Professional Liability Concerns
In addition to compliance with the rules of professional conduct, there are also professional liability issues inasmuch as a disgruntled client could bring a claim that its confidential information was insufficiently safeguarded, or that it was not timely notified of the breach. In such cases, adverse publicity could be generated by the mere filing of a public complaint.
For example, in March 2020, a lawsuit was filed by Hiscox Insurance against law firm Warden Grier for breach of contract, breach of fiduciary duty, and malpractice. Hiscox accuses the law firm of failing to notify it of a major data breach in 2016, in the course of which client confidential information was penetrated by an intruder, posted on the dark web, and held for ransom, which the firm paid. Hiscox Ins. Co. Inc. & Hiscox Syndicates Ltd. v. Warden Grier, LLP (2020). According to the complaint, the law firm learned of the data breach in December 2016, but did not notify clients for over 16 months that their personal identifying information (PII) had been accessed by the “Dark Overlord” intruder and posted to the dark web. Julia Weng, Hiscox Hack Suit Advances as Warden Grier Loses Dismissal Bid, Data Breaches.net, July 25, 2020. In July 2020, a federal district court denied Warden Grier’s motion to dismiss Hiscox’s complaint, ruling that the complaint provides a cause of action for breach of contract and breach of implied contract, reasoning that the carrier’s litigation management guidelines constituted a binding contract that required the law firm to take specified precautions to protect the security of clients’ PII. Hiscox Ins. Co. Inc. & Hiscox Syndicates Ltd. v. Warden Grier, LLP, Case No. 4:20-cv-00237-NKL (W.D. Mo. Jul. 23, 2020). The law firm did not move to dismiss the negligence cause of action, which remains intact.
In 2016, a former client of Chicago law firm Johnson & Bell filed a class action alleging that the firm engaged in malpractice by its failure to maintain adequate standards of cybersecurity. The class action alleged that the firm, which portrays itself as an expert in advising clients about cybersecurity, was itself negligent in protecting its own clients’ data security by failing to properly encrypt an online attorney time-tracking system and by the use of a virtual private network. The purported class representatives alleged that they were damaged by the risk that their confidential information might be compromised at some point in the future. After denial of the law firm’s motion to dismiss, the court directed the parties to participate in confidential arbitration.
Regulatory Issues
In addition to professional liability concerns, law firms should be mindful of statutory obligations imposed on all businesses. For example, Massachusetts enacted a pioneering data-protection law in 2010 known as Standards for the Protection of Personal Information of Residents of the Commonwealth, which requires companies doing business in Massachusetts to encrypt personal data and to retain and store digital and physical records and implement network security controls to protect sensitive consumer information. The Massachusetts law broadly applies to: “Every person that owns or licenses personal information about a resident of the Commonwealth,” and requires such persons to develop “a comprehensive information security program that is written in one or more readily accessible parts.” It also contains safeguards to protect and encrypt confidential consumer information.
Lawyers who represent insurance companies in particular should take note of cybersecurity regulations promulgated in 2017 by the New York Department of Financial Services (DFS), which regulates the insurance industry. These new cybersecurity rules, which apply to all entities under DFS jurisdiction, including insurance companies, insurance agents, and banks, require encryption of all nonpublic information held or transmitted by the covered entity, and require each regulated company to appoint a chief information security officer, who must report directly to the board of directors and issue an annual report setting forth an assessment of the company’s cybersecurity compliance and any identifiable risks for potential breaches.
Of particular interest to law firms that represent financial institutions or are retained by insurance companies is section 500.11 of the new DFS regulations, which requires each covered entity to “implement written policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by third-parties doing business with the covered entity.” See . Thus, insurance companies that provide access to PII to third-party vendors must certify not only that their own information systems are adequate, but also that the information security systems of vendors, presumably including law firms with whom they do business, are also secure and protected. In other words, law firms who do business with regulated financial service companies are expected to comply with the cybersecurity standards of their represented clients.
Conclusion
As explained above, the rules of professional conduct require a fact-based inquiry and disclosure to those clients whose material data is known or reasonably suspected to have been accessed by an intruder. A law firm’s duty to notify clients about a data breach depends on the severity of the breach, the level of knowledge the lawyer has about the breach, and the materiality of the improperly accessed data. The consensus of the organized bar, as exemplified in the ethics opinions discussed above, recommends client notification of a data breach affecting clients’ confidential data that are material and reasonably suspected to have been accessed, disclosed, or lost.
The materiality of the data and their importance to the client are fact-specific. For example, if the intruder accessed the first draft of a brief filed 18 months ago in a closed case, ABA Ethics Opinion 483 probably would not require notice. On the other hand, a nonpublic client’s private financial statement, current merger plans, misconduct by the client’s CFO, or a nonpublic sexual harassment complaint would probably be the sort of information that a corporate client would reasonably consider material and expect to be notified about in the event of a breach. However, lawyers should ensure that they comply with clients’ litigation management guidelines, which may require notifications in situations broader than those required in bar association ethics opinions.
Law firms should proactively prepare for a future cyber intrusion and mitigate their risk by preparing a breach notification plan. In the event of a breach, law firms can avoid or mitigate professional malpractice claims by notifying their cyber insurance carriers, undertaking a prompt and thorough investigation, and employing third-party breach mitigation experts. Prompt and diligent disclosure to clients of the breach may also help mitigate the risk and severity of litigation.
Jennifer Goldsmith is vice president, professional liability claims, at Ironshore Insurance, an attorney at law, and a graduate of The George Washington University Law School. David Standish is a graduate of New York Law School, at attorney admitted in New York, and an assistant vice president and cyber/tech claims manager at Ironshore Insurance. Barry Temkin is a partner at Mound Cotton Wollan & Greengrass in New York, an adjunct professor at Fordham University School of Law, and immediate past chair of the New York County Lawyers’ Association Committee on Professional Ethics. The views expressed in this article are the authors’ alone and do not reflect the views of Ironshore Insurance, Fordham University, or the New York County Lawyers’ Association.