Wisconsin Lawyer: 101 Cybersecurity and the Duty to Protect Client Data :

State Bar of Wisconsin

Sign In

Top Link Bar

    Wisconsin LawyerWisconsin Lawyer

News & Pubs Search

Advanced

    101
    Cybersecurity and the Duty to Protect Client Data

    Even if not experts in information technology, lawyers retain the ultimate responsibility to protect their clients’ data from hacking and other threats.

    Martin J. McLaughlin

    Share This:
    cactus-shaped flash drive

    With the marriage of technology to the practice of law, lawyers and law firms must ensure their use of technology complies with their duty to protect confidential information. This duty to protect personal data and client information arises from legal, contractual, and ethical obligations. It requires lawyers to develop, implement, and monitor an adequate information or data security program, including activating physical safeguards (secured buildings and locks), administrative safeguards (written policies and training), and technical safeguards (firewalls and encryption).

    Lawyers possess vast amounts of client data and other confidential information. While increasingly relying on technology to manage that confidential information, many lawyers delegate the responsibility of securing client data and information to either in-house information technology personnel or third-party IT vendors. However, to fully meet our obligations, lawyers cannot completely delegate the security mission to other people.

    Statutory Obligations

    A lawyer’s legal obligation to ensure the security of client data can arise under a variety of federal and state laws or regulations. Federal laws regulating data security are largely industry based, with some applying directly to law firms.

    Martin J. McLaughlincom mmclaughlin reinhartlaw Martin J. McLaughlin, Boston Univ. 1987, is a shareholder and chair of the data privacy and cybersecurity group at Reinhart Boerner Van Deuren s.c., Milwaukee, focusing on corporate finance, private equity, mergers and acquisitions, and general corporate counsel. He advises clients on information security compliance, risk management, cross-border data transfer, and data privacy-related incidents. He also is a Certified Information Privacy Professional/United States (CIPP/US).

    For example, a law firm may be classified as a business associate under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s privacy and security rules require business associates to implement certain physical, administrative, and technical safeguards. Similarly, the Gramm-Leach-Bliley Act (GLBA) may impose security obligations on a law firm. If a lawyer provides services to financial institutions covered under the GLBA, the financial institutions may need to comply with its safeguard rule, which requires a written data security plan and appropriate security measures. As lawyers who represent financial institutions can attest, most banks also contractually impose their own stringent security requirements.

    State laws also affect lawyers’ obligations to protect client data. All 50 states have breach-notification laws that obligate law firms (and other businesses) to notify clients and other affected third parties of data breaches. Many states have also adopted data privacy and security laws that obligate businesses to adopt and maintain reasonable data security measures.

    For example, the Illinois Personal Information Protection Act requires businesses that possess Illinois residents’ data to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”1 If a law firm has Illinois residents’ personal information (defined to include a person's name with their Social Security number, financial account number, or driver’s license number), it is required to implement reasonable security measures. Note, this requirement applies both to lawyers actively representing Illinois-based clients, as well as Wisconsin‑based clients with employees, locations, or business relationships in Illinois.

    Another example is the California Consumer Privacy Act, which was signed into law in late June 2018 with a January 2020 effective date. The Act provides California consumers with sweeping privacy rights and will apply to many businesses that collect California residents’ personal information.

    Lawyers should also understand the life cycle of their data – where it comes from, how it is used, where it goes, how long it is stored, and how it is destroyed.

    Absent passage of an overarching federal data privacy law, more states will require reasonable security measures to protect their residents’ data or provide their residents with expanded privacy rights. Law firms that ignore this trend do so at their own peril: a failure to adhere to the requisite standard exposes those firms to both regulatory and private rights of action.

    Law firms may also be subject to international data security laws, such as the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018. The GDPR applies to American firms that provide services to clients established in the European Union and to firms that collect personal data from individuals located in the European Union. The GDPR and other foreign data-security regulations are more rigorous than most U.S. laws and require firms to implement detailed privacy policies and procedures to comply with the regulations.

    Accordingly, lawyers must carefully assess which federal, state, and international data security laws and regulations affect their practices. Lawyers should consider what types of client and personal data they possess, how they receive it, and how they use and handle it. Lawyers should also understand the life cycle of their data – where it comes from, how it is used, where it goes, how long it is stored, and how it is destroyed.

    Lawyers may also want to engage their IT personnel or vendors to evaluate the information they collect. Often, IT personnel can use data-mapping tools to analyze where and how data moves throughout a network. Those data maps will often aid in discussions regarding data security programs between laypersons and IT personnel. Once the lawyers fully understand the client data their firm processes, they can thoroughly evaluate which laws apply and implement the appropriate policies and procedures to comply with those laws. 

