December 20, 2017 Articles

Privacy and Technology Best Practices and Reputational Harm

Why lawyers should be concerned and what they can do to protect themselves

by Richard J. Bortnick

Many law firms and lawyers fail to focus on the fact that they hold clients’ personal, financial and personal health information, among other sensitive data. Oftentimes, firms also maintain clients’ confidential business information. Yet some do little, if anything, to ensure that such details are protected from theft by cyber criminals and/or rogue employees, or even from simple staff negligence. It is not that they ignore the associated risks and exposures. Rather, it is simply a function of the fact that they typically are too busy to think about it. But they should. Whether it comes down to questions of blissful ignorance, penny-wise pound-foolishness, neglect or hypocrisy, many attorneys are not taking the steps necessary to protect themselves—or their clients.

Small- and medium-size firms are not insulated from experiencing the theft or loss of clients’ confidential information; they are as much, if not more, at risk than larger firms that hold a greater volume of clients’ (and their own) sensitive information. Indeed, cyber thieves know that small and medium firms are far easier targets than larger firms that use the latest state-of-the-art security processes and procedures. In other words, small and medium firms are low-hanging fruit. According to Chairman Steve Chabot of the House of Representatives Small Business Committee, 71 percent of cyber-attacks occur at businesses with fewer than 100 employees.

An October 2017 study from VIPRE Security adds a fine point to the problem. VIPRE reported that 66 percent of small- to medium-size businesses indicated that they would either go out of business completely, or be forced to shut down for at least a day following a cyber breach.

In turn, the Ponemon Institute found that most small businesses have had to pay an average of $690,000 to mitigate the damage caused by a cyber attack. The figure increases to over $1 million for mid-market companies.

Regrettably, many small- to medium-sized law firms do not have (and many cannot afford) sophisticated and/or updated security procedures and policies, have not adequately trained their employees on data security, do not maintain dedicated information technology specialists, and/or may outsource information security to unqualified contractors or systems administrators. It’s a question of asset deployment. And where assets are limited, so too are the security protections and procedures in place.

Still, attorneys must always be mindful that they have a basic ethical obligation to protect clients’ confidential information. As technology has evolved, so too the Rules of Professional Conduct have been updated, obligating attorneys to keep up.

For example, the ABA’s Model Rules, Rule 1.6 in particular, impose a duty on lawyers to use reasonable efforts to prevent unauthorized access to client data and have incorporated provisions and added comments that address the advances of technology. The ABA has also published a Cybersecurity Handbook to help lawyers and law firms improve their information security programs.

Yet, many law firms still do not give cybersecurity its due. In this rapidly changing interconnected world, their failures to do so are a significant, perhaps practice-threatening, mistake.

At a minimum, law firms should consider adopting the following basic practices and procedures to protect their clients’ confidential information, not to mention the vitality of their practices:

(1) Allocate a portion of your firm’s budget to IT and data security. In doing so, you should take into account the firm’s financial, human, and technical resources so that they can be deployed wisely.

(2) Appoint a knowledgeable firm attorney and/or retain outside counsel to assist your firm in developing cyber incident avoidance, loss mitigation and breach response plans, provide updates on legal developments, and report on significant and specific threats, risks and loss events affecting the legal sector.

(4) Retain and work with a computer forensic consultant to evaluate and, if necessary, assist your firm in ensuring that its technology-based security solutions are reasonable and appropriate to the nature and scope of its practice.

(5) Work with your firm’s advisors and human resources personnel to develop written cybersecurity policies and procedures, then train your attorneys and staff in their use and application. Law firms in particular have been the targets of phishing, ransomware, and email fraud.

(6) Perform periodic analyses of your firm’s security plans, procedures and systems to ensure that they are current and appropriate for your firm’s business and business sector.

(7) Periodically audit your firm’s administrative, technical and physical infrastructure, among other assets, to reaffirm that they are properly protected.

(8) Implement a protocol that requires senior management to receive and meaningfully review periodic reports on your firm’s current information and technical plans and procedures, security issues, and related matters.

(9) Work with counsel to develop templates and information security tools for use with vendors and third-party business partners, among others. Such documents could include non-disclosure agreements, business associate agreements under HIPAA, indemnity and insurance agreements, and other legal instruments intended to mitigate or avoid economic loss. These documents should be disseminated to all personnel with contracting authority, who also should receive training.

(10) Treat your firm’s clients’ and your own confidential personal and commercial information, “big data,” and other critical proprietary data with the same level of care and attention your firm devotes to the preservation and growth of other core assets.

These recommendations are simply the first steps toward properly securing your firm’s clients’, employees’ and its own sensitive information. Still, they will go a long way toward protecting your firm from lawsuits and maintaining its reputation as one that clients can trust to safeguard their most critical resources.

Richard J. Bortnick is with Traub Lieberman Straus & Shrewsberry LLP, New Jersey.

Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).