From one lawyer to others: cyber, privacy and technology best practices

By Richard Bortnick on May 23, 2014
This is the first of a three-part series by Richard Bortnick, a senior counsel at Traub Lieberman Straus & Shrewsberry, who litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

Introduction

Lawyers, like other professionals, often have access to their clients’ personal and financial details.  At the same time, they may possess comparable information about their clients’ clients (such as when a lawyer represents a healthcare company).  As a result, lawyers are at risk for being sued if and when something happens to that information – such as when a laptop or cell phone is misplaced or stolen or a hacker breaches a law firm or client’s systems and accesses the client’s personally identifiable, health care, and/or confidential information.

The most prudent way to avoid such lawsuits and minimize their impact is to create and implement cyber, privacy and technology (“CPT”) best practices before something goes wrong.  In most cases, this would include best practices training and education as well as the purchase of dedicated CPT-specific insurance.  This article discusses why lawyers are at risk, how to create and implement best practices, and the advantages of CPT insurance coverage rather than (mistakenly) relying on professional errors and omissions and/or general liability coverage in the event of a CPT incident.

Executive Summary

An attorney’s reputation is his or her lifeblood.  Indeed, reputation translates to the bottom line, for better or worse.

And, of course, reputation is, in large part, predicated on the quality, timeliness and cost-effectiveness of the services being provided. So too, it is essential that an attorney avoid negative commentary (or embarrassing revelations) through the pervasive and ubiquitous medium of social media or otherwise.  As a corollary, attorneys, like others, must be sensitive to the loss of customer goodwill, whether measured by turnover, client retention or other intangible assets.

Regardless of whether your clients are the Fortune 500, middle-market companies or small entrepreneurs, an attorney’s clients – and by extension, the attorney himself or herself (to the extent the attorney holds personal, health or commercial information) – are at risk of losing personally identifiable information, personal health information and/or confidential commercial information. It doesn’t matter whether the harm is attributable to malicious activity or simple employee or third-party negligence. It’s the effect that is the focus, not necessarily the cause (although that too factors into the analysis).

In many cases, the effect of a cyber incident could be devastating, if not fatal, to an attorney’s reputation.  And, by extension, his or her practice’s economic viability.

It is almost axiomatic to say that “best practices” are among the most important strategies employed by attorneys and other professionals.  Just as we counsel clients to use best practices with respect to their operations, so too, we, as professionals, should be well-trained on the scope and extent of best practices in the subject matter presented, including, in particular, CPT risks and exposures, which, to no surprise, are palpable and potentially devastating.

In the CPT context, among others, best practices counseling should be provided by an attorney.  Unlike non-lawyers, attorneys bring with them the attorney-client privilege and work product protection.   Although vendors and IT specialists can promote themselves as having the appropriate knowledge and training to teach and implement best practices, they do not possess the critical protections afforded by the attorney-client relationship.  In a relatively new space like CPT, where the law is uncertain and developing, the privileges become even more important, as many attorneys are just at the start of the learning curve.

The Importance of Protecting an Attorney’s Reputation

Needless to say, an attorney’s reputation and goodwill can be as valuable as, if not more valuable than, his or her tangible assets.  When there is a material change in circumstances such as an asset sale, merger and/or acquisition, the seller’s goodwill (i.e., reputation) is valued.

Not surprisingly, the buyer and seller are not the only professionals involved in a transaction such as a merger.  Far from it.  Professionals value the seller’s tangible and intangible assets.  Other professionals provide objective, independent analyses of the transaction and valuations.  Still another cadre of professionals, including attorneys, negotiate and close the deals.  If there are technical assets, forensics professionals may be needed.  And if electronics are involved, cybersecurity is critical to all of the multiple professional constituencies who touch any aspect of the transaction.

In other words, to the extent something goes wrong, including with respect to a client’s privacy and technology infrastructures, any of the various professionals (or non-professionals) involved could be sued, even if their professional services were only tangentially related to security or technology.

Among other professional requirements, attorneys must attend law school and pass the state Bar exam in order to gain state licensure.  But the key to the front door doesn’t necessarily mean that the attorney is welcome into the Club for time immemorial.  To the contrary, virtually all states mandate that attorneys satisfy continuing legal education requirements in order to maintain their licenses (although there is no corresponding testing).  The real test comes when the attorney practices in his or her area of expertise for clients.  Achieve a favorable result and you pass.  Fail to, and you may or may not pass.