    11 Tips to Increase Security and Minimize Your Target Area

    Given technology’s pace of change and the increasing number of malicious intrusions, law firms and lawyers may struggle to keep up. While not foolproof, here are a few relatively simple ways to increase security and minimize your target area.

    1. Evaluate the Cybersecurity Guidelines recently released by the International Bar Association to help law firms protect against and react to data security incidents.7

    2. Create a culture of data security at your firm by providing regular training for employees, regularly reviewing and updating policies and best practices, and emphasizing data security in organizational decisions.

    3. Ensure your cyber liability insurance adequately covers your known exposures. Because some insurance policies exclude coverage for certain types of data breaches, such as breaches involving phishing or intentional bad acts by employees, lawyers should carefully review the scope of their cyber liability policies.

    4. Use specific resources and assistance from your insurance broker and malpractice carrier to help minimize exposure.

    5. Test your data security program by hiring vendors to perform penetration tests on systems to reveal weaknesses in physical, administrative, and technical safeguards. While IT providers and staff can be helpful in evaluating a data security program, lawyers should not solely rely on their customary IT support to evaluate security; a third-party, nonconflicted security evaluation often reveals previously unidentified vulnerabilities.

    6. Regularly patch and update your software applications.

    7. Manage access control.

    8. Use tabletop exercises to practice incident response plans with key internal and external team members. Tabletop exercises allow response teams to work through breach scenarios and discover weaknesses and administrative barriers to an effective and timely response.

    9. Consider whether a cloud‑based solution from an experienced law firm vendor offers a more economical and secure solution. When evaluating whether a cloud service provider is the right option, firms should perform adequate due diligence because not all cloud-based offerings are equally robust.

    10. Update and enforce password protocols that require complex passwords with regular changes.

    11. Require two-factor authentication (software that requires a person to approve a log-in request from their cell phone or email) for employees remotely accessing the firm’s network.

    Contractual Obligations

    As more and more businesses include data security provisions in their contracts, law firms need to ensure that 1) they can comply with any data-centric contractual requirements in client engagements, and 2) their arrangements with third‑party vendors commit to appropriately protect client data.

    Clients, particularly those in regulated industries, regularly require data security commitments from their law firms. The Association of Corporate Counsel recommends that outside counsel have internal security and privacy policies designed to protect the security, confidentiality, and integrity of confidential information.2

    Those policies should, at a minimum, include an incident response plan to follow when a data security incident or breach occurs, employee handbooks that require employees to follow data security policies, a privacy policy featured on the firm’s website, and a general information security policy. Firms should monitor and review these polices at least annually. A law firm, on request, should be able to provide clients with a list of the security measures it has in place.

    If a client requires a firm to implement minimum security measures, the firm should work closely with its IT support staff to ensure those measures are met. If a firm does not have sufficient in-house IT support, the ABA recommends engaging an IT consultant familiar with supporting law firms and their security needs.3 In order to fully assess its risk and exposure in the event of a data breach, a law firm must understand the data security obligations it contractually agreed to.

    On the other hand, lawyers also must consider whether to impose appropriate data security commitments on their third‑party vendors. Vendors, such as web-hosting providers, software-as-a-service providers, or even HVAC vendors, are the source of many data breaches. For instance, attackers in the 2013 Target breach backed their way into Target's network by compromising a refrigeration contractor.

    Although vendors are often the source of an intrusion, absent appropriate contractual protections, the expenses of a vendor-caused data breach are still borne by the entity that owns or controls the data – in this case, the law firm. These expenses can include reputational harm, potential governmental fines, third-party lawsuits, costs related to investigating and responding to the breach, and lost client revenue.

    Firms should perform due diligence on their vendors to ensure the vendors have adequate financial wherewithal, experience, effective data security policies and procedures, and adequate levels of cyber liability insurance.

    To reduce this vendor-related exposure, firms should perform due diligence on their vendors to ensure the vendors have adequate financial wherewithal, law firm experience, effective data security policies and procedures, and adequate levels of cyber liability insurance. Lawyers should also ensure their vendor agreements contain clauses that protect confidentiality, require industry-appropriate data security measures, permit audits of the vendor’s data security programs, and indemnify the law firm for any losses arising from a vendor-caused data breach.

    Finally, vendor contracts should require the vendor to timely notify the law firm of a suspected breach and fully cooperate with the law firm to perform any necessary investigation and remediation. By performing due diligence and appropriately allocating risk, law firms can significantly lower both the likelihood of a breach and its costs.

