By Susan Kuchinskas. She covers business and the business of technology for publications that include Scientific American, Portada, and Telematics Update.
Attorneys may know that ethics rules require them to maintain the confidences of their clients “at every peril” to themselves. But with most communication now in digital form, it can be hard to feel sure what constitutes adequate cybersecurity.
“As an industry, we’re just as vulnerable as the other companies and institutions that have been in the news recently. We just haven’t had a breach that’s been as public, but that doesn’t mean we can’t ultimately end up in the same situation,” says Judith Flournoy, chair of the security working group of the International Legal Technology Association (ILTA) and CIO for Kelley Drye & Warren. (She splits her time between Los Angeles and New York.)
The American Bar Association’s cybersecurity resolution adopted last August notes there’s a busy black market for sensitive data, including personal health and financial records, confidential and proprietary business data, intellectual property and trade secrets, research, privileged legal documents, and classified information.
An Expanding Front
The ABA admonishes: “All organizations, regardless of size, should consider themselves at risk” of data theft.
Cybersecurity now goes well beyond questions of firewalls and updated software, encompassing policy, procedures, education, incident-response plans, and responses to audits, says Flournoy. The ILTA encourages firms to align with the information security standard known as ISO 27001, which, she says, “gives the firm and its business partners a solid understanding of what it has in place for security mitigation and controls.”
Security audits are a fact of life for many large firms, now that clients commonly request annual or even quarterly reviews of their outside counsel’s technology and practices. In some cases, a breach can create serious secondary problems, as in an exposure of medical data that violates the federal Health Insurance Portability and Accountability Act of 1996. (See “HIPAA Liability,” MCLE, in the May 2010 California Lawyer.) Though some firms initially saw audits as costly, time-consuming, and adversarial, in general that thinking has changed. Now, law firms see security audits as a mutually beneficial partnership between client and firm. “You can’t do it on your own, because the issues and threats are so complex,” says Flournoy.
Law firms should, in turn, vet the security of their vendors as well, especially those providing cloud-based services, according to Sam Swenson, managing attorney of the Swenson Law Firm in Orangevale. “Ask your vendors to provide proof of cybersecurity and any measures that will be used to safeguard your business’s sensitive information,” he advises.
Not that security is always under the vendor’s control: Swenson notes that cloud software providers often host their clients’ data on servers owned and managed by a third party, such as Amazon.
(In addition to the security challenges it entails, third-party storage can be troubling in the context of litigation because a litigant could directly subpoena the third party. “Normally … I would have the opportunity to put forth all the appropriate objections and identify confidential information. But with a third party, I don’t get the opportunity to take the first look,” Swenson says.)
Choosing appropriate means of backing up information is another important piece of the security effort. Many firms back up data and archive it on magnetic tapes but don’t manage the tapes properly, says Justin Moore, CEO of Axcient, a Mountain View-based provider of cloud-based data backup and recovery services. For example, they may ship them to storage via unsecured trucks, and anyone who gains physical access to tapes could crack encryption, Moore says.
Hardware and software failures and human error are the major causes of data loss or outages, according to the Disaster Recovery Preparedness Council. Information security has come a long way from concerns about floods and fire, but traditional insurance policies for business interruption may not cover tangible losses caused by technical failures or human error, says Glen Olson, a partner with Long & Levit in San Francisco and co-chair of the State Bar’s committee on professional liability insurance.
“Products are changing fast in the insurance world; I buy the insurance for our firm, and I have a hard time staying ahead,” Olson says. “Whenever I make the decision, I look at what a full suite of cybersecurity and first-party policies would cover.”
Olson advises law firms to go over hypothetical situations with their insurance brokers to guard against gaps in coverage: What if an attorney has client files on a laptop that gets stolen from her car? Will a regular errors-and-omissions policy cover it? “My view is, it probably does,” says Olson. “But the insurer might say, ‘That’s not the rendering of professional services; that’s an auto theft loss.’ ”
The professional liability insurance that the State Bar sponsors includes an endorsement to cover a small amount of damages for a data breach and to help insured lawyers comply with California’s notification regulations, says Richard O’Regan, who runs the program. O’Regan, also a principal in Mercer Health & Benefits Insurance Services in San Francisco, characterizes the bar’s data-breach coverage as a stopgap measure appropriate for smaller firms and sole practitioners.
“Bigger law firms are definitely looking at stand-alone cyber-liability policies that would provide coverage in the event of a data breach,” he says.
The extent of professional liability from data loss or security breaches remains somewhat hypothetical. But maybe not for long. “We live in a very different world than we’ve ever lived in,” says Flournoy. “The financial gains that a malicious actor can get by breaching a company are potentially tremendous.”