WILMIC News & Risk Management Articles

Give TLC to Clients: Respond ASAP to Security Breaches

Lawyers always have had an obligation to keep client information confidential. But now, in addition to information being stored electronically more than ever before, two changes have increased that obligation. The first is that storage of client information is much more portable, for example, on laptops and smartphones; and the second is a statutory obligation in almost all states to protect personally identifiable information (PII), not only that of clients but that of other people as well.

What would you do if you lost sensitive client information? Whether because of a data breach due to hackers, careless disposal of client records, theft of mobile devices, or misuse of internal security protocols, lawyers need to consider how they are protecting client and employee information. Experts say law firms have become a prime target because of all the sensitive and confidential PII stored in law firm databases.

The consequences of a breach or lost data can be monumental, especially for solo practitioners. Sandy Hauserman, a Vermont lawyer and founder and managing member of Digital Risk Resources (“DRe”), an insurance-product development company, says there are cyber exposures that arise from a law firm’s dependence on computers and the internet and from collecting clients’ personal information. He says cyber exposures can significantly affect law firms – and he expects those exposures to grow. “Every law firm is now dependent on technology and the internet,” he says. “This dependency creates business risk not covered in standard errors and omissions or property-casualty policies.”

Client records and credit and debit card processing make up a significant portion of the overall risk profile. Law firms gather and transmit PII of clients, employees, vendors, and others. Law firms collect a lot of very sensitive information that, if made public, could severely damage a client’s reputation.

In addition, some cyber criminals want to steal data or damage IT systems. They often plant harmful software (viruses, malware, and so on) on one computer and hope it will be accidentally transmitted to others.

Protect File Documents

In addition to all the client information lawyers have in their computer system, many, if not most, lawyers also store file documents electronically. The file is the property of the client, and as the lawyer you are obligated to safeguard the file’s documents. That means you must use reasonable care to ensure the confidentiality of electronically stored client files and ensure that any security measures are reviewed periodically so that such measures stay current.

If you back up your files with a third-party internet service provider (ISP) or in the “cloud,” as many like to refer to it, you should make sure the third party understands your obligation as a lawyer to keep the information confidential, the third party is itself obligated to keep the information confidential, and reasonable measures are used to preserve the confidentiality of the files.

What is the best way to do these things? First, find out how the ISP protects the data. For example, some providers split up the data, encrypt it, and keep it in separate servers, adding a few layers of security. But the best way to understand what a third-party vendor does with your data is to ask. If your vendor isn’t responsive, you may consider switching to another vendor.

Second, look at your contract with that vendor. What kind of security does it promise?

Many technology experts believe the cloud or a third-party ISP is more secure than the server you have at your law firm. They caution, however, to make sure you know what you are purchasing when you go to that third party. Sometimes, it’s a matter of getting what you pay for. The cheapest is not always best.

Hauserman says, “In general, the problem with the cloud, or other electronic storage options, is that the contracts the law firms have to sign push back liability for any losses due to a breach to the law firm. This is especially true of cloud providers. Also, when information is lost or stolen, attorney-client confidentiality can and almost surely will be lost. In any case, data storage contracts need to be closely scrutinized.”

Dealing With a Security Breach

Hauserman says it is important to act quickly if your or your firm’s computers are hacked. “Disconnect from the internet and seek help. Hire a security service provider who can 1) arrange for a forensic investigation to determine the extent of the loss of PII, 2) help with reporting to the proper state and federal law enforcement authorities or agencies, 3) arrange for proper notification to victims whose PII has been lost or stolen, and 4) provide the victims with identity theft remediation and credit monitoring.”

Notifying Clients. Most states have enacted breach notice laws that require a business suffering a security breach or losing PII to notify victims. This allows the victims to take action to protect themselves from identity theft. Wisconsin lawyers must comply with Wisconsin’s breach-notice law (Wis. Stat. § 134.98) and potentially other state laws. In addition, any law firm storing medical information is subject to the notification rules of HIPAA.

Notification costs can grow rapidly. The average cost is between $50 and $100 for each affected person. Even a modest-sized breach can result in a huge legal liability that could potentially bankrupt a small law firm. At the very least, notification of a security breach will be expensive and will disrupt your practice.

If an individual who has been notified actually suffers a monetary loss, or, more important, if financial or medical information collected by the law firm gets in the wrong hands, the law firm might be sued.

Post-notice Response Plan. After you have notified potential victims, Hauserman recommends that you activate your response plan. If you don’t have a plan, develop one now so you are ready in case you need it.

What should the plan contain? First, establish priorities. The top priority is often protecting the confidentiality of client information. Identify and rank your priorities (including the need to notify your clients, malpractice carrier, and cyber risk insurer).

Second, be ready to investigate. To respond appropriately, you must understand the nature and extent of the cyber attack or breach. Your IT consultant or department, if you have one, should have sufficient knowledge of forensic investigation to isolate the problem. If you do not have an IT department or consultant, you should identify the provider you would contact to investigate the breach.

It is important to remember that non-IT staff may be the first to discover a cyber incident. Encourage staff to report indications of trouble immediately.

Third, have a communication plan. Effective internal communication with your staff is crucial to a good response plan. External communication is equally important, including with outside IT consultants and other service providers.

Fourth, be prepared to make decisions about containing the damage. Certain staff members should have the authority to lock down accounts, change passwords, and determine which parts of your computer system should be shut down or isolated and when it is safe to restore operations.

Fifth, you should be prepared to resolve the incident by identifying and correcting all the breach points and eliminating any malware or other intrusion mechanisms.

Finally, analyze the incident and the effectiveness of your response.

Prevention

Of course, preventing a breach in the first place is the best way to avoid potential trouble. Hauserman says, “If you don’t plug up the cracks in your system now, you may find yourself in the same situation down the road.” He suggests eight steps lawyers can take to prevent a future breach. They are the following:

  1. Train employees. Criminals are experts at exploiting people who do not know how to adequately protect PII.
  2. Encrypt the corporate network and any mobile devices, making PII accessible only by the user.
  3. Store paper records in a locked file cabinet or room; back up electronic data and store the backups both on site and off site.
  4. Maintain firewalls on any computer device connected to the internet.
  5. Use antivirus software and update it no less than every 30 days.
  6. Use strong passwords.
  7. Do not click on links or open attachments in suspicious emails. If you know the sender, but think the email looks strange, call the sender to ask whether the message is genuine.
  8. Dispose of unnecessary or outdated paper and electronic PII. Erase data from printers, cell phones, copiers, and computers. Shred paper documents.

Conclusion

Law firms depend on technology and the internet. This dependency creates a business risk. Inadvertent disclosure of the PII law firms gather and transmit, such as names, addresses, birth dates, Social Security numbers, credit card information, and medical information, creates the possibility of identity theft.

Be sure you are ready with a plan in case you experience a breach. In addition to the plan, finding the right expertise to begin a forensic investigation to determine the extent of the loss and complying with the notification laws are absolutely necessary to getting back on your feet. And Hauserman says having cyber liability insurance coverage can help you sleep at night. “Buying liability insurance coverage for law suits involving an information breach, whether they have merit or not, is the easiest and most efficient way to arrange for legal help and other assistance and to help pay for damages inflicted on others.”