    Wisconsin Lawyer
    October 01, 2016

    Managing Risk
    Give TLC to Clients: Respond ASAP to Security Breaches

    As with many types of emergencies, planning what you’ll do if cyber criminals attack your firm will also reduce the likelihood of being hacked in the first place.

    Thomas J. Watson

    Lawyers always have had an obligation to keep client information confidential. But now, in addition to information being stored electronically more than ever before, two changes have increased that obligation. The first is that storage of client information is much more portable, for example, on laptops and smartphones; and the second is a statutory obligation in almost all states to protect personally identifiable information (PII), not only that of clients but that of other people as well.

    What would you do if you lost sensitive client information? Whether because of a data breach due to hackers, careless disposal of client records, theft of mobile devices, or misuse of internal security protocols, lawyers need to consider how they are protecting client and employee information. Experts say law firms have become a prime target because of all the sensitive and confidential PII stored in law firm databases.

    The consequences of a breach or lost data can be monumental, especially for solo practitioners. Sandy Hauserman, a Vermont lawyer and founder and managing member of Digital Risk Resources ("DRe"), an insurance-product development company, says there are cyber exposures that arise from a law firm's dependence on computers and the internet and from collecting clients' personal information. He says cyber exposures can significantly affect law firms – and he expects those exposures to grow. "Every law firm is now dependent on technology and the internet," he says. "This dependency creates business risk not covered in standard errors and omissions or property-casualty policies."

    Thomas J. Watson, Marquette 2002, is senior vice president and director of communications at Wisconsin Lawyers Mutual Insurance Co., Madison.

    Client records and credit and debit card processing make up a significant portion of the overall risk profile. Law firms gather and transmit PII of clients, employees, vendors, and others. Law firms collect a lot of very sensitive information that, if made public, could severely damage a client's reputation.

    In addition, some cyber criminals want to steal data or damage IT systems. They often plant harmful software (viruses, malware, and so on) on one computer and hope it will be accidentally transmitted to others.

    Protect File Documents

    In addition to all the client information lawyers have in their computer system, many, if not most, lawyers also store file documents electronically. The file is the property of the client, and as the lawyer you are obligated to safeguard the file's documents. That means you must use reasonable care to ensure the confidentiality of electronically stored client files and ensure that any security measures are reviewed periodically so that such measures stay current.

    If you back up your files with a third-party internet service provider (ISP) or in the "cloud," as many like to refer to it, you should make sure the third party understands your obligation as a lawyer to keep the information confidential, the third party is itself obligated to keep the information confidential, and reasonable measures are used to preserve the confidentiality of the files.

    What is the best way to do these things? First, find out how the ISP protects the data. For example, some providers split up the data, encrypt it, and keep it in separate servers, adding a few layers of security. But the best way to understand what a third-party vendor does with your data is to ask. If your vendor isn't responsive, you may consider switching to another vendor.

    Second, look at your contract with that vendor. What kind of security does it promise?

    Many technology experts believe the cloud or a third-party ISP is more secure than the server you have at your law firm. They caution, however, to make sure you know what you are purchasing when you go to that third party. Sometimes, it's a matter of getting what you pay for. The cheapest is not always best.

    Hauserman says, "In general, the problem with the cloud, or other electronic storage options, is that the contracts the law firms have to sign push back liability for any losses due to a breach to the law firm. This is especially true of cloud providers. Also, when information is lost or stolen, attorney-client confidentiality can and almost surely will be lost. In any case, data storage contracts need to be closely scrutinized."

    Dealing With a Security Breach

    Hauserman says it is important to act quickly if your or your firm's computers are hacked. "Disconnect from the internet and seek help. Hire a security service provider who can 1) arrange for a forensic investigation to determine the extent of the loss of PII, 2) help with reporting to the proper state and federal law enforcement authorities or agencies, 3) arrange for proper notification to victims whose PII has been lost or stolen, and 4) provide the victims with identity theft remediation and credit monitoring."

    Notifying Clients. Most states have enacted breach notice laws that require a business suffering a security breach or losing PII to notify victims. This allows the victims to take action to protect themselves from identity theft. Wisconsin lawyers must comply with Wisconsin's breach-notice law (Wis. Stat. § 134.98) and potentially other state laws. In addition, any law firm storing medical information is subject to the notification rules of HIPAA.

    Notification costs can grow rapidly. The average cost is between $50 and $100 for each affected person. Even a modest-sized breach can result in a huge legal liability that could potentially bankrupt a small law firm. At the very least, notification of a security breach will be expensive and will disrupt your practice.

    If an individual who has been notified actually suffers a monetary loss, or, more important, if financial or medical information collected by the law firm gets in the wrong hands, the law firm might be sued.

    Post-notice Response Plan. After you have notified potential victims, Hauserman recommends that you activate your response plan. If you don't have a plan, develop one now so you are ready in case you need it.

    What should the plan contain? First, establish priorities. The top priority is often protecting the confidentiality of client information. Identify and rank your priorities (including the need to notify your clients, malpractice carrier, and cyber risk insurer).

