The Risk Manager, Summer 2013

Background

The scope of hacking of computer systems and Internet devices such as smartphones is increasing exponentially worldwide. The legal profession is no exception to this development and, unfortunately, carries an even heavier burden for computer system security than the typical business. This is true because of a lawyer’s fiduciary duty of preserving client confidentiality and the sensitive nature of the information in electronic client files vulnerable to being hacked. Hacked financial information concerning business deals, settlements, or divorce negotiations is just one example of how compromised client files can harm clients and expose a firm to a large liability claim.

According to the National Conference of State Legislatures, 46 states have enacted laws to protect the general public from this kind of injury by requiring those who maintain personal information of others to secure it and, upon being hacked, to notify all persons whose personal information is compromised. To date, Kentucky has not passed such a law, but the Kentucky Legislature by resolution in its 2013 session recognized that "Kentucky is one of only four states without a security breach law requiring notification to consumers by government and private data custodians of security breaches involving personal information." The resolution directed the Interim Joint Committee on State Government of the Legislative Research Commission to study issues related to cyber security and provide a report by November 27, 2013.

Since in Kentucky the Supreme Court issues the rules governing the practice of law, it may be that any Kentucky security breach law passed by the Legislature will not be applicable to Kentucky lawyers. This point, however, does not overcome a lawyer’s existing professional responsibility to protect client confidentiality and the duty to reasonably inform a client of the status of a matter and of errors in its handling. For this reason, it is recommended that lawyers risk manage computer security breaches as if any new law will apply as well as existing professional responsibility duties.

Other State Laws

There is considerable uniformity among the state laws on security breaches, suggesting that any Kentucky law will be similar. The following extracts from West Virginia’s law (W.V. Code §§ 46A-2A-101 et seq.) provide a good overview of what you may see in a Kentucky law:

  • "Breach of the security of a system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state.
  • "Entity" includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies or instrumentalities, or any other legal entity, whether for profit or not for profit.
  • "Personal information" means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted:
    1. Social security number;
    2. Driver’s license number or state identification card number issued in lieu of a driver’s license; or
    3. Financial account number, or credit card, or debit card number in combination with any required security code, access code or password that would permit access to a resident’s financial accounts.

      The term does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully
  • Notice of breach of security of computerized personal information.
    1. An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. (emphasis added)
    2. The notice shall include:
      a. To the extent possible, a description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including social security numbers, driver’s licenses or state identification numbers and financial data;
      b. A telephone number or website address that the individual may use to contact the entity or the agent of the entity ....

Computer Security Breach Risk Management

There are a number of good sources for developing a security breach risk management plan on the Internet. We recommend the following sites to begin research for determination of what is best for your practice:

  • For a short review of the issues and general risk management guidance, read the article "Law Firms’ Obligations When Personal Information in Their Control Is Hacked — Data Breach Legislation" in the September 5, 2012 issue of Hinshaw & Culbertson’s The Lawyers Lawyer Newsletter at http://www.hinshawlaw.com/. (Click on Publications, Newsletters, and View All Newsletters.) (last viewed on 6/18/13)
  • For a comprehensive treatment of risk managing security breaches, read "Managing the Security and Privacy of the Electronic Data in a Law Office," a publication of Lawyers’ Professional Indemnity Company at http://www.lawpro.ca/. (Search for the article with the words "security breach".) (last viewed on 6/18/13). The section headings for this article are:

    1. Install latest updates to eliminate security vulnerabilities
    2. Make full and proper use of passwords
    3. Antivirus software is essential
    4. Avoid spyware and adware
    5. Install a firewall on your Internet connection
    6. Be aware of and avoid the dangers of e-mail
    7. Beware the dangers of metadata
    8. Lockdown and protect your data, wherever it is
    9. Harden your wireless connections
    10. Learn how to safely surf the Web
    11. Change key default settings
    12. Implement a technology use policy
    13. A backup can save your practice

Unresolved Issues

Opposing Parties and Third Parties: Fiduciary duties applicable to clients do not apply to opposing parties and third parties. Thus, it is an open question what responsibility Kentucky lawyers may have to notify them of a security breach. Kentucky Rule of Professional Conduct 4.4, Respect for the Rights of Others, can be read broadly to require notification of third parties, but that is arguable. Also consider that notification may not be in your client’s best interest even though future law or rules could require you to do so. Should you face this ethical issue, call the KBA Ethics Hotline for guidance.

Out-of-State Clients, Opposing Parties, and Third Parties: Note that the West Virginia law protects residents of West Virginia. If you maintain electronic files of persons in West Virginia, you may have a legal requirement to notify them of a security breach regardless of Kentucky law or rules. The point is that if you currently maintain files of persons in states outside of Kentucky, you need to know now what the law in those states requires in the event of a security breach.