Law firms are a hot target for cyber-attacks due to the nature of data in their possession. It is estimated that about 80 percent of the largest 100 law firms have had some sort of data breach. Breaches can happen to firms of any size and can take countless forms, from phishing to cloud compromise. The stakes are high and frequently require technical protocols that can seem overwhelming to many lawyers. Beyond the jargon, here are some of the things that lawyers need to understand to help mitigate any risk of an attack:
- Lawyers’ Ethical Duties Are Triggered When Breach Occurs
Lawyers have a duty to protect the confidentiality of their clients’ information regardless of where or how it is stored. Any type of breach that would compromise confidential client information may become the basis for a disciplinary action under the Rule 1.6 of the Model Rules of Professional Responsibility. Lawyers must take a reasonable standard of care when selecting or utilizing technology vendors, such as cloud providers.
The specific professional obligations in this context can vary dramatically depending on the state where the attorney is licensed. For example, nineteen states currently have issued advisory opinions on the use of cloud technology. Here are some examples of those requirements:
- Practical Ways to Mitigate the Breach
Cyber-attacks invariably happen without warning, but the impact of the attack does not have to result in firm or client devastation. There are a number of technical and sophisticated approaches aimed at preventing the attacks. Lawyers typically engage IT or IG professionals to implement the nuanced aspects of such an initiative.
Lawyers need to understand and develop protocols for their firm in order to facilitate the overall implementation. This includes the development of internal protocols to mitigate exposure on the front-end by seeking outcomes, such as:
- Implement a company like firewall to prevent unauthorized remote access.
- Establish minimum requirements for passwords for all devices that require multiple characters, symbols, and case variations.
- Provide cyber-training to all employees to cover risks, treatment of unknown emails, and unknown client inquiries.
- Implement encryption protocols. In certain jurisdictions, a firm may not be liable for the lost or stolen data if the data was encrypted.
- Create a written response plan to implement when a breach is discovered. The plan must be tailored to anticipated types of breaches and back-up protocols. For example, if your firm does business in China, a response plan should be tailored toward attacks coming internationally.
- Purchase cyber-liability insurance or only utilize technology vendors who carry cyber insurance.
Installing and planning these protocols may seem too time-consuming or costly. However, that cost pales in comparison to the potential malpractice claims, licensure issues, or notice requirements, if malicious outsiders succeed in the breach.
- Notice Requirements When the Unthinkable Happens
Financial institutions are already federally mandated to give notice to victims of a data breach. Congress is currently debating a bill that would expand the federal notification requirements to include any business that uses, accesses, transmits, or stores personal information. Until that bill is passed, consumers must rely upon and the law firms should be knowledgeable about, the 47 different state notification.
Each state has a different rule regarding when, what type, and how soon notification is needed after a data breach occurs. In every state with a notification requirement, companies are required to notify affected customers, clients, or employees as expediently as possible without undue delay. There may be additional requirements if the data breached is of a particularly sensitive nature, such as personal health information or that requiring ITAR compliance. Examples of the spectrum of state notice requirements include:
|State||Other Duties, Responsibilities, or Triggers Requiring Notification|
|New York||Other Notification Allowed: TelephoneNotice to the State: Notice to the NY Attorney General, Consumer Protection Board, and the state Office of Cyber Security and Critical Infrastructureis required for any breach.Encryption Safe Harbor: No duty to notify if personal information is encrypted and encryption key has not been compromised.|
|California||Notice to the State: Notice to Californiamust be given if more than 500 Californian residentsare affected by a breach.Private Cause of Action: A business may be liable for a civil action for violating breach notification statute.|
|Nevada||Risk of Harm: Notification is only required if a breach materially compromises the security or confidentiality of personal information.Private Cause of Action: Only permitted for data collector to bring suit against person who unlawfully obtained or profited from personal information.Encryption Safe Harbor: No notice is required if data is encrypted.|
There is considerable cost in providing this level of notice. Complying with these obligations may be challenging if the firm’s tech provider fails to provide sufficient notice when the breach happens. Lawyers should consider how to best allocate this cost and risk when negotiating and documenting contracts with their technology providers.
Law firms and corporations of all sizes face the unknown threats and potentially devastating impacts of a cyber-attack. Clients and the demands of practice can make it challenging for any lawyer to worry about the uncertainty of potential cyber-attack. Your firm’s problems may grow exponentially after a breach happens. Lawyers have ethical duties that vary across states to reasonably act to protect their client’s information against these unknown threats. Knowing how to respond and proactively considering safety measures can make the difference in the scope of damage done when a cyber-attack happens. Companies like Tower Legal Solutions can help manage this risk while allowing you to focus on representing your clients.
By: JACOB CRAWFORD
ABOUT TOWER AND THE AUTHOR
TOWER LEGAL SOLUTIONS AND TOWER CONSULTING SERVICES HAVE SPECIALIZED KNOWLEDGE AND EXPERTISE THAT HAS PROVE TO HELP LAW FIRMS AND CORPORATIONS IDENTIFY AND HIRE HIGHLY SKILLED CANDIDATES. TOWER HAS A NATIONAL PRESENCE WITH OFFICES IN NEW YORK, WASHINGTON, D.C., ATLANTA, CHARLOTTE, DALLAS, MINNEAPOLIS AND LOS ANGELES. JACOB IS A STUDENT AT WILLIAM MITCHELL COLLEGE OF LAW AND EXPECTED TO GRADUATE MAY OF 2016. HE CURRENTLY IS AN EXTERN AT THE MINNEAPOLIS OFFICE OF TOWER.
Learn more about Tower Legal Solutions: www.towerls.com