    Cyber Insurance: Know Your Member Benefits

    The State Bar of Wisconsin is partnering with 3M Insurance to offer coverage that can be specifically tailored to meet your cybersecurity needs. The BIZLock program provided by Identity Fraud includes third-party liability insurance coverage and defense, coverage for regulatory fines and penalties, cyber extortion, data reconstructions, media and website liability, the costs for forensic investigations, and identity monitoring for breaches.

    To learn more, visit Member Benefits.

    Ethical Obligations

    Finally, a lawyer’s duty to protect client data arises under our Rules of Professional Conduct. On May 22, 2017, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Ethics Opinion 477R, which emphasizes the duty of a lawyer to maintain reasonable data security. Opinion 447R reiterates that rule 1.1 of the ABA Model Rules of Professional Conduct requires lawyers to inform themselves of the benefits and risks associated with technology and understand the basic features of technology. Opinion 447R also provides guidance on how a lawyer’s duty to maintain the confidentiality of client data under ABA rule 1.6 translates into data security.

    Supreme Court Rule 20: 1.6(d), part of Wisconsin’s Rules of Professional Conduct for Attorneys, requires lawyers “to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The ABA’s comments to ABA rule 1.6 state that an unauthorized access or disclosure of information will not be considered a violation of the rule if the lawyer took reasonable efforts to prevent the access or disclosure.

    Opinion 447R rejects the notion that a lawyer must use particular security measures to fulfill the ethical duty. Rather, lawyers must adopt a fact-specific approach to data security that assesses risks, implements appropriate security given those risks, and regularly reevaluates security.

    Lawyers who fail to adequately safeguard client data might face malpractice claims for failure to protect confidential and personal client data, failure to supervise others, fraud, and misrepresentation.

    Lawyers who make data security an IT-only problem will not be fulfilling their obligations under ABA rules 1.1 and 1.6. Lawyers must actively evaluate their data security efforts. When analyzing whether to implement a specific security measure or technology, lawyers should consider the type and sensitivity of client data at risk, whether and how the data could be monetized by bad actors, and the benefits provided by the technology. Lawyers must have a basic understanding of the technology and data security to perform the required balancing test. For individual lawyers or small and mid-sized firms, a cloud solution from a reputable vendor may be the most secure and cost-effective option.

    Lawyers who fail to adequately safeguard client data might face malpractice claims for failure to protect confidential and personal client data, failure to supervise others, fraud, and misrepresentation. In 2016, Johnson & Bell in Chicago became one of the first firms to face a putative class action4 for maintaining inadequate safeguards, including for using out-of-date software. Similarly, a New York lawyer faced malpractice and breach-of-fiduciary-duty claims when her email system was hacked and used to send messages to clients requesting wire transfers.5 In response to the fraudulent email messages, the lawyer’s clients wired nearly $2 million to the hackers’ account.

    Recently, a malpractice suit was filed against a New Jersey law firm alleging that a lawyer carelessly sent an email to opposing counsel containing a password to access the law firm’s confidential client file.6 Opposing counsel forwarded the email to her client, the wife in a divorce case, who allegedly accessed her soon-to-be ex-husband’s confidential file 570 times.

    Conclusion

    To fulfill statutory, contractual, and ethical obligations, lawyers must embrace data security. While not every lawyer needs an in-depth understanding of data security, lawyers should understand the basics, implement an information or data security program and incident response plan, and know when to seek the right outside support.

    Meet Our Contributors

    What’s your favorite nonwork activity?

    Martin J. McLaughlinMy wife Jen and I spend our time trying to visit every soccer field in Wisconsin and the upper Midwest. I also enjoy cooking, music, and travelling to interesting locales.

    com mmclaughlin reinhartlaw Martin J. McLaughlin, Reinhart Boerner Van Deuren s.c., Milwaukee.

    Become a contributor! Are you working on an interesting case? Have a practice tip to share? There are several ways to contribute to Wisconsin Lawyer. To discuss a topic idea, contact Managing Editor Karlé Lester at (800) 444-9404, ext. 6127, or email org klester wisbar wisbar klester org. Check out our writing and submission guidelines.

    Endnotes

    1 815 Ill. Comp. Stat. 530/45.

    2 Association of Corporate Counsel, Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information (2017).

    3 Jill Rhodes & Robert Litt, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2d ed. 2018).

    4 Shore v. Johnson & Bell Ltd., No. 16-cv-4363, 2016 WL 7197421 (N.D. Ill. Dec. 8, 2016).

    5 Millard v. Doran, No. 153262/2016 (N.Y. Sup. Ct. 2016).

    6 Kennedy v. Weinberger Divorce & Family Law Grp. LLC, No. LVC2018713245 (N.J. Super. Ct. 2018).

    7 Cybersecurity Guidelines prepared by the IBA’s Presidential Task Force on Cybersecurity (Oct. 2018).




Server Name