Law Office Management
Jan. 2, 2015
Get Ready for a Data Breach
Cybersecurity goes beyond firewalls and encryption, encompassing education, incident-response plans, and separate insurance coverage.
The ABA admonishes: "All organizations, regardless of size, should consider themselves at risk" of data theft. Cybersecurity now goes well beyond questions of firewalls and updated software, encompassing policy, procedures, education, incident-response plans, and responses to audits, says Flournoy. The ILTA encourages firms to align with the information security standard known as ISO 27001, which, she says, "gives the firm and its business partners a solid understanding of what it has in place for security mitigation and controls." Security audits are a fact of life for many large firms, now that clients commonly request annual or even quarterly reviews of their outside counsel's technology and practices. In some cases, a breach can create serious secondary problems, as in an exposure of medical data that violates the federal Health Insurance Portability and Accountability Act of 1996. (See "HIPAA Liability," MCLE, in the May 2010 California Lawyer.) Though some firms initially saw audits as costly, time-consuming, and adversarial, in general that thinking has changed. Now, law firms see security audits as a mutually beneficial partnership between client and firm. "You can't do it on your own, because the issues and threats are so complex," says Flournoy.
Vendor Security
Law firms should, in turn, vet the security of their vendors as well, especially those providing cloud-based services, according to Sam Swenson, managing attorney of the Swenson Law Firm in Orangevale. "Ask your vendors to provide proof of cybersecurity and any measures that will be used to safeguard your business's sensitive information," he advises. Not that security is always under the vendor's control: Swenson notes that cloud software providers often host their clients' data on servers owned and managed by a third party, such as Amazon. (In addition to the security challenges it entails, third-party storage can be troubling in the context of litigation because a litigant could directly subpoena the third party. "Normally ... I would have the opportunity to put forth all the appropriate objections and identify confidential information. But with a third party, I don't get the opportunity to take the first look," Swenson says.) Choosing appropriate means of backing up information is another important piece of the security effort. Many firms back up data and archive it on magnetic tapes but don't manage the tapes properly, says Justin Moore, CEO of Axcient, a Mountain View-based provider of cloud-based data backup and recovery services. For example, they may ship them to storage via unsecured trucks, and anyone who gains physical access to tapes could crack encryption, Moore says.
Mitigating Risks
Hardware and software failures and human error are the major causes of data loss or outages, according to the Disaster Recovery Preparedness Council. Information security has come a long way from concerns about floods and fire, but traditional insurance policies for business interruption may not cover tangible losses caused by technical failures or human error, says Glen Olson, a partner with Long & Levit in San Francisco and co-chair of the State Bar's committee on professional liability insurance. "Products are changing fast in the insurance world; I buy the insurance for our firm, and I have a hard time staying ahead," Olson says. "Whenever I make the decision, I look at what a full suite of cybersecurity and first-party policies would cover."
Increasing Liability
Olson advises law firms to go over hypothetical situations with their insurance brokers to guard against gaps in coverage: What if an attorney has client files on a laptop that gets stolen from her car? Will a regular errors-and-omissions policy cover it? "My view is, it probably does," says Olson. "But the insurer might say, 'That's not the rendering of professional services; that's an auto theft loss.'" The professional liability insurance that the State Bar sponsors includes an endorsement to cover a small amount of damages for a data breach and to help insured lawyers comply with California's notification regulations, says Richard O'Regan, who runs the program. O'Regan, also a principal in Mercer Health & Benefits Insurance Services in San Francisco, characterizes the bar's data-breach coverage as a stopgap measure appropriate for smaller firms and sole practitioners. "Bigger law firms are definitely looking at stand-alone cyber-liability policies that would provide coverage in the event of a data breach," he says. The extent of professional liability from data loss or security breaches remains somewhat hypothetical. But maybe not for long. "We live in a very different world than we've ever lived in," says Flournoy. "The financial gains that a malicious actor can get by breaching a company are potentially tremendous."
Susan Kuchinskas covers business and the business of technology for publications that include Scientific American, Portada, and Telematics Update.
Kari Santos