Beginning in 2009, state and federal law enforcement agencies have warned larger United States law firms that their computer files are targets for cyber spies and thieves seeking valuable information about pending corporate mergers, patent and trademark secrets, litigation strategy, and the financial data of corporate clients. A Washington, D.C. law firm representing a maker of solar panels in a trade dispute was recently targeted by Chinese military hackers. A breach at a client's computer systems led to the hack of a New York law firm, which exposed not only its client base but also its own employees' Social Security numbers. “If you are a major law firm, it’s safe to say that you’ve either already been a victim, currently are a victim, or will be a victim...”2
Solo practitioners and smaller law firms should not think they are immune to cyber attacks. As a partner in a three-attorney law firm reported last year, his firm was the victim of CryptoLocker-type ransomware, which encrypted his client files so they were unreadable; the attackers then demanded payment to restore the data. “Dear Clients”, Attorney Robert Ziprick wrote in the letter the law firm mailed out giving notice to its clients, “It is almost a daily occurrence that we read about cyber attacks in the news. Unfortunately, our firm was the victim of a single cyber attack....”3 The point is that all law firms are at a higher risk of cyber intrusion than ever before. Attorneys must assess how their vulnerability to third-party attacks can make them liable for failing to protect client information.
This article is intended to provide an overview of what these developments mean to Kentucky lawyers and offer cyber security risk management considerations to assist you in protecting your firm from professional responsibility violations and malpractice claims.
Kentucky’s Consumer Protection Data Breach Notification Law KRS 365.732
The Kentucky General Assembly joined 40 other states when it enacted a consumer protection data breach notification law in 2014. KRS 365.732 requires written notice to persons affected by a computer security ‘breach’ involving their unencrypted ‘personally identifiable information.’ A breach is defined as the unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security and confidentiality of that personally identifiable information.4 An individual’s first name or first initial and last name, in combination with a Social Security number, a driver’s license number, or an account or credit card number together with any required access code or password, constitutes personally identifiable information under the statute. The ‘information holder,’ in our case the attorney, is required to disclose any breach to the affected persons in the most ‘expedient time’ possible and ‘without unreasonable delay.’ The only basis for delaying that notice is a determination by a law enforcement agency that notification would impede a pending criminal investigation.
The notification required under the statute must be in written form, or may be sent electronically if the client has agreed to accept such notices.5 If the cost of providing individual notices would exceed $250,000, or the class of persons affected exceeds 500,000 people, then a ‘substitute notice’ suffices: email notice where an address is known, a conspicuous posting on the information holder’s website, and notification to major statewide media. If more than 1,000 persons are affected at any one time, the statute also requires the information holder to notify all consumer reporting agencies and credit bureaus that maintain consumer files on a nationwide basis. The timing, distribution and content of those notices are prescribed by federal law.6
The data breach notification statute establishes no new cause of action. Nor does it authorize fines or penalties for non-compliance. However, KRS 446.070 allows a person injured by the violation of any Kentucky statute to recover damages sustained by reason of the violation.
The greatest harm a data breach inflicts on a law firm is the violation of the attorney’s duty to preserve a client’s confidential information.7 From the business side of the practice, however, reputational damage and loss of client confidence can have a significant impact on the firm’s bottom line. Cyber security oversight and management for law practices is therefore essential.
Cyber Security Assessment and Plan: Efforts to protect your law firm from data breaches begin with a firm-wide discussion of cyber security issues and the development of a plan to prevent intrusions, detect those that occur, and respond to them in a way that limits their impact. The discussion should first focus on an assessment of all cyber security risks associated with the firm’s use of technology, including email communications, e-filings with state and federal courts, the exchange of discovery in litigation, and the maintenance and storage of digital client information and files. Have you appropriately assessed all of your law firm’s cyber security risks? What steps have been taken to evaluate those risks?
Evaluate Your Law Firm’s Computer Practices:
Consider Your Law Firm’s Operational Practices:
Cyber security liability insurance emerged at the end of the 1990s to cover lost revenue and data restoration costs from cyber attacks on corporations. It was not until California passed the world’s first data breach notification law, in 2002, that demand for commercial coverage for law firms began. Insurers now provide cyber security liability insurance to pay for expenses associated with notifying clients, credit monitoring for the affected clients, IT forensics, public relations fees, defense costs and civil fines from privacy regulation actions, and civil litigation. Some policies also extend coverage to loss of income resulting from network downtime and to property damage to the firm’s physical assets. Theft of the law firm’s own intellectual property, however, remains uninsurable, as insurers have struggled to place a value on the loss when a system is compromised.
Despite an attorney’s best efforts to minimize exposure to breaches of client information by evaluating the firm’s policies and procedures, breaches will realistically occur, and law firms can suffer significant financial losses as a result. In today’s technological world, cyber security risks affect solo practitioners and law firms of all sizes. Attorneys are placed in the unenviable position of maintaining their professional responsibility to clients while guarding against a variety of cyber security threats, aware that, despite their efforts, no defense can perfectly protect their valuable client information. Only by having an effective strategy to analyze those risks, mitigate their impact on your law firm, and maximize protection against data breaches can attorneys feel confident they are doing all they reasonably can to protect against cyber security risks.