On Thursday, January 15th the Allegheny County Bar Association hosted a seminar to discuss data security and privacy risks for law firms presented by Lisa K. Jaffee of CNA Insurance and Alicia Slade of Plummer Slade, Inc.
Jaffee opened with an overview of cyber threats, where they stem from and the potential consequences of such breaches, and explained the sources of firms' obligations to protect client data. Slade followed up with information security best practices, citing both her personal and professional experience with data security.
Most people are familiar with the large-scale breach incidents that targeted large retail chains and their customers, but these large retail companies are not the only targets or victims of these cybercrimes. It is estimated that eighty percent of the top 100 law firms in the country had been breached in 2011. Law firms deal with sensitive and valuable client data, and “cybercriminals are targeting law firms because law firms have a wealth of information about companies such as intellectual property, trade secrets, information on mergers and acquisitions and other deals that are very valuable to them,” said Jaffee. “They would like to get the information from the corporations themselves but are finding security is much higher for those corporations than law firms.”
Much of the time, firms are not eager to publicize the fact that they have had a major security breach, either because they do not know or because they fear their reputation may be damaged by the incident. With the cybersecurity landscape ever changing, it may no longer be up to the business or firm whether or not a breach is made known to the public, or at the very least, to the affected parties. There are currently 47 states, including Pennsylvania (Title 73 §§2301-2329), that have passed legislation requiring private and public entities to notify individuals of data breaches involving personal identifying information.
Not only do lawyers need to be familiar with the cyber security laws of the state in which they practice, but also those of the states in which their clients reside. In addition to each state’s data breach notification requirements, firms that deal with clients’ health information are subject to additional regulations such as the Health Information Portability and Accountability Act (HIPAA). According to Slade, “anyone who touches a medical record should be HIPAA compliant.” Many potential clients within industries that possess sensitive information are asking that firms prove their information is secure before they will consider being represented.
President Obama has recently announced a new cybersecurity legislative proposal that aims to simplify and regulate the existing laws passed by individual states under one federal statute. According to the White House press release, the proposal would require “private entities to comply with certain privacy restrictions such as removing unnecessary personal information and taking measures to protect any personal information that must be shared in order to qualify for liability protection.”
Some measures are as easy as finally giving up the password you have been using since you first logged into your undergraduate email account, while others may be more technical. Installing firewalls, encrypting email and hard drives, and staying on top of patches and updates are just a few ways to protect yourself and your clients. Slade states that “eventually we are going to start seeing these best practices become tighter and it’s going to become an obligation.” Taking steps to protect your data could be what stands between you and a malpractice case in the unfortunate event that your data is breached.
It is no longer enough to simply not reveal sensitive client information; firms must educate themselves about both the threats and the safeguards and take the appropriate actions to protect their clients’ data. In securing your information, you are protecting yourself and the reputation of your firm, and fulfilling your obligation to protect your clients. If you have any questions or would like assistance with implementing data security policies and safeguards at your firm, contact Plummer Slade at 412-261-5600.