2016 is shaping up to be the year of law firm data breaches, as Cravath Swaine & Moore LLP, Weil Gotshal & Manges LLP, and of course, Mossack Fonseca can attest to. A year earlier, the 2015 ABA Technology Survey reported that nearly 25 percent of larger law firms had experienced a data breach at some point in the firm’s history. This number has clearly risen over the past year. Since the three noted high profile breaches were announced only a few months ago, we won’t have the full story of what happened for a while.
It may be more helpful to review a settlement from June 24, 2016, between the government and CHCS, a HIPAA Business Associate (BA). A BA refers to a company such as your law firm or my IT company that may encounter health records, but is not a hospital, doctor’s office, or health insurer. An iPhone containing sensitive information belonging to 442 individuals was stolen and was not password protected. The BA that lost the unprotected phone agreed to a $650,000 fine, a corrective action plan and a two-year monitored compliance program. Lack of appropriate diligence has led to fines of $1.7 million over USB drives, more than $1.5 million over numerous laptops, and $4.8 million over a server.
Some of you may be thinking, “That’s interesting, but my firm won’t ever have any medical records.” Are you sure? Your thoughts, beliefs and wishes are absent from the laws’ considerations. Regardless of your firm’s data profile and practice areas, other state and federal laws require every business to protect all forms of personally identifiable information (PII) with various standards of care. Ultimately, the Rules of Professional Conduct’s Ethical Rule (ER) 1.6 requires “reasonable efforts” from all lawyers to protect all client data.
So how do you know if you are in good shape or if you have work to do? You go to the same place to which you must routinely return – your risk analysis. It was unsurprising that in the statement accompanying the settlement, U.S. Department of Health and Human Services Office for Civil Rights (OCR) director Jocelyn Samuels stated, “At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan.” Had any sort of even rudimentary risk analysis been done, it’s difficult to see how this breach could have occurred. Mobile phones are easily lost or stolen, and protecting them is simple. Failure to perform such basic protection not only falls below the HIPAA standard of care, it is clearly unacceptable for any law firm as well.
There is no indication, yet, that any of the large law firm breaches mentioned involved a mobile phone. However, the OCR singled out the risk analysis and risk management plan for good reason, since most breaches can be traced back to a failure in these fundamental areas. A formal risk analysis and update of your risk management plan must occur at least annually. Larger, more complex firms should perform reviews several times per year. This is the essence of the recently revised comment 6 to ER 1.1, which calls for staying up to date with “the benefits and risks associated with relevant technology.” Technology evolves rapidly, and we must ensure risk analyses are thorough and timely. Consider engaging a third party to provide a fresh set of eyes for the evaluation. Security is a specialized area of expertise, and I’ve made continual investments in consultants and training. Consider similar investments where appropriate. Most importantly, your job here is never “finished,” so it’s all about your review, management rhythm and process. Lastly, your risk management plan should include educating your people about potential risks and having reasonable policies and procedures to mitigate those risks, which help you comply with ER 5.1 and 5.3 and your legal requirements. Dave Kinsey