    Second, be ready to investigate. To respond appropriately, you must understand the nature and extent of the cyber attack or breach. Your IT consultant or department, if you have one, should have sufficient knowledge of forensic investigation to isolate the problem. If you do not have an IT department or consultant, you should identify the provider you would contact to investigate the breach.

    It is important to remember that non-IT staff may be the first to discover a cyber incident. Encourage staff to report indications of trouble immediately.

    Third, have a communication plan. Effective internal communication with your staff is crucial to a good response plan. External communication is equally important, including with outside IT consultants and other service providers.

    Fourth, be prepared to make decisions about containing the damage. Certain staff members should have the authority to lock down accounts, change passwords, and determine which parts of your computer system should be shut down or isolated and when it is safe to restore operations.

    Fifth, you should be prepared to resolve the incident by identifying and correcting all the breach points and eliminating any malware or other intrusion mechanisms.

    Finally, analyze the incident and the effectiveness of your response.

    Of course, preventing a breach in the first place is the best way to avoid potential trouble. Hauserman says, "If you don't plug up the cracks in your system now, you may find yourself in the same situation down the road." He suggests eight steps lawyers can take to prevent a future breach. They are the following:

    1. Train employees. Criminals are experts at exploiting people who do not know how to adequately protect PII.
    2. Encrypt the corporate network and any mobile devices, making PII accessible only by the user.
    3. Store paper records in a locked file cabinet or room; back up electronic data and store the backups both on site and off site.
    4. Maintain firewalls on any computer device connected to the internet.
    5. Use antivirus software and update it no less than every 30 days.
    6. Use strong passwords.
    7. Do not click on links or open attachments in suspicious emails. If you know the sender, but think the email looks strange, call the sender to ask whether the message is genuine.
    8. Dispose of unnecessary or outdated paper and electronic PII. Erase data from printers, cell phones, copiers, and computers. Shred paper documents.

    Law firms depend on technology and the internet. This dependency creates a business risk. Inadvertent disclosure of the PII law firms gather and transmit, such as names, addresses, birth dates, Social Security numbers, credit card information, and medical information, creates the possibility of identity theft.

    Be sure you are ready with a plan in case you experience a breach. In addition to the plan, finding the right expertise to begin a forensic investigation to determine the extent of the loss, and complying with the notification laws, are absolutely necessary to getting back on your feet. And Hauserman says having cyber liability insurance coverage can help you sleep at night. "Buying liability insurance coverage for lawsuits involving an information breach, whether they have merit or not, is the easiest and most efficient way to arrange for legal help and other assistance and to help pay for damages inflicted on others."

    What to Expect if You Buy Cyber Liability Insurance

    It's important to know what cyber liability insurance covers and what will happen to your premiums if you report a breach.

    Law firms depend on technology and the internet. This dependency creates a business risk not covered in standard business owners insurance policies and only partially covered in professional liability policies. Inadvertent disclosure of the PII law firms gather and transmit creates the possibility of identity theft.

    Cybercrime-specific Coverages
    What additional coverage beyond a business owners policy or a legal professional liability policy would help?

    Joe McCarthy, vice president of claims and underwriting at Wisconsin Lawyers Mutual Insurance Co. (WILMIC), says the type of policy WILMIC now offers includes three types of coverages:

    1. Breach notice coverage, which provides coverage for costs incurred by a lawyer or law firm to comply with Wisconsin’s privacy-breach-notice law, as well as notice-fulfillment services and credit and fraud monitoring for clients whose confidential information has been lost or stolen;
    2. Privacy liability coverage, which covers third-party liability for loss of personally identifiable information; and
    3. Security breach liability coverage, which covers third-party liability and damages from computer security breaches such as virus and hacker attacks that have been transmitted to a third party from a law firm computer.

    Ransomware coverage is expected to be added to cyber policies in the future, including the policy WILMIC offers. Ransomware emails are increasingly becoming a security risk, especially for law firms. Ransomware coverage provides assistance by a consultant to attempt to free a law firm computer system, if possible, of ransomware and restore system functionality. If that is not possible, the coverage provides expertise to restore the system to functionality from the latest backup, if one is available.

    McCarthy says that at the very least, lawyers should make sure they know what’s at risk. “If our policyholders and all Wisconsin lawyers are better educated about how to prevent security breaches, this risk can be better managed.”

    Some cyber liability carriers also offer media, extortion, and business-interruption coverage.

    Claims Handling
    If you think you have a security breach and want to make a claim, the claims process begins as if the lawyer were calling a 1-800 help line. Under the policy offered through WILMIC, the insurer and its vendors do the rest. As McCarthy notes, “As a lawyer, you do not want to handle a breach without expert help.”

    The insurance carrier takes the initial crisis call and documents the nature of the event. Then, the insurance provider’s staff of experts walks the lawyer through the claims-handling process and what he or she should do to assist. The insurance provider also offers an on-call hotline service for victim crisis management, personalized and dedicated case management for the duration of the resolution process, certified privacy and fraud experts, custom training, education and marketing services, forensic services, notification mailing, and credit and fraud monitoring.

    A third-party claim would be handled by a lawyer with extensive cyber breach experience.

    Finally, the policy also provides an online training module. This can be especially helpful for solo practitioners, who may not have the budget for IT staff.
