It seems like every morning Americans wake up to news of a major data breach. First Target, then Home Depot, and now mid-size and small companies. This appears to be the new wave of liability for all businesses, including law firms. There is not yet much case law on liability damages against law firms, but what most business owners do not realize is how to respond appropriately to a breach and what the notification and monitoring of a particular breach will cost. Each State has its own definition of “Personal Information”. Furthermore, each State has its own requirements as to whether notification to the Attorney General or a State Agency is required, and the timeline for making it. Many States have an Encryption Safe Harbor, and a couple permit a private cause of action to be brought against the breached party. One additional difference from State to State is what triggers the Statute: a breach of Electronic Records, Paper Records, or both.
I think it is safe to say at this point that the risk and exposure are imminent. So the next question is: how do you protect your firm from being the next headline? Given the legal and ethical implications for lawyers who handle personal information from a client or an adversary, it is crucial to take the appropriate steps not only to secure the data, but also to prevent inadvertent disclosure. Obviously, no business is immune to a breach, regardless of the protective software, policies and procedures it has in place, but here are a few suggested best practices that certainly help mitigate the risk.
- Whenever possible, use encryption. As mentioned above, most States have an Encryption Safe Harbor under their breach laws, which greatly reduces the risk of a data breach.
- Monitor technology to stay current on any threats to the confidentiality of client data.
- Adopt a written information security plan, implement it, and train staff on it. (Your IT personnel or IT company should be able to assist.)
- Carefully review and monitor your vendor agreements to ensure compliance with the data security terms you have proposed and agreed upon.
As of 10/7/2014, there were 589 data breaches reported, affecting 76,681,707 records. Now let's talk a little about the hard costs associated with a breach, as well as some trends and how they might impact your firm. Then I will touch briefly on an emerging insurance product designed to protect your firm from a number of these variables. Presently the average cost of a data breach is $188 per record ($128 of that being indirect costs). In some industries, such as healthcare and financial services, that cost is even higher. Today, 35% of organizations have had a breach due to a lost or stolen mobile device such as a tablet or smartphone. 81% of employers permit their employees to use their own mobile devices to access their network or enterprise systems. Many organizations are embracing the Cloud, so global exposure is only going to increase. Here are a few more astounding figures to consider. For the first time ever, the main cause of a data breach is actually a criminal or malicious attack, which accounted for 41% of data breaches last year. Negligent employees were next at 33%, and system glitches accounted for 26%.
Do you think your firm is protected?