In the best of circumstances, bad things can happen.  They just can.  And almost inevitably, clients will want to blame (and sue) someone for “causing” the bad thing.  Even if the person being blamed had nothing to do with the cause or the outcome.  For that reason, among others, state regulators require attorneys to maintain errors and omissions (“E&O”) liability insurance.

But E&O insurance may not protect or indemnify an attorney for reputational damage or lost income.  The attorney could be financially responsible for such risks.  Hence, it is incumbent on attorneys to take all prudent steps to safeguard their professional reputations and livelihoods.  They own it, so they must protect it.

CPT Risks and Exposures

There is no “one size fits all” to CPT security.  Both the nature and the potential magnitude of a CPT event are unique to every profession, although the crisis management tools designed to avoid, mitigate and remediate a loss of personally identifiable information, personal health information and confidential commercial information are relatively standard.

Perhaps as or more important, the risks vary with who presents the threat – there are casual hackers, people carrying out vendettas, and major cybercrime groups; all have different goals, strategies and methods.  Indeed, some don’t have “goals” in the same sense as other criminals, and do not care what they do to systems they penetrate.

Former Defense Secretary Leon E. Panetta has warned that the U.S. is facing the possibility of a “Cyber-Pearl Harbor” and is increasingly vulnerable to non-U.S. hackers who could dismantle the nation’s financial networks, power grid, transportation systems, and government.  The term “cyber tsunami” also has been thrown around.

FBI Director Robert Mueller anticipates that in the near future, cyber threats could surpass terrorism as the FBI’s top priority.  “There are only two types of companies, those that have been hacked and those that will be.  Even that is merging into one category: those that have been hacked and those that will be hacked again.”

Why Attorneys and Other Professionals Should Be Concerned

Many, indeed more than many, attorneys fail to focus on the fact that they hold third parties’ personally identifiable information, personal health information and other sensitive data.  Attorneys also frequently maintain clients’ and others’ confidential commercial information.  It is not that they ignore the associated risks and exposures.  Rather, it is simply a function of the fact that they typically are too busy to think about it.  But they should.  Whether it comes down to questions of blissful ignorance, penny-wise, pound foolishness, neglect or hypocrisy, many attorneys are not taking the steps necessary to protect themselves – or their clients.[1]

Most states’ privacy breach laws mandate breach notification to affected persons if two pieces of personally identifiable information are compromised.  Such information can include name; address; telephone number; electronic mail address; fingerprints; photographs or computerized images; a password; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; date of birth; medical information; financial information; tax information; disability information; and zip codes.

It is common knowledge that personal health information is governed by The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security and Breach Notification Rules and The Health Information Technology for Economic and Clinical Health (‘HITECH’) Act, enacted as part of the American Recovery and Reinvestment Act of 2009.  Both laws apply to “covered entities”, i.e., healthcare clearinghouses, health plans, and healthcare providers that conduct certain functions in electronic form.  What is less well known is that under newly enacted legislation, HIPAA and HITECH also apply to “business associates” that provide services involving the use or disclosure of personal health information held on behalf of a covered entity.  Such entities typically create, receive, maintain or transmit personal health information on behalf of a business associate.  Examples include companies that provide data transmission services or store documents and data as well as personal health record vendors and financial institutions lending to the health care industry.  And attorneys.

Since its enactment in 1996, HIPAA has been enforced by the Department of Health and Human Services’ Office of Civil Rights.  Between 1996 and December 31, 2012, the Office of Civil Rights investigated and resolved more than 18,122 cases.  In the vast majority, the Office of Civil Rights has required healthcare providers to make changes to their HIPAA compliance practices.

In 2009, HITECH was enacted to promote the adoption and meaningful use of health information technology.  Among other things, HITECH amended HIPAA by adding a breach notification rule that increases the penalties for HIPAA violations.  It also provided state Attorneys General with enforcement authority.

As a result, Attorneys General are empowered to bring civil actions on behalf of state residents for violations of HIPAA.  Under HITECH, they also are authorized to obtain damages on behalf of state residents and/or enjoin further HIPAA violations. And some state Attorneys General have done so.

