March 23, 2015 Articles

Managing Cybersecurity Risk for Experts and Consultants

Data breaches can be costly, but most are preventable with modest cybersecurity efforts.

By Matthew F. Prewitt

By the nature of their work, expert witnesses and litigation consultants regularly accept custody of data that must be protected from unauthorized disclosure. Documents submitted to the expert for analysis may include private personal information, trade secrets, or confidential business information of the client, an opposing party, or nonparty consumers or employees. The expert may also receive extensive attorney work product and privileged communications, and the expert's own work product may be confidential. In any single case of even modest complexity, an expert witness may be bound by multiple confidentiality obligations arising from numerous distinct sources—the data privacy laws of multiple states, federal statutes and regulations, a protective order issued by the court hearing the case, a joint defense agreement among codefendants, the common law of privilege, and a confidentiality agreement in the expert's retention agreement with the client. In the context of work that is inherently adversarial—after all, the expert is being retained for litigation—and that often includes frequent exchanges of information among multiple participants in separate organizations, expert witnesses face substantial risk of a cyberbreach dispute. Even if the expert witness is ultimately proven not to be at fault, the expert's firm may still face a burdensome process to investigate and respond to the breach and demonstrate the firm's compliance.

The term "cybersecurity" conjures images of cutting-edge technology deployed in an arms race against highly sophisticated hackers. This perception sometimes prompts firms to despair of ever implementing adequate cybersecurity. The reality, however, is that most breaches happen because of basic human error and failure to comply with relatively simple, low-cost solutions. Hardening a secure corporate network to withstand penetration by a foreign intelligence service is not a realistic goal for most firms, but thankfully, most breaches can be prevented with much more modest efforts.

The starting point for effective cybersecurity is the human element and building a firm culture that values and promotes data security. The firm must communicate forcefully and repeatedly to its professionals and employees a three-part message:

  • First, that cybersecurity is mission-critical risk management for protecting the reputation and profitability of the firm.

  • Second, that the firm is providing simple, accessible security solutions that actually meet the experts' needs.

  • Third, that maintaining effective cybersecurity requires all the firm's professionals and staff to comply with these measures.

For many firms, the most important part of this message is persuading professionals and their staff that cybersecurity can be relatively painless. Some may scoff at the notion that cybersecurity can be simple and inexpensive, but for many litigation consulting firms, this is an increasingly realistic goal. As more businesses outsource essential functions to the cloud and demand secure, cloud-based corporate solutions, there are increasing opportunities for small and midsized firms to outsource data security to reliable vendors. Although the cloud was once treated as synonymous with low security, there is a big difference between using minimally secure consumer applications for sharing photos and music and using professional-grade solutions designed for sophisticated businesses. Cloud-based business solutions offer security resources that would be almost impossible for small and midsized litigation services firms to replicate cost effectively on an in-house basis. This is especially true for expert witnesses who require tools for mobile connectivity, remote access, and collaboration with professionals in other firms. Although it may seem counterintuitive to entrust these services to external vendors, outsourcing may provide both more secure and less expensive solutions.

Of course, some of the most important safeguards remain the simplest and easiest to implement. Precautions as basic as installing encryption software on all firm laptops and prohibiting use of personal webmail and cloud storage accounts can prevent some of the most common data breaches.

Why then are routine security failures still so common? The answer in part is human psychology; people in general are very bad at conceptualizing and internalizing risk. Users overestimate their own competence and underestimate the risk of a breach. Consider something as simple as a seat belt and the massive public information campaign required over many years to bring about widespread use. Many experts are highly skilled computer users and autonomous professionals who may chafe at being told how they must manage their work. They may simply ignore security measures for which a minor but immediate inconvenience seems to outweigh the remote, though catastrophic, risk of a data breach. Instilling a culture of data security compliance in a firm of highly educated professionals can be a daunting task and will be achieved only through consistent enforcement and persistent messaging.

This consistency and persistence require a data security champion who is part of the firm's senior leadership and who is charged with continuous oversight of the firm's compliance. Litigation consulting firms experience the same changes as any other business. There are technology upgrades, new hires, expansion into new markets and sectors, and mergers with acquired practice teams and firms. Someone with broad visibility on the growth and evolution of the business must be mindful of how these changes impact the firm's data security needs and have sufficient voice within the firm to insist that data security be addressed.

For a litigation consulting firm, one of the best ways to ensure continuous attention to cybersecurity is to include data security as part of the intake process for new engagements. A discussion with the client about data security should be one of the first steps for a new engagement and should be memorialized in the project file:

  • What is the general nature of the data the client expects the expert to receive over the course of the engagement?

  • What are the client's needs and expectations for data security?

  • Will the client provide the IT resources for secure data sharing and collaboration, such as a secure virtual case room?

  • Which member of the litigation team is primarily responsible for overseeing compliance with the case protective order and other privacy and confidentiality restrictions?

Both the expert witness and trial counsel benefit from an early conversation that focuses attention on data security and clearly defines needs, roles, and expectations. When a law firm is unprepared or resistant to addressing these issues, that should be a red flag to the litigation consulting firm that it is accepting a potentially high-risk engagement. Increased vigilance is in order.

The other critical part of the intake process is addressing the scope of the consulting firm's indemnification by the client and contractual limitations of liability. A typical engagement agreement incorporates an indemnification clause that was drafted long before data breach investigation and response costs were a significant issue. A suspected data breach can impose significant costs even if the expert witness receives no subpoena or any sort of formal demand or claim. In addition, when one party is responsible for providing shared IT resources, such as a secure virtual case room or a hosted litigation database, a "standard" indemnification and limitation of liability clause may not adequately allocate risk of data disclosure or destruction or system failure.

Finally, a litigation consulting firm should periodically evaluate the adequacy of its insurance coverage. As cyber breaches become an increasing concern, insurers are tightening up policy language to exclude most cyber breach–related claims from coverage under commercial general liability and professional liability insurance. Instead, cyber insurance must be underwritten and purchased as a separate rider or policy. The cyber insurance market is still very much in transition because there is not yet any single standardized industry form, making it difficult to compare policies and leaving insureds uncertain what claims are actually covered.

Cyber insurance also falls short as protection from bet-the-company liabilities. Although cyber insurance can cushion the financial burden of investigating and responding to a breach or dealing with a temporary business disruption, the largest potential liabilities are still uninsurable. A cyber breach that destroys the economic value of a client's trade secrets or that results in a massive loss of project-critical work product may present a potential financial loss that is too large and too uncertain to be underwritten by any insurer in the current market. For such risks, contractual limitations on liability and indemnification, along with strong internal controls, remain the best protections for a litigation consulting firm.

Keywords: litigation, expert witnesses, confidential information, data breach, cybersecurity, indemnification, cyber insurance

Matthew F. Prewitt is with Schiff Hardin LLP in Chicago, Illinois. 

Copyright © 2015, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).