on an ongoing basis, or encrypt documents and communications. In addition, as at any other business, laptops and cellphones get lost, and paper documents remain at risk.
"A criminal who understands the value of the stolen information in his hands is likely to attempt to sell it for financial gain. After that, the information could be used for a variety of purposes depending on other factors [including] seeking tax refunds, illegal immigration, issuance of counterfeit documents, identity theft, or even economic espionage or blackmailing," said Francoise Gilbert, a partner at law firm Greenberg Traurig, in an interview.
What to Do About It
Attorneys are obligated to make "reasonable efforts" to safeguard their clients' information under the ABA Model Rules of Professional Conduct, a standard that leaves a great deal open to interpretation. Don't take your law firm's security policies and practices for granted. Instead, find out what they are and make sure security is built into the relationship from the start.
"The comments provided in ABA Model Rule 1.6 state that a lawyer must make reasonable efforts to protect [against] inadvertent or unauthorized disclosure of information related to the representation of [a] client. These factors include adding safeguards, [such as] special security measures to transmit and store data," said Graham Jackson, general counsel at IT security education and certification consortium (ISC)2, in an interview. "If the data exposed includes [personally identifying information], healthcare, or financial information, law firms must review the relevant federal and state statutes, including any data breach notification laws, to determine whether the data loss requires notification."
Another rule, ABA Model Rule 1.4, may require a lawyer to notify his or her client even if the data loss does not trigger a data breach notification, Jackson said. That particular rule governs communication. It requires lawyers to keep their clients reasonably informed about the status of their case.
Whether a law firm has a legal duty to disclose a breach to anyone other than the affected clients "probably depends on their own contractual obligations with their clients and state laws," said BitSight Technologies' Olcott. "I would expect that most corporate clients would require their law firm to notify them of any potential data loss or breaches."
John Cooney, a partner at law firm Ruskin Moscou Faltischek, said in an interview that, in addition to complying with federal and state breach notification laws and filing regulatory responses, law firms' legal obligations include assessing potential litigation, including shareholder derivative and class actions.
"The respective laws and obligations are complicated. Which ones a law firm has to comply with depend on the type of information that was accessed, as well as the state in which the client resides or does business," said Cooney.
There's also the issue of cyber-security insurance. Lawyers and law firms are not currently required to carry it, but in some cases it can make the difference between a firm remaining solvent and going under. Only 11% of respondents to the ABA's 2015 Legal Technology Survey Report said their firms had cyber-security insurance.
"When a potential client is evaluating law firms, one of the first questions concerning cyber-security should be whether the law firm has cyber-security insurance," said Cooney. "If not, that law firm should be eliminated from consideration."
Law firms that get cyber-security insurance are typically subjected to a rigorous evaluation and underwriting process prior to being insured. What that means to clients is that a third party has evaluated the firm's security practices, and that the firm has properly evaluated different cyber risks, Cooney said.
Depending on the policy, insurance may cover first-party costs, including forensic investigation, breach notification, cyber-extortion payments, credit monitoring for affected parties, and crisis management and public relations expenses, as well as third-party expenses. Some policies also cover fines and penalties imposed by regulatory bodies or the payment card industry, according to Daniel Lazarz, a broker at insurance company Swett and Crawford, in an interview.
"Law firm clients should not only ask about the firm's cyber-security measures, but also what means they have to bear the cost of a breach," said Lazarz. "Without proper coverage or financial means, services and damages that would be provided to the client might not be available, leaving the client to bear the cost."
In other words, it's wise to understand how a law firm protects its clients' information, and to determine whether the policies and practices complement or diverge from your own.
Law firms are attractive targets because they handle a lot of sensitive information that has monetary value on Wall Street, on the black market, and in the political arena. While law firms have an ethical duty to protect their clients' information in a "reasonable" fashion, the definition of "reasonable" varies from firm to firm.
Clearly, no law firm wants to suffer the fallout of a breach, but their methods of effectively keeping data safe and dealing with a breach can vary significantly. Rather than leaving the matter to chance, it's wise to understand the details of how a law firm will protect your data and, in the event of a breach, how they'll handle it.