to which their information was affected, if known, and of the lawyer's plan to respond, whether that be data recovery or increasing future data security.
With the continued danger of security breaches, the question remains of how law firms can reduce their risk. Providing training to law firm employees on data and cybersecurity, and familiarizing them with ransomware, phishing, and malware, is one way to reduce risk. Improving security through the use of spam filters, firewalls, and antivirus software, and monitoring network traffic, is another. Organizing data storage and systematizing information, e.g., consolidating digital information into a single system, can further help law firms reduce the threat of security breaches, see Jared Campos, “How Law Firms can Protect Highly Sensitive Data” (Feb. 19).
Conclusion
Law firms are host to a wide range of sensitive information, making it especially important to take steps to protect against security breaches. As the opinion notes, however, even with reasonable, or even extraordinary, efforts, a cybersecurity breach can still happen. That means lawyers must implement a reasonable IT security system to help prevent a cybersecurity breach. Lawyers must also implement a policy relating to how to deal with a cybersecurity breach, including notification to their clients. And, yes, lawyers should get cybersecurity insurance coverage.
Edward T. Kang is the managing member of Kang, Haggerty & Fetbroyt. He devotes the majority of his practice to business litigation and other litigation involving business entities.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.