The Risk of Data Breaches in Law Firms by Jett Hanna
A lawyer produces information containing personally identifiable information about a client’s employees to another law firm. One of the lawyers at the other law firm downloads a copy of that file and stores it, unencrypted, on their laptop. The laptop is then stolen at the airport. Does anyone have to notify the employees that their information was compromised? Will general liability or professional liability insurance cover the costs, or is another type of insurance necessary?
The cost of data breaches has risen significantly in the past few years, for many reasons. Computerization of health and financial records combined with more stringent privacy laws has created large potential liabilities for any business having certain types of information. Law firms have always had heightened responsibility for maintaining the confidentiality of client information because of their professional ethical requirements. This article will consider the nature of law firm liability for data breaches, and suggest some key loss prevention points. The insurance available for potential losses will also be considered.
The Nature of the Risk
Matthew Meade, in an excellent article on lawyers and data security, identifies three major categories of reported data breaches involving lawyers and law firms to date: careless disposal of client records, theft of mobile devices, and misuse or bypassing of internal security protocols. These are not, of course, all of the issues that might result in data breaches or arise from computer operations. In January, Bloomberg reported that China-based hackers targeted specific law firms in Toronto to seek information about a $40 billion takeover deal. In a case known to TLIE, a Texas lawyer had paper files with vital client information stolen out of his car, and provided credit monitoring services to those clients. Some “cyber” risks may create liability by exposing data maintained by others, such as the transmission of viruses and Trojans. To date, however, the most significant problems for lawyers have arisen in these three areas.
Improper document disposal is the most frequently reported type of data breach in law firms. In Texas, three publicly reported incidents illustrate the problem. Cases reported in San Antonio and Houston alleged that attorneys put client records in dumpsters, where they were found intact. In another Texas case, computers from a law firm were found in a pawn shop. One computer had a flash drive attached with personally identifiable information about 627 clients. This occurred despite the law firm’s policy to have any donated computers professionally scrubbed of all client information.
Thieves have stolen many lawyer laptops and tablets. In a case known to TLIE, a solo immigration lawyer who used their laptop as their only means of computer work had their laptop stolen with critical client information. In one of the most egregious cases, an employee stole 200 laptops from a Palo Alto, California law firm.
The third area identified by Meade is the bypassing of internal security protocols. These data breaches arise when, despite the existence of good procedures, protection systems are erroneously or intentionally circumvented. For example, Experian, the credit reporting agency, reported to New Hampshire authorities that credentials issued to a law firm were used in an unauthorized manner to download numerous credit reports containing sensitive information. In another situation, a law firm produced documents containing sensitive customer information to the Alabama Securities Commission, with the understanding that the sensitive data would be kept confidential. The lawyers for the authorities filed pleadings with the sensitive information redacted, but kept an unredacted version as well. When another law firm could not access the redacted version available online, a Commission employee provided the unredacted version.
The Consequences of a Data Breach
Lawyers have a duty to protect confidential client information. This duty is not limited to privileged information, but includes “all information relating to a client or furnished by the client…acquired by the lawyer during the course of or by reason of the representation of the client.” Texas Disciplinary Rules of Professional Conduct Rule 1.05(a). To the extent that a client is damaged by a data breach occasioned by a lawyer’s revelation of confidences, disciplinary action is possible. Malpractice claims, invocation of state laws requiring certain actions, and suits seeking preventative measures and damages resulting from a breach are far more likely to affect lawyers, however. An example of the type of claims that can follow a data breach involving personal information is In re Heartland Payment Systems, Inc., Customer Data Sec. Breach Litigation, 851 F.Supp.2d 1040 (S.D.Tex. 2012). Heartland involved a payment processor settling with a class of consumers whose personally identifiable information was breached by a hacker.
Many state laws now mandate how business records must be destroyed if they contain personally identifiable information. Texas Business & Commerce Code §35.48(d) requires that a business disposing of a record with personally identifiable information must modify the record by shredding, erasing or encrypting the information to make it unreadable. Contracting with a person in the business of disposing of records meets the requirement of the statute. Failure to dispose of records as required exposes the business to a fine of $500 per record. Please keep in mind that this article only addresses the issue of how to dispose of records once a decision to destroy them has been made; many other federal and state laws may affect whether or not records must be maintained.
If a computerized record with personal identifying information or sensitive information has not actually been destroyed, and the information in that record might have been made available to unauthorized persons, Texas law mandates that businesses give notice to the affected individuals in writing or by email. Email is permitted only if the individual has consented to notice by email. If the cost of such notice would exceed $250,000, the breach would affect more than 500,000 individuals, or insufficient information exists to contact all affected parties, substitute notice can be given by email, by posting on the business website, or by statewide media publication. If 10,000 or more individuals must be notified, notification must also be given to the credit reporting agencies. Failure to give required notice can result in significant fines, which the Texas Attorney General can enforce.
Lawyers should keep in mind that clients and others whose information they may have could live in other states, and that other state laws may apply. The provisions of state laws vary widely. A good rundown of state privacy laws is here.
A complete rundown of federal laws with data privacy provisions will not be attempted here, but a few of the ones most likely to affect lawyers are noted below. The Fair Credit Reporting Act restricts the disclosure and use of credit reports. The Health Insurance Portability and Accountability Act (HIPAA) restricts access to and use of health care information. The Employee Retirement Income Security Act (ERISA) includes privacy provisions applicable to employee health and benefit plans. These laws can carry civil and criminal penalties.
Whether or not notice of a data breach is appropriately given, it is certainly conceivable that a person whose information has been revealed may be damaged directly by misuse of the information. Identity theft, the use of another person’s information to obtain credit, can occur. When account numbers are compromised, unauthorized purchases may be charged to the victim or funds may be stolen from financial accounts. In addition to common law negligence claims, state and federal law may entitle victims to sue businesses that failed to maintain proper safeguards on important information. In Texas, the Attorney General has negotiated settlements requiring businesses to improve their records destruction procedures under the DTPA, suggesting that the DTPA may offer remedies for the consequences of identity theft.
To prevent the worst consequences of data breaches, many businesses have offered credit monitoring to victims. Some states require such protection, and federal legislation is proposed that would require credit monitoring for victims in certain situations. Texas does not require credit monitoring by statute. As a practical matter, if the likelihood of misuse of compromised information is high, providing credit monitoring may be a minor cost compared to the cost of identity theft.
Two more costs arising from data breaches deserve mention. Any business can experience loss of earnings if operations must be slowed or stopped in order to deal with a data breach. A firm’s reputation may be damaged by a data breach. It is not uncommon for businesses affected by a data breach to need public relations advice in order to minimize the effect of compromised information on their reputation.
Traditional general liability and property insurance does not consistently provide coverage for data breaches and their consequences. In some states, Commercial General Liability (CGL) policies have been construed to provide coverage under personal injury coverage for disclosure of customer information, on the theory that the information was “published.” Other states have rejected such arguments. No Texas cases have addressed the insurance issues under CGL policies to date. Note also that some general liability policy exclusions more specifically attempt to negate coverage for data breach liabilities. Property coverages relating to crime may have some applicability when data is stolen, though a number of courts have questioned whether electronic data is “tangible property,” and such coverages may not extend to consequential damages that do not affect property value. An article outlining the few cases considering the possible application of general liability and property coverages is here. It should be noted that professional liability is ordinarily excluded from general liability policies, and this may further limit certain types of claims.
Lawyers’ professional liability (LPL) insurance may apply to certain types of data breach claims. LPL policies typically insure professional legal services, which include services performed for others in the conduct of the practice of law. LPL policies probably include some coverage for the consequences of a data breach in most situations a lawyer may face. However, they may not cover the costs of notice, credit monitoring, or penalties under laws and statutes. Credit monitoring may be demanded by an affected third party, but when no specific claim has been made by a third party, LPL coverage does not apply. Penalties are generally excluded from LPL coverage.
Insurers reacted to the perception of a gap in coverage for data breaches with the introduction of cyber liability and data breach coverages. The nature of this type of coverage is developing. In some cases, the coverage is available as part of a commercial package. A few LPL insurers have added coverage to their policies, typically with sublimits for the coverages added. Stand-alone policies also exist.
Coverages available under cyber liability and data breach insurance vary widely, and may overlap with professional liability or general liability coverages in some cases. Most include first party coverages, that is, coverages that do not require a third party claimant, such as credit monitoring and notice costs. Coverage for a forensic examination to determine the cause of the breach, third party claims of violation of rights of privacy, and liability for the effects on third parties of viruses and other malware may be included. A few policies include coverage for penalties and for consultation with a public relations firm. Business interruption or loss of earnings coverage is available in a few policies.
Drawing from a variety of sources, here are some specific actions lawyers can take to avoid possible cyber and data breach liability.
- Develop a comprehensive security and data breach plan for your law firm.
- Train attorneys and support staff on security and data issues frequently.
- Monitor changes in technology that affect security considerations.
- Physically secure computer equipment and file rooms.
- Secure internal computer networks with anti-virus software, malware protection, firewalls, and strong passwords. Consider configuring systems to prohibit the use of portable storage for most users, since unmanaged flash drives are how client data most easily leaves the office (and, as the pawn shop case above shows, how it leaves with discarded hardware).
- Understand the security issues that may arise in any cloud computing services used by your firm. Cloud services frequently used by lawyers include email and contacts, storage (such as Google Drive and Dropbox), collaboration software (such as Google Apps), and law firm management applications.
- Minimize production of personal information where possible.
- When production is unavoidable, make an agreement regarding treatment of the personal information. Include an agreement on how and when documents produced are to be destroyed, and the format in which such production must be maintained.
- Encrypt information as much as possible, whether produced to others or stored on your computers. Encryption adds some overhead, so the cost and benefit should be considered. Mobile devices, such as laptops, cellphones and portable storage, and data produced to others are the best candidates for encryption: full-disk encryption is what turns the stolen laptop in the opening example from a reportable breach into a lost piece of hardware, and many state notification statutes apply only to unencrypted data.
- Have a proper file and data destruction policy. Using certified vendors for file and data destruction can provide a safe harbor for file and data destruction under certain laws.
- Ask clients if any of their data warrants special protection and discuss how that data should be protected.
- Make sure vendor and expert contracts include provisions for security and confidentiality.
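The destruction bullet above, and the “erasing” option in Texas Business & Commerce Code §35.48(d), assume that deleting a file actually makes the information unreadable. It does not: a normal delete only removes the directory entry, which is why client records turn up intact on pawned computers and attached flash drives. The following is an added example, not part of the original article, showing an overwrite-then-delete routine for files on a traditional magnetic disk, with a refusal to follow symbolic links so a planted link cannot redirect the wipe. The file names, suffixes and sample contents are assumptions for illustration. The caveat a practitioner should know: on SSDs, flash drives and journaling or copy-on-write filesystems, the overwritten blocks are often not the blocks that held the data, so the reliable erase there is full-disk encryption from the start followed by destruction of the key, or physical destruction of the media.

```python
"""Overwrite-then-delete for files containing personal information.

Added example; not code from the original article. Suitable for files on
magnetic disks only. On SSDs, flash drives and journaling/copy-on-write
filesystems, overwriting in place is not reliable; use full-disk
encryption plus key destruction, or destroy the media.
"""
import os
import secrets
from pathlib import Path


def overwrite_and_delete(path, passes=1, chunk_size=1 << 20):
    """Overwrite `path` in place with random bytes `passes` times, then unlink it.

    Returns the number of bytes overwritten per pass. Raises ValueError if
    `path` is a symbolic link (never wipe the target of a link someone else
    may have planted) or is not a regular file.
    """
    p = Path(path)
    if p.is_symlink():
        raise ValueError(f"refusing to wipe symbolic link: {p}")
    if not p.is_file():
        raise ValueError(f"not a regular file: {p}")
    size = p.stat().st_size
    # Open for update without truncation, so the same on-disk blocks are
    # rewritten rather than new ones being allocated.
    with open(p, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            # Force the overwrite through the page cache to the device.
            os.fsync(f.fileno())
    os.unlink(p)
    return size


def wipe_tree(root, suffixes=(".pdf", ".docx", ".xlsx", ".csv")):
    """Wipe every regular file under `root` whose suffix is in `suffixes`.

    Returns the list of wiped paths (as strings) in sorted order. Symbolic
    links and files with other suffixes are left untouched; the suffix list
    is an assumed default for a document production directory.
    """
    wiped = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        if p.suffix.lower() in suffixes:
            overwrite_and_delete(p)
            wiped.append(str(p))
    return wiped


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a production directory with one client list.
    workdir = tempfile.mkdtemp()
    sample = Path(workdir) / "client_list.csv"
    sample.write_bytes(b"name,ssn\nJane Doe,123-45-6789\n" * 1000)
    print("wiped:", wipe_tree(workdir))
```

Run it against a copy of a production directory once the agreed retention period has passed, and record the output as the destruction log the statute’s safe harbor contemplates. For a laptop or flash drive the same result comes for free from full-disk encryption: when the device is lost, the data on it is already unreadable.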