By Daniel J. Solove
Law firms are facing grave privacy and security risks. Although a number of firms are taking steps to address these risks, the industry as a whole needs to grasp the severity of the risk. For firms, privacy and security risks can be significantly higher than for other organizations. Incidents can be catastrophic. On a scale of 1 to 10, the risks law firms are facing are an 11.
This is not time for firms to keep calm and carry on. The proper response is to freak out.
Data Security Threats
In 2009, the FBI issued an advisory that hackers were targeting law firms. In 2011, the FBI began organizing meetings with the managing partners of top law firms to highlight the risks. In 2013, the FBI repeated its warning: “We have hundreds of law firms that we see increasingly being targeted by hackers.”
As attorney Simone McCormick notes, recent incidents in the past few years have included ones where “hackers stole all client files of a New York law firm, attacked Canadian law firms for industrial espionage and launched a sophisticated phishing attack against a California firm.”
Law firms are great targets. For fraudsters, law firms offer a gourmet data feast. Law firms have lots of personal data on employees and clients; they often have health data and protected health information (PHI) under HIPAA; they have tons of financial data; and they have very sensitive information about the corporate strategies, trade secrets, and business transactions of their clients.
Law firms also face mounting privacy threats, as the data they maintain about employees and clients is increasingly regulated. State common law torts, such as breach of confidentiality, public disclosure of private facts, and negligence impose legal duties on attorneys to maintain confidentiality.
After the HITECH Act of 2009, HIPAA now enables direct enforcement by the U.S. Department of Health and Human Services (HHS) over business associates of covered entities under HIPAA. What this means is that if a law firm receives patient data from a client healthcare provider, such as a hospital, the law firm is a business associate and will be subject to many of HIPAA’s privacy and security requirements. The firm can face fines and audits by HHS and state attorneys general. These fines can be up to $1.5 million per provision of HIPAA violated, and often HHS finds quite a number of provisions violated. State health privacy laws might also apply, such as Texas’s very broad and potent health privacy statute.
At law firms, many individuals may have access to sensitive data beyond partners and associates, such as contract attorneys, paralegals, secretaries, proofreaders, and others. A privacy incident could occur even when an employee of the firm accesses data improperly or when an employee mentions something to friends or family or on social media sites.
Why Are Incidents So Disastrous for Law Firms?
A privacy or security incident can cause an organization massive pain – a blizzard of lawsuits, negative publicity, reputational damage, regulatory fines, and disgruntled clients. Then there’s the cost of any forensic investigation and breach notification. Tremendous amount of time may be lost, and this will likely be the time of several attorneys at the firm.
Incidents could also give rise to ethical complaints, as inadequate data security or protection of privacy can constitute a failure to abide by the duty of confidentiality. Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Not too long ago, the ABA published Resolution 109, calling for firms to “develop, implement, and maintain an appropriate cybersecurity program.” Additionally, a few years ago, the ABA amended Comment 8 to Model Rule 1.1 (requiring “competent representation to a client”) to state that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” (added language italicized).
A major harm is reputation – no law firm wants to go to a huge client and inform the client that it has lost the client’s sensitive data. Imagine the call to the CEO: “Oops, we had a breach and lost a bunch of your trade secrets, a lot of personal data, and some very dicey documents. Remember that really bad incident we helped keep out of the news – all our files about it are out there now. Oh, and that rather embarrassing matter that we cleared up for you personally last year . . . one of our secretaries wrote about it on Facebook to 492 friends. But hey, to make it up to you, we have some great seats at the opera for you tonight.”
When there’s a breach or incident at a law firm involving a client’s data, the client can be liable too via vicarious liability. Additionally, the client can be directly liable for failure to exercise due diligence in vetting the firm prior to sharing personal data with the firm. Indeed, a recent FTC case, In the Matter of GMR Transcription Services, Inc. (Jan. 31, 2014), involved the FTC bringing an action under Section 5 of the FTC Act (“unfair or deceptive acts or practices in or affecting commerce”) for a company that failed to “adequately verify that their service provider . . . implemented reasonable and appropriate security measures to protect personal information.” Additionally, the FTC found fault with the contract with the service provider and the steps the company took to verify that the service provider was adequately protecting data.
