As the news media continues to make us aware of the ever-mounting data breaches at corporations and government agencies, one might assume these institutions are the only key targets for state-sponsored and criminal hackers. In fact, data breaches at law firms are occurring at an ever-increasing rate, yet most go unreported. Even so, 25 percent of firms reported some type of breach in 2015, up from 10 percent in 2012.
The fact that law firms host enormous amounts of very valuable data, ranging from corporate intellectual property and strategy documents to sensitive government secrets, is not lost on those who stand to gain from obtaining it. Implementing sound IT systems and data security practices is an essential business practice for every law firm, as well as an ethical duty for lawyers. Law firms that ignore this risk and do not devote adequate resources to protecting client data do so at their peril.
The simple fact is that, whether law firms like it or not, they are by the very nature of their profession in the data management and security business.
The potentially catastrophic financial impact of a breach is something every managing partner must consider. The average cost of a data breach ranges from $6.4 million to $7.5 million, including forensic investigation, remediation, notification expenses, credit monitoring and crisis management. This does not include the client attrition that almost always follows. The very existence of a law firm may therefore hinge on its ability to withstand such a cost.
Lawyers' Duty to Protect Client Data
The legal and ethical obligations of law firms to protect client data are well documented. Federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair and Accurate Credit Transactions Act (FACTA) clearly obligate lawyers to protect certain types of data in their possession. States have also imposed obligations on law firms and other businesses to protect personally identifiable information (PII), including driver's license and Social Security numbers. Failure to do so can result in civil suits and regulatory penalties.
Lawyers must also comply with their ethical duties under ABA Model Rules of Professional Conduct 1.1 (competence) and 1.6 (confidentiality of information). A violation may result in a malpractice lawsuit and potential disciplinary action.
To compound matters, almost every law firm today undergoes numerous IT systems and security audits at the demand of its corporate and government clients. Failure to meet clients' requirements may result in lost business or significant infrastructure investment to bring the firm into compliance. This is particularly true of firms that work in the financial and health care industries.
Responsible firms should therefore pursue either an internal examination or an external independent audit covering the following areas of information security. While this list is not exhaustive, it is a good first step toward making security-conscious decisions and laying the groundwork for a holistic approach to security.
- The Cloud.
- Email Security.
- Password Policy.
- Cyber Errors and Omissions Insurance Policy.
Take a Pragmatic Approach to Data Security
In closing, a data breach is a very real threat and has become a growing concern for managing partners and CIOs of law firms around the world, regardless of size or practice area. Complicating matters, law firm clients are becoming increasingly sophisticated about data security requirements and are demanding that their lawyers and firms have systems in place to ensure compliance. A law firm's failure to protect client data can have disastrous monetary and reputational consequences. Instituting a comprehensive, enterprise-level data security program at every firm is therefore a necessary cost of doing business.
Jordan McQuown