In January 2012, Minnesota’s Attorney General filed a federal court lawsuit against a consulting firm that had been retained by two hospitals to evaluate the relationship between a patient’s physical condition and the likelihood that the person would be hospitalized.  An employee of the business associate left an unencrypted laptop containing personal health information in a rental car.  The laptop was stolen along with patient data records on 23,500 patients.

Seven months after suit was filed, the parties settled with the consultancy agreeing to pay $2.5 million to compensate patients affected by the breach.  The consultancy also agreed to a ban barring it from operating in Minnesota for at least two years (with its ability to resume operations dependent on the Attorney General’s consent).  The business associate also was required to return to the client hospitals all data about their Minnesota patients.

Now, consider the impact of the business associate extension on attorneys.  It’s easy to see how it could apply.  Indeed, attorneys likely would fall within HITECH’s definition of business associate to the extent they “[p]rovide[], other than in the capacity of a member of the workforce of such covered entity, legal … services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.”

In other words, if an attorney obtains personal health information in order to provide professional services such as prosecuting or defending a malpractice claim or other types of healthcare representation, Business Associate status attaches, regardless of whether the law firm has signed a business associate agreement.

Commentary to the HITECH final rule adds a fine point, stating that “a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate.” (emphasis supplied).

In turn, if an attorney has entered into a business associate agreement with a health care client, the attorney is – or should be – well aware of the limitations placed on business associates relative to the use or disclosure of personal health information.  And, under HITECH, lawyers (and other professionals) will need to have in place appropriate security policies and procedures.  In other words, best practices.

Small to Medium-Sized Companies and Professional Firms Are Particularly Susceptible to CPT Threats

Lest you conclude that the above concerns don’t apply to you and are unfounded rhetoric designed to lead an attorney to create and deploy unneeded cyber security strategies (including by retaining an expert to counsel on best practices), think again.  Small- and medium-sized companies and professional entities are as much, if not more, at risk as Fortune 500 companies.   According to Jake Kouns of Risk Based Security, “[l]arge data breaches typically get a great deal of media attention and it leads many people to believe that all breaches are substantial in size.  While nine incidents so far in the first half of 2013 have exposed more than one million records, 91.9% of data breaches have exposed less than 10,000 records.”

Think of it this way.  If you were planning to rob a bank, would you rob one in the middle of a big city that likely has implemented best practices for both physical and cyber security?  Or would you choose a small local branch in a remote suburb or exurb?  The likelihood of a clean getaway is far greater there than in the urban environment.

What if you could accomplish the same successful result tens or hundreds of times over without leaving your desk?  You could pick small targets and get in and out of their computer systems before anyone realizes what has occurred.  Small pickings are only small until they are multiplied through methods the cyber age makes easy for suitably motivated attackers.

To the point, absent a political or social agenda, most cyber intruders choose not to waste their time trying to penetrate a sophisticated, state of the art security system.  It’s far easier to compromise a small or mid-size company that has little to no cybersecurity protection beyond, at most, an off-the-shelf software program.

Regrettably, small and mid-size companies typically do not have (and many cannot afford) sophisticated and/or updated security procedures and policies, have not adequately trained their employees on data security, do not maintain dedicated information technology specialists, and may outsource security to unqualified contractors or systems administrators.  It’s a question of asset deployment.  And where assets are limited, so too are the security protections and procedures in place.

A 2012 study conducted by Symantec found that 31 percent of cyber attacks were aimed at businesses with 250 employees or fewer, compared to 18 percent in 2011.  Symantec further reported that 40% of nearly 1.4 billion known global cyber attacks in the first quarter of 2012 were targeted at companies with 500 or fewer employees.  In turn, the Ponemon Institute reported that over 50 percent of small to medium-sized enterprises (SMEs) experienced a data breach in 2012.

This dynamic is not unique to the United States.  The U.K. government’s Department for Business, Innovation and Skills’ 2013 Information Security Breaches Survey reveals that 87 percent of small businesses across all sectors of the U.K. economy experienced a breach in 2012.  This is an increase of 10 percent over 2011 and has cost small businesses up to six percent of their turnover.

