For Law Firms, Implementing Reasonable Measures to Protect Sensitive Client Data is Vitally Important to Reducing the Risk of Liability from a Cyber-Breach
In a previous blog, we noted that hackers choose their mark indiscriminately, seeking only a vulnerable network to penetrate that maintains information they can monetize. Law firms, which electronically store clients’ personal identifying information, personal health information and confidences and secrets, possess such desirable information and, indeed, are no less vulnerable to cyber-attacks than any other organization connected to the internet. As a law firm data breach can result in potential liability through class action lawsuits, disciplinary proceedings and regulatory enforcement actions, law firms must recognize, assess and address their risk in the event of a breach that causes the unauthorized acquisition of unencrypted sensitive data belonging to one or more of their clients.
Like other organizations possessing sensitive information, law firms are subject to applicable state and federal laws and regulations to safeguard and protect data, as well as specific ethical rules governing their profession. For example, ABA Model Rules 1.1 and 1.6 require attorneys to take competent and reasonable measures to safeguard information relating to their clients. In the 2015 ABA Tech Report, it was noted that:
law firm “[i]nformation security starts with a risk assessment to determine what needs to be protected and the threats that it faces. Comment  to Model Rule 1.6 includes a risk assessment approach to determine reasonable measures that attorneys should employ. The first two factors in the analysis are ‘the sensitivity of the information’ and ‘the likelihood of disclosure if additional safeguards are not employed.’ This analysis should include a review of security incidents that an attorney or law firm has experienced and those experienced by others in the legal profession…. The next factors in the risk analysis cover available safeguards. Comment  to Model Rule 1.6 includes [considering] …the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). Comment  uses a standard risk-based approach.
Separate and apart from lawyers’ ethical obligations to protect sensitive information, law firms may possess client information that is subject to federal and/or state law. For example, under the Gramm-Leach-Bliley Act, financial institutions must notify their customers of a breach; the Sarbanes-Oxley Act and implementing regulations promulgated by the SEC imposes reporting requirements on publicly traded companies in which they must notify their customers of a data breach; health care providers, related entities and business associates (which includes law firms that perform legal services for a “covered entity”) are subject to reporting requirements under the Health Insurance Portability and Accountability Act (as well as other applicable statutes and regulations) and the “unfairness doctrine under the Federal Trade Commission Act has been applied to companies that have failed to install reasonable security measures as unfair and deceptive practices that harm consumers, irrespective of any misrepresentations as to security measures implemented by the company (See D-Link post here for a discussion of a recent expansive application of the unfairness doctrine in which the FTC initiated an enforcement action due to D-Link’s alleged failure to implement reasonable safeguards to protect consumer data without any accompanying data breach or unauthorized acquisition of data by third parties). States, too, are quickly enacting laws and regulations covering all organizations, plus additional rules and regulations that cover target rich, vulnerable and susceptible to attack industries.
In the absence of a controlling national data breach notification statute, 47 states have enacted their own notification statutes that are, generally, triggered if personal identifying information of a state’s residence is disclosed as a result of a cyber-breach. Although they vary from state to state, the state notification statutes generally apply when there is a breach that results in the unauthorized acquisition of unencrypted personal identifying information or health information. For national organizations that means they are required to comply with 47 separate state-enacted breach notification statutes. Regional organizations, as well as mid-size and small organizations are required to comply with the breach notification statutes in those states in which that theirs customers reside. By extension, law firms in possession of their clients’ personal identifying information may be subject to the notification statutes as well and/or federal law.
Importantly, just like their clients may face class action lawsuits stemming from data breaches and claims of, among other things, breach of privacy based on their failure to protect its customers’ data, law firms may be sued by their clients and/or their clients’ customers due to their failure to implement reasonable measures to protect their sensitive and/or confidential information, subjecting them to costly litigation while defending issues such as standing, liability and damages. For many law firms, a data breach that results in litigation can have catastrophic consequences.
Law firms, irrespective of size, are increasingly the subject of attempts by hackers to infiltrate their data. Law firms are viewed by hackers as easy targets, because of the common perception that they fail to implement basic measures to protect personal identifying information. In that regard, although the use of firewalls and encryption of emails containing personal identifying information should be common place, an inordinate number of law firms still fail to take reasonable measures to ensure that such emails are encrypted. Similarly, according to a 2014 Verizon study cited in the 2015 ABA Tech Report, only 35% of respondents indicated they encrypted smart phones and laptop computers, calling into question whether the failure to do so constitutes reasonable efforts to protect client data.
If successful, the unauthorized acquisition of unencrypted personal identifying information by third parties can expose law firms to potential liability, litigation costs, reputational harm and damages. Accordingly, it is imperative that law firms undertake reasonable efforts to comply with the governing ethical rules and federal and state statutes by implementing written information security programs and data policies that address, among other things, the following:
- risk and vulnerability assessments,
- penetration testing,
- identification and classification of sensitive data,
- written data security policies,
- third-party vendor agreements that protect law firm data, to the extent that such vendors have access to sensitive data on the firm’s network,
- protection of sensitive data through effective employee training regarding the firm’s polices, the use of anti-spam, anti-virus, malware software,
- the purchase of cyber insurance, which should be considered an important part of any firm’s risk assessment,
- an action-ready incident response plan and a
- disaster recovery plan.
By adopting reasonable and competent measures to protect client and employee data, through cost effective means that are consistent with the risk and resources of their particular firm, law firms can minimize, if not eliminate their risk of liability from lawsuits and administrative enforcement actions. What a law firm does before a breach is as important as what it does after one occurs.