You may have noticed that we write a lot about data security at this blog.  That’s not by accident: lawyers have a seemingly ever-increasing number of professional responsibilities respecting the confidentiality of the client information they maintain; simultaneously, they’re opposed in those efforts by new and more complex threats related to data breach.  But that’s only one of the reasons we’re happy to have this guest post from John Torvi, the Vice President of Sales & Marketing at the Herbert H. Landy Insurance Agency.  In addition to now writing for us, John is a frequent speaker and author on risk management and insurance issues for clients and professional associations nationwide.  The Landy Agency, founded in 1949, is a leading national provider of professional liability, cyber and privacy, and other types of professional insurance products.  John can be reached directly by email at johnt@landy.com, or via phone at (781) 292-5417.

. . .

The growth of privacy breaches and cybercrimes poses the fastest-developing threat to businesses.  No longer just a concern of governments and big business, the dark hand of illegal access to privileged data has reached businesses of all sizes, and affects every profession.  While statistics abound, it is sufficient to say that the number of attacks and affected businesses is growing exponentially every year.  Independently owned and operated law firms face a particular risk.  Without expertise in the area, and with little to no IT support, law firms often rely on “store-bought” third-party anti-virus software; however, those defenses are usually no match for the sophisticated hacking and virus-spreading efforts of cybercriminals.  The increasing number of work-at-home employees, coupled with the rise of BYOD offices, tends to further weaken data security.  With the increasing likelihood of a privacy breach comes increased liability; and demands from both regulators and clients necessitate awareness of the issues and the taking of concrete actions to prevent a breach.

What Are Cybercrime and Privacy Breaches?

Cybercrime’s broad definition encompasses any criminal act that involves computers, computer networks and/or the internet.  It can include identity theft, fraud, telemarketing scams, credit card theft, illegally obtaining funds, and any other crime resulting from the illegal or unauthorized theft or use of confidential or privileged information.  Cybercrime extends beyond email phishing and hacking, and increasingly involves social media and online advertising as gateways to gain access to confidential information.  Incentives for criminal activity remain strong: according to the computer security company Norton, cybercrime now surpasses drug trafficking as an illegal moneymaker; furthermore, the Norton study notes that someone’s identity is stolen every three seconds.

Cybercrime can occur when a virus (such as a Trojan Horse, which logs a user’s keystrokes) is downloaded through an infected email or website.  Once a computer is infected by a Trojan Horse virus, for example, all keystrokes on the computer are monitored, which allows access to passwords, banking information, and so on.  Legitimate-looking emails may contain links that appear to come from one’s bank or credit card company, but that end up leading to illegitimate sites.  There have been many recent local cases in which a real estate attorney or escrow agent was duped into sending deposits or closing fees to a foreign country, or paid a fraudulent invoice created by a scammer.  Of note is that not all hackers are looking to get access to your money; some are looking for the email addresses of your clients, in order to hack them as well.  Cybercriminals work on a large scale, and only need a small percentage of ‘hits’ to make their efforts worthwhile.

Nor do privacy breaches involve only computers.  Disastrous consequences can result from dumpster diving, theft of a briefcase, access to client records by unauthorized individuals, or even a disgruntled employee stealing information and sharing it with a competitor or a criminal.

Responsibility and Consequences Under the Law

The Commonwealth of Massachusetts, like most states, has established laws and regulations outlining the responsibilities of any person or business that owns or licenses personal information of a Massachusetts resident.  The laws also indicate that a business owner’s responsibility for data protection extends to regulating third parties who manage client information, including case management software vendors and credit card processing companies.  Data, per the statutes, means ‘any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics’.

Massachusetts also defines what must be done if a breach occurs, including what notifications must be made, and when, to affected parties and to certain State regulators.  In the event of a breach, additional actions must be undertaken as well, including purchasing credit monitoring services for affected parties.

The requirements to monitor, and potentially notify, imply an ongoing cost; but the price to be paid for a data breach is probably far more significant.  Beyond the aforementioned notice requirements, monetary costs can include civil penalties, Payment Card Industry penalties, restoration of reputation, third-party liability, data restoration, data extortion, advertising injury and reimbursement of funds.  Most states penalize on a ‘per record’ basis.  So, if a law firm has 500 names or emails in a client database, and that database gets hacked, there would potentially be 500 claims to address.  Massachusetts allows the Attorney General to levy penalties of up to $5,000 per record.  To add additional distress, if the breached data involves clients or records from different states, the response must meet the various requirements of each of those jurisdictions.  Then you’re adding in legal fees, including, potentially, the use of a data breach expert to assess the extent of the damage.  Of course, it goes without saying that the affected firm has a PR nightmare on its hands.

Strategies to Avoid Data and Privacy Breaches

Ninety-five percent of breaches result from human error.  If business owners and their employees are not aware of potential threats, and how to prevent them, they may use their own personal devices (in an insecure manner) for work purposes, or they may access vulnerable apps or websites and thereby create multiple access points for criminals who wish to obtain confidential information.

Law firms should (and may be legally required to) establish a data and information security policy, including guidelines for the management and storage of documents (including emails), the use of the internet and mobile devices, passwords, encryption . . . and more.  Such policies must be in writing, and reviewed with employees.

Since human error so often leads to a breach, applying common sense can reduce the risk:

  • Wi-Fi networks can be particularly vulnerable.  Office Wi-Fi access should be encrypted and secure, and access passwords should be changed regularly.  Extreme caution should be used when accessing public networks, such as those available in airports or coffee shops.
  • Back up data regularly; and control which firm members can access what information.
  • Physically protect information by locking office doors, clearing desks (make sure files are not left out overnight) and securing IT equipment.
  • Avoid opening multiple windows on a computer or mobile device.  A hacker, through an open, infected website, can view every other window that is open.  So, before you make that bank transfer, be sure all other windows are closed.  Avoid USB flash drives, especially if they have been used across multiple computers.

Consider cybercrime and privacy breach insurance.  This type of insurance has only recently become readily available (and affordable) for small to medium-sized law firms.  A good policy will cover the multitude of costs and penalties that might be incurred; and some insurers will provide a breach counselor to offer a measure of damage control following a breach.  Note that not all policies will reimburse for funds lost through e-commerce fraud or other illegal means.  If you hold client funds in escrow, trust accounts and so on, make sure that your policy covers the loss of those funds.

Conclusion

Incidents of data and privacy breaches are increasing in frightening numbers.  No small business, including a law firm, can consider itself immune, or ‘too small’ for a cybercriminal to care about.  More than half of the readers of this article will experience some type of breach in the next few years.  The development and implementation of a thorough policy for your business that addresses internet security, data access, employee expectations, personal device usage and information management will not only keep you compliant with the law; it will also reduce the risk of a breach.