By Robert W. Wilkins
The old adage “the Cobbler’s children have no shoes” highlights the fact that, as lawyers, we are often so busy helping others that we fail to take the time to help ourselves. All too often law firms fail to conduct data breach risk assessments concerning their own data and, more importantly, the client data entrusted to them. As a result, the policies and procedures required to implement data breach response plans, including procedures to comply with data breach notification rules, are not in place. Solo and small firms may consider themselves too small to be targeted. Even some mid-sized firms fail to comply with the basic legal requirements governing data breaches. Many assume their outside IT vendor, in addition to providing their cybersecurity, is also preparing and implementing the policies and procedures necessary to meet the data breach compliance requirements. All too often, both assume cyber insurance will protect them from the costs and substantial damages, including the reputational consequences, of data breaches.
Data breaches are increasing exponentially with growing financial consequences. Every year since 2015 the FBI has issued an annual report based on data collected from its Internet Crime Complaint Center (IC3). The report summarizes internet-related crime incidents. In 2017, the number of reported complaints was 301,580. In 2019, only two years later, that number increased to 3.5 billion! Florida ranked second highest among all states in both the number of victims of internet crime and the dollar amount of losses. The vast majority of the incidents resulted from phishing/vishing/smishing and pharming attacks on individuals and businesses.
Your law firm is already being targeted by internet bots and other malicious actors. It is not a question of if your law firm will suffer a breach; it is only a question of when. Perfection is neither possible nor required; you are only required to take reasonable measures to protect the data in your possession. What is reasonable depends on a number of factors, all of which should be evaluated as part of your risk assessment. If you haven’t already performed a risk assessment and implemented policies and procedures, including an incident response plan, the following highlights how you can begin the process.
1. Develop and Maintain Knowledge of Legal and Regulatory Requirements
Obviously, lawyers must know the law and maintain knowledge of the statutes, regulations, rules and all other aspects of the practice of law in general. The same is true concerning the more specialized area of law governing data privacy and security. Keeping abreast of the rapidly changing legal and technological requirements relating to data privacy is essential. Larger firms develop entire practice groups related to data privacy. Regardless of the size of your law firm, the requirement remains the same. Your ethical requirements demand no less. If you don’t have the time or resources to do so, retain outside counsel with specialized knowledge to assist you.
2. Prepare a Comprehensive Risk Assessment
Clients entrust their most sensitive data to their attorneys, including their financial and health-related private and confidential information. Lawyers have an obligation to maintain that information in the strictest of confidence. It is essential that law firms “map” the data in their possession, custody or control. Tangible data (paper, photos, videos, etc.) is typically located in the office in file cabinets or similar storage locations. Digital data is more dispersed; it can reside on servers, hard drives, and in the cloud, to name a few. When mapping the data, it is important to include all third-party vendors the firm uses—IT vendors, court reporters, experts, etc.
Once the data has been mapped, it is important to identify the legal and contractual obligations that apply to the data. There may be regulatory requirements concerning certain data, such as HIPAA, and there may be contractual requirements governing other data, such as trade secrets and other confidential information. Essentially, review, understand, and apply the requirements identified in the Data Privacy Primer cited in footnote two. Outside vendors specializing in preparing data risk assessments are an excellent resource to assist you with your risk assessment and data mapping obligations. Some will also assist in drafting the policies and procedures required by the statutes, rules and regulations. However, you are ultimately responsible for compliance, and you can’t delegate to your third-party vendor either your ethical responsibility to maintain confidentiality or your legal obligation to know whether those policies and procedures comply with the law. Vendor contracts may contain exculpatory language and most likely won’t indemnify you from liability for data breaches. And they can’t protect you from potential legal malpractice claims associated with the data breach.
3. Prepare an Incident Response Plan
Once you have mapped the data and determined the compliance requirements that govern that data, you need to prepare and implement an incident response plan (IRP). The IRP details all aspects of responding to an incident. An effective IRP will begin with an initial assessment of the incident and determine whether the incident response team needs to be activated. The IRP also details the levels of response required, including when the incident rises to the level that legal counsel needs to be engaged. Legal counsel will determine the required notifications to legal authorities, insurance carriers, and related contractual notice obligations. For a detailed explanation of the requirements of an incident response plan and a model form, the Sedona Conference Incident Response Guide is an excellent resource.
Hopefully, the resources identified in this article will assist you in navigating the many laws, regulations and rules governing your data privacy obligations and data breach notification requirements.