The Risk Manager, Winter 2016
Beginning in 2009, state and federal law enforcement agencies have warned larger United States law firms that their computer files are targets for cyber spies and thieves looking for valuable information about potential corporate mergers, patent and trademark secrets, litigation plans, and financial data of corporate clients. A trade dispute for a maker of solar panels recently subjected a Washington, D.C. law firm to Chinese military hackers. A client’s computer breach resulted in a hack of a New York law firm that infiltrated not only its client base, but also resulted in the loss of its own employees’ social security numbers. “If you are a major law firm, it’s safe to say that you’ve either already been a victim, currently are a victim, or will be a victim...”2
Solo practitioners and smaller law firms should not think they are immune to cyber attacks. As a partner in a three-attorney law firm reported last year, his firm was a victim of a new Cryptolocker-type virus, a ransomware used to encrypt his client files so they were unreadable. The hackers demanded money to restore the data. “Dear Clients”, Attorney Robert Ziprick wrote in the letter the law firm mailed out giving notice to its clients, “It is almost a daily occurrence that we read about cyber attacks in the news. Unfortunately, our firm was the victim of a single cyber attack....”3 The point is that all law firms are at a higher risk for cyber-intrusions than ever before. Attorneys must assess how their vulnerability to third party attacks can make them liable for failing to protect client information.
This article is intended to provide an overview of what these developments mean to Kentucky lawyers and offer cyber security risk management considerations to assist you in protecting your firm from professional responsibility violations and malpractice claims.
Kentucky’s Consumer Protection Data Breach Notification Law KRS 365.732
The Kentucky General Assembly joined 40 other states when it enacted a consumer protection data breach notification law in 2014. KRS 365.732 requires written notice to persons affected by a computer security ‘breach’ involving their unencrypted ‘personally identifiable information.’ Breach is defined as the unauthorized acquisition of unencrypted and unredacted computerized data that can compromise the security and confidentiality of an individual.4 An individual’s first name or first initial, in combination with a social security number, driver’s license number or an account number or credit card with the required password, constitutes personally identifiable information under the statute. The ‘information holder,’ in our case the attorney, is required to disclose any breach to the client, in an ‘expedient time’ and ‘without reasonable delay.’ The only exception for not notifying clients quickly is if there is a pending criminal investigation by a law enforcement agency.
The notification required under the statute is to be in written form, or, may be sent electronically if the client has agreed to accept such notices.5 If the cost of providing individual notices exceeds $250,000, or the class of persons affected exceeds 500,000 people, then a ‘substitute notice’ by email posted on the information holder’s website, coupled with statewide media notification suffices. If more than 1,000 persons are impacted at any one time, the statute mandates that the information holder notify all consumer reporting agencies and credit bureaus that maintain consumer files on a nation wide basis. The timing, distribution and content of those notices are prescribed by federal law.6
The data breach notification statute establishes no new cause of action. Nor does it authorize fines or penalties for non-compliance. However, KRS 446.070 allows a person injured by the violation of any Kentucky statute to recover damages sustained by reason of the violation.
The greatest harm inflicted to a law firm by a data breach is the violation of the attorney’s duty to keep and preserve a client’s confidential information.7 However, from the business aspect of the law firm, reputational damage and loss of client confidence can have a significant impact on the firm’s bottom line. Thus, cyber security oversight and management for law practices is essential.
Data Breach Cyber Security Risk Management
Cyber Security Assessment and Plan: Efforts to protect your law firm from data breaches begin with a law firm discussion on cyber security issues and the development of a plan to detect intrusions, respond to those intrusions, and mitigate their impact with an effective response. Discussion should first focus on an assessment of all cyber security risks associated with the law firm’s use of technology, including email communications, e-filings with state and federal courts, the exchange of discovery in litigation, and maintenance and storage of digital client information and files. Have you appropriately assessed all of your law firm’s cyber security risks? What steps have been taken to evaluate those risks?
- In the event of a breach, does your law firm have an effective response plan?
- Who is responsible for the implementation of the plan?
- Are employees of the law firm aware of the plan and trained in the role they play?
- Has the plan been tested to make sure it works?
- How are communications with clients, the court, and third parties to be handled?
- Do you have the resources to make the notifications required by Kentucky law to your clients?
Evaluate Your Law Firm’s Computer Practices:
- Do you have a written computer and information system policies and procedures?
- Do you require employees to follow those policies and procedures?
- Do you use commercially available firewall protection?
- Do you use commercially available anti-virus protection?
- Do you install updates to those protections in a timely manner?
- Do you have alternative controls to prevent unauthorized access or intrusion to your systems?
- Do you have and enforce policies concerning the encryption of internal and external communications?
- How is the use of portable computers or portable media devices affected by these policies?
Consider Your Law Firm’s Operational Practices:
- How are passwords established, recorded, and updated?
- When an employee leaves do you terminate all computer access and user accounts, change pass codes and use authorizations?
- When you obtain a client or a third party vendor, do you verify security information and privacy controls and then monitor or audit them?
- When you terminate a client or a third party vendor, do you terminate its computer access and user accounts, as well as email authorization?
- What format do you utilize for backing up and storing computer system data?
- Do you have the competency to evaluate your IT system or is a third party the appropriate entity to make that evaluation?
Cyber Security Liability Insurance
Cyber security liability insurance emerged at the end of the 1990’s to cover losses of revenue and data restoration costs from corporation cyber attacks. It was not until California passed the world’s first data breach notification law that demand for commercial coverage for law firms began. Insurers now provide cyber security liability insurance coverage to pay for expenses associated with notification to clients, credit monitoring for the affected clients, IT forensics, public relations fees, defense costs and civil fines from privacy regulation actions, and civil litigation. Some policies also extend coverage to address loss of income as a consequence of the network’s downtime and for property damage to the firm’s physical assets. Theft of the law firm’s own intellectual property, however, remains uninsurable as insurance companies have struggled to understand what is the intrinsic loss value if the system is compromised.
Despite an attorney’s best efforts to minimize exposure to data breaches of client information by evaluating its policies and procedures, realistically breaches will occur and law firms can experience significant financial losses associated with the breach. In today’s technological world, cyber security risks affect solo practitioners and law firms of all sizes. Attorneys are placed in an unenviable position of maintaining professional responsibility to their clients, while guarding against a variety of cyber security threats, aware that despite their efforts, no defense can provide perfect protection of their valuable client information. Only by having an effective strategy to analyze those risks, mitigate their impact on your law firm, and maximize protection against data breaches, can attorneys feel confident they are doing all that they can to reasonably protect against cyber security risks.
- This topic will be explored in greater detail at the 2016 Kentucky Bar Association Convention on Friday, May 13, 2016, in a panel discussion on “Cyber Liability Issues for Attorneys” at 9:00 a.m.
- Chad Pinson, managing director Stroz Friedberg, a New York-based cybersecurity firm reported in Bloomberg Newsweek on March 19, 2015.
- January 25, 2015, letter from Ziprick & Cramer Law Firm, Redlands, California.
- KRS 365.732(1)
- KRS 365.732 (5)
- See 15 U.S.C. Section 1681a.
- SCR 3.130 (1.6)