So imagine the call with the CEO now: “By the way, as your attorney, I must inform you that your company, too, might be liable for the breach we had. Yes, I admit, our data protection here wasn’t up to par – we totally botched things up. But you didn’t probe our privacy and security practices when you retained us, so you’re on the hook. Not only might you face a number of lawsuits, but the FTC might come after you too. Don’t worry though – FTC consent decrees only involve 20 years of auditing. You’ll probably have retired before that period is over. Anyway, are you up for some golf this afternoon?”
There is a potential conflict of interest if the firm represents the client in any FTC investigation, any other regulatory action, or any lawsuits emerging from such an incident. For example, the client might want to emphasize how the law firm didn’t accurately represent its practices when the company conducted due diligence of the firm’s data protection capabilities. The firm might be reluctant to fall on its sword to protect the client’s reputation because it could implicate the firm’s reputation.
So now the client has to go to a competitor law firm to represent it in connection with this incident.
How Well Are Law Firms Handling These Risks?
Law firms have lagged behind other industries when it comes to data protection. Although a number of firms have developed great programs, other law firm privacy and security programs lack all the elements of the programs that many companies in other industries have.
A few years ago, the head of the cyber division in the New York City office of the FBI stated: “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.” Also as cybersecurity law expert Vincent Polley has noted, many law firms might not even realize that they’ve been hacked.
Many law firms now have a CIO and/or a CISO, but there are still quite a few firms that lack a complete privacy and security program. Such a program, for example, involves privacy and data security training. (Full disclosure: I founded a company that provides such training, so pardon any bias about the importance of training.) As an industry, law has been slow to adopt training around data protection.
One of the difficulties in implementing training is that lawyer time is so valuable. Time spent training is time not spent on billables. But training is an essential component of good privacy and security protection. According to IT executives quoted in an ABA Journal article [link no longer available], untrained lawyers and office personnel are often the Number 1 weakness in a law firm’s defense.
Law firms are beginning to realize that privacy and data security are important. According to Marsh’s 2014 Global Law Firm Cyber Survey, “almost 80% of respondents consider cyber/privacy security to be one of their firm’s top 10 risks, while more than 40% of those surveyed would place it even higher — as one of their top five risks.” That’s the good news.
But now for the bad news. According to the survey, law firms are underestimating the severity of the cost of a breach:
“[A] majority of firms surveyed have not taken into account what kind of financial impact their organization could experience following a cyber incident. For example, more than 60% said their firms had not calculated the effective revenue that could be lost following a denial-of-service attack. Even more (72%) said their firm has not assessed how much a data breach would cost them due to the kind of information it retains.”
Also, fewer than half said that their law firms insured for cyber risks.
Mounting Pressure to Take Significant Action
With many recent breaches stemming from third party vulnerabilities, big banks and other clients are demanding that their law firms do more to protect sensitive information. According to the New York Times, “[s]ome financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections.”
I believe that the next 5 years will see a revolution in the way that law firms protect data. Law firms are sensitive to risk, and they have the resources to deal with it. They face risk that are higher and more devastating than other organizations.
What Should Law Firms Do?
1. Assess the risks. Do an assessment of the risks. Identify the vulnerabilities and what needs to be done to better protect against them. A data inventory should be done so the firm knows the various types of data that it is maintaining.
2. Assign responsibility. Someone at the firm should be responsible for handling privacy issues. There should be a person responsible for data security. Every collection of data should have a person responsible for it (called a “data steward”). Everyone at the firm should know whom to call with any questions about privacy or security.
3. Develop policies and procedures. Develop or improve policies and procedures for how various types of data are to be handled and protected. What are the policies regarding placing data on portable devices? Employee access to data? Encryption? BYOD? Social media use? How is any PHI identified and handled?
4. Implement workforce training. Develop an annual training program to ensure that everyone knows how to handle and protect data properly, the importance of privacy and security, and whom to call if there are any questions or concerns.
5. Develop an incident response plan. Develop a plan for responding to privacy and security incidents. This plan involves how to handle the investigation, who is responsible for which tasks, what laws and regulatory requirements need to be followed, what third party vendors are best to hire to help with certain tasks (forensic investigations, breach notification, etc.). The plan should also involve how to handle PR. Time will be very scare during an incident; it is best to be ready in advance rather than scrambling frantically after a breach. There should also be a plan for how to handle clients whose data is implicated.
6. Look into cyber insurance. Law firms should look into insuring against the risks and understand what things are covered and what things are not covered by various policies.
There are a number of law firms that could improve on one or more of these things. Indeed, when firms advise their clients, they likely provide the above advice. But as the saying goes, the shoemaker’s children have no shoes.
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 890,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.