In short, no company, regardless of its size, is safe.  This view is borne out by a recent study cited by the U.S. House Small Business Subcommittee on Health and Technology.  The subject report found that nearly 20% of all cyber attacks hit small businesses with 250 or fewer employees. Even more troublesome, roughly 60% of small businesses closed within six months of a cyber attack.  Whether the cessation flows from reputational damage and/or the business’s inability to afford the high cost of loss mitigation, the result is real and palpable.

Law Firms Are A Preferred Target of Cyber Criminals

To the extent an attorney still discounts the likelihood that his or her firm might suffer a CPT event, the statistics reveal otherwise.  Indeed, there are a growing number of reports of CPT breaches at law firms and other professional organizations.  Even the FBI cautions attorneys on the threatened risks and exposures, having pointedly advised that hackers view them as a backdoor to their commercial clients’ confidential information.

Mandiant estimates that 80 major U.S. law firms were hacked in 2011.  Perhaps the most well-known law firm breach occurred in 2010, when China-based hackers, looking to scuttle a $40 billion corporate takeover of the world’s largest potash producer by an Australian mining company, infiltrated the secure computer networks of at least seven Toronto-based law firms connected to the deal.  Canada’s Finance Ministry and its Treasury Board also were hacked.  The acquisition ultimately fell through, albeit reportedly for unrelated reasons.

Privacy-related litigation can take many forms, whether or not a breach has occurred.  For example, in May 2014, a Pennsylvania collections attorney was sued in a putative class action lawsuit alleging that he and his client had included in a public court filing the named plaintiff’s full Social Security number rather than just the last four numbers. The complaint alleges violation of the common law tort of invasion of privacy.

Even absent litigation, the financial and reputational costs of a privacy incident can be incalculable.  In March 2014, a significant international law firm notified the Maryland Insurance Attorney General’s office that hundreds of employees’ W-2 and other information had been stolen when a vendor’s database was compromised, allowing the hackers access to the law firm’s servers.  As a remedial measure, the firm provided free credit monitoring to all affected persons, numbering in the hundreds.

Entities holding client trust funds in particular appear to be a favored target of cyber fraudsters.  For example, two Canadian law firms were victimized in December 2012 when their trust accounts were accessed by malfeasants.  In the first case, $90,000 was stolen from an attorney who succumbed to the widely-known bad check collection scam, in which the attorney sent a firm check to a purported client posing as a foreign national seeking assistance in collecting on a fraudulent debt.  Needless to say, there was no E&O coverage for the resulting loss.

The second case is more troublesome.  There, an Ontario firm suffered a six-figure loss from its trust account when its system was infected by a Trojan Horse virus which tracked a computer user’s keystrokes.  Through this mechanism, the fraudsters were able to gain access to confidential passwords when the firm’s bookkeeper logged onto its trust account.  Trust funds were then serially wire transferred to an overseas account and never recovered.

Law firm decision-makers should be particularly mindful of the fate that befell a California escrow service that had been breached by cyber criminals who stole roughly $1.5 million from over 100 of the firm’s escrow accounts.  Like the Canadian law firm, the escrow service had been the subject of rogue Trojan Horse malware.  The stolen capital was then wired to Russia and China.

The unauthorized accesses began in December 2012 and continued into January 2013.  They were reported to regulators in February 2013.  An investigation ensued, pursuant to which the company was ordered to replace the stolen funds within three days from the date of the order.

The escrow firm was unable to meet its financial obligations.  As a result, the California Department of Corporations filed a Petition in state court and subsequently appointed a Receiver.  In the end, the company was forced to shut down and lay off its entire staff.

Then there is the risk (and almost daily real-life occurrence) of improper document disposal.  There have been a number of instances where attorneys were found to have disposed of unshredded client records in dumpsters.

In another case, a Texas law firm’s laptops were found in a pawnshop, notwithstanding the firm’s policy of donating only those computers that have been professionally scrubbed of client information.  In yet another, an employee stole 200 laptops from a Palo Alto law firm.  And we all have heard the myriad stories, or had first-hand experience, involving the negligent loss of laptops, cellphones, smartphones, etc.

It bears repeating that bad things happen.  Sometimes by accident, sometimes by negligence, and sometimes as the result of malicious conduct.  But they happen.

From one lawyer to others: cyber, privacy and technology best practices (Part II)

From one lawyer to others: cyber, privacy and technology best practices (Part III)

Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and a contributing author for the Cyber Risk Network. He was previously a shareholder in the law firm Christie, Parabue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.