Our reliance on technology to improve our daily lives and our profession comes at a price. With all the information and data that we store and send virtually, we are more than ever susceptible to infiltrations and breaches. In this new millennium, we’ve experienced personal data breaches from several large companies including, Equifax, Facebook, Marriott, and Twitter.[i] Unfortunately, the legal profession has not been immune. As hackers realize the vast amount of personal and corporate information housed by law firms, they have become a lucrative target for data theft or piracy.[ii] Adding to the dilemma is the legal profession’s slow-paced acceptance and adaptation to technology and cyber security. Most recently, high-profile law firms have reported data breaches or had their data held for ransom in 2020. [iii] This is only a fraction of what is to come.
Regulations are nothing new to the legal profession. However, complying with technology related regulations has not been the legal profession’s strong suit. Although legal professionals understand that data protections must be enacted as a course of business, they may not be fully aware of all the applicable federally mandated cyber security measures. Take for example the following federal regulations that apply to law firms:
- Health Insurance Portability and Availability (HIPAA) rule considers law firms “business associates” because they engage with personal health information (PHI) as part of personal injury claims
- Gramm-Leach-Bliley Act (GLBA) incorporates law firms, albeit indirectly, as business partners to the extent that they maintain a client’s financial information
- Payment Card Industry Data Security Standard (PCI DSS) applies to law firms since they accept, store, and transmit cardholder data (CD), defined as personally identifiable information (PII) such as primary account number (PAN) in conjunction with any of the following: cardholder name, expiration date, or service code
- Federal Reserve System considers law firms a service provider since they manage financial information for clients and connect to banks
- Federal Deposit Insurance Corporation (FDIC) also considers law firms as service providers for maintaining and distributing funds[iv]
Similarly, the American Bar Association (ABA), state bar associations, and national paralegal associations have established ethical guidelines regarding cyber security and technological proficiency. For example, ABA Formal Opinion 483[v] describes obligations in the event of a data breach or cyber-attack. Whereas ABA Formal Opinion 477R[vi] and the National Federation of Paralegal Associations (NFPA) Informal Opinion 96-1[vii] both focus on securing confidential client e-communication. One thing that is clear, is that Attorneys and Paralegals both have a duty and responsible to ensure client data is secure and protected. Are you thinking, what can I do? I don’t own the firm, I’m not IT, etc.
Now, just because we don’t control or implement most, if not any, of the cybersecurity polices at a law firm or in-house legal department, doesn’t mean we don’t play a significant role in securing client data. In fact, many of the breaches at the law firms mentioned above happened when front-line employees made mistakes that jeopardized the firm’s data. As to whether it was negligence, a mistake, or lack of training is not important to us now. What is important, is that we learn from those events and ensure that we are educated in the nuances of this challenging new world of e-security. Although we can’t control every aspect, we can learn some basics so that we can minimize human error.