In the March 21, 2019 edition of The Legal Intelligencer, Edward Kang, Managing Member of KHF, wrote “IT Security and Policy: Why All Lawyers Must Care About It.”
Several years ago, my insurance broker suggested I get cybersecurity insurance for my firm. It seemed a cybersecurity insurance policy was unnecessary, not much different from having an undercoating for a new car. That was then. Now, the benefits of having a cybersecurity insurance policy are not reasonably in dispute. In addition to having the security of insurance, another (and more important) benefit of getting a cybersecurity insurance policy was the requirement that I have an IT security and breach policy that deals with how to prevent a security breach and what to do if there is a security breach. While getting a cybersecurity insurance policy may still remain an option for many, having an IT security policy describing detailed procedures to protect against a cybersecurity attack (and what to do when the system is breached) is a must.
Need for Cybersecurity Measures
As our lives become increasingly digitized, it becomes especially important to consider how to protect confidential information stored electronically from cybercriminal hacking. Law firms, with their access to large quantities of confidential client information, represent a prime target for security threats. Lawyers must recognize the need to protect their data against security threats, and to consider what steps to take in the unfortunate event that they do become the victim of a security breach, particularly in notifying their clients and preventing future breaches.
Cybersecurity Threats to Lawyers and Their Clients
There have been many well-known security breaches among some of the biggest names, including Yahoo, Equifax, Target, JP Morgan Chase and the Home Depot. Some breaches involved adult dating websites, implicating not just users’ financial information but also highly personal, intimate information.
Businesses are not the only entities vulnerable to security breaches: law firms, with their access to a wealth of sensitive information from their clients, often find themselves the target of hackers. Security breaches in law firms appear to be on the rise—the American Bar Association, in its 2017 TechReport, revealed that 22 percent of respondents to its Legal Technology Survey Report had ever experienced a data breach, an increase of 8 percent from the year before. The figure was highest for firms with 10-49 attorneys, where 35 percent, more than one-third, had experienced a security breach, see David G. Ries, 2017 Security, TechReport 2017, (Dec. 1, 2017). Even more concerning, however, was that another report, from the Law Firm Cybersecurity Scorecard, showed that 40 percent of surveyed law firms had experienced a data breach in 2016, and did not even know it, see Dan Steiner, “Hackers are aggressively targeting law firms’ data,” (Aug. 3, 2017).
The prevalence of such security breaches involving law firms has been the source of national news. In 2016, 2.6 terabytes of information consisting of 11.5 million files, referred to as the Panama Papers, were leaked from the internal databases of the world’s fourth biggest offshore law firm, Mossack Fonseca. In 2017, DLA Piper reported that it had been the target of a cyberattack via the NotPetya virus, which shut down communications at the firm for two days, see Daniel R. Stoller and Rebekah Mintzer, “Foley & Lardner Hit With Cybersecurity Incident (1)” (Oct. 26, 2018).
Security Breach Notification Law
In response to increasing cybersecurity attacks and devastating consequences, which involve many victims who do not even know that their confidential information has been stolen, new laws have been enacted addressing the notice requirement in the event of a cybersecurity breach. Specifically, security breach notification laws have been enacted in all 50 states, governing the people covered, the content being breached, the timing of the notification and the penalties for violating the notification statutes. Pennsylvania law, 73 P.S. Sections 2301, for instance, defines “breach of the security of the system” as “unauthorized access and acquisition of computerized data,” which stands to compromise the security or confidentiality of, or could cause loss or injury to, any resident of the commonwealth. The act requires that any entity that maintains, stores, or manages computerized data—whether they be state agencies, businesses, vendors, or individuals—notify the victims of a security breach “without unreasonable delay” after discovery of the breach, see Baker Hostetler, “State Data Breach Law Summary,” (July 2018).
Lawyers have a greater duty than the one imposed by Pennsylvania’s data breach notification law. On Oct. 17, 2018, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility released a formal opinion, outlining the obligations of lawyers toward their clients in the event of a data breach, see Formal Opinion 483, ABA Standing Committee on Ethics and Professional Responsibility. The opinion builds off of the Model Rules of Professional Conduct to more specifically delineate the steps lawyers should take and what constitutes an ethical violation as far as their clients’ privacy is concerned. The applicable Model Rules include 1.1 (competence), 1.4 (communications), 1.6 (confidentiality of information), 1.15 (safekeeping property), 5.1 (responsibilities of a partner or supervisory lawyer), and 5.3 (responsibilities regarding nonlawyer assistants).
First, lawyers are obligated to “employ reasonable efforts” to monitor for a data breach; without such a requirement, “a lawyer’s recognition of any data breach could be relegated to happenstance.” Not every breach is an ethical violation on the lawyers’ part, however, as cyber criminals may successfully hide their activities even with reasonable preparation from the lawyers, see David Hricik, “ABA Issues Opinion on Lawyers’ Obligations after Electronic Data Breach,” (Oct. 17, 2018).
The exact nature of a breach varies—it could be the theft of confidential client information, or ransomware that blocks access to the information until a ransom is paid, or an attack on the lawyers’ systems that “incapacitates the attorney’s ability to use that infrastructure to perform legal services.” Once a lawyer has become aware of a data breach, they are then obligated to stop it and mitigate damage. The Opinion provides three examples of this—restoring the technology systems, implementing new technology systems, or the use of no technology at all, if applicable. The lawyer must also determine what files were accessed or lost.
As for notifying the client whose data was breached, the opinion builds on Model Rule 1.4, which states that lawyers must keep clients “reasonably informed about the status of the matter,” to also provide that they are obligated to communicate with current clients about a data breach. The same obligation is not present where former clients are concerned, however, as the committee was “unwilling to require notice to a former client as a matter of legal ethics.” Instead, attorneys were encouraged to work out with their clients an agreement as to how to handle their information before the conclusion of their working relationship, in accordance with security breach notification laws as applicable.
Finally, the opinion provides that, should notification be necessary, the lawyer must give the client sufficient information to make an informed decision on how to proceed. Under Rule 1.4, the minimum disclosure is that unauthorized access or disclosure has or is reasonably suspected of having occurred, but as a matter of best practices, a lawyer should also inform the client of the extent to which their information was affected, if known, and of the lawyer’s plan to respond, whether that be data recovery or increasing future data security.
With the continued danger of security breaches, the question remains of how law firms can reduce their risk. Providing training to law firm employees on data and cybersecurity, and familiarizing them with ransomware, phishing, and malware, is just one such way to reduce one’s risk. Improving one’s security solutions through the use of spam filters, firewalls, and antivirus software, and monitoring network traffic is another. Organizing data storage and systematizing information, e.g. compiling digital information into a single system, can further help law firms in reducing the threat of security breaches, see Jared Campos, “How Law Firms can Protect Highly Sensitive Data,” (Feb. 19).
Law firms are host to a wide range of sensitive information, making it especially important to take steps to protect against security breaches. As the opinion notes, however, even with reasonable, or even extraordinary efforts, a cybersecurity breach can still happen. That means lawyers must implement a reasonable IT security system to help prevent a cybersecurity breach. Lawyers must also implement a policy relating to how to deal with a cybersecurity breach, including notification to their clients. And, yes, lawyers should get cybersecurity insurance coverage.
Edward T. Kang is the managing member of Kang Haggerty & Fetbroyt. He devotes the majority of his practice to business litigation and other litigation involving business entities.
Reprinted with permission from the March 21, 2019 edition of “The Legal Intelligencer” © 2019 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-257-3382 or firstname.lastname@example.org.