With all the discussion lately about law firm security and the expectations for increased diligence in protecting your data, it’s understandable that many firms are asking – why now? In this post, we’ll review the growing importance of cyber security, why law firms are vulnerable to attacks, and the obligation they have to their clients in the event of a security breach.
Why are we hearing so much about law firm cyber security these days? What has changed in such a way that firms now have to spend time and money dealing with something that was seemingly a non-issue a year ago? The answer is Target.
At the recent ILTA LegalSEC conference, where many of the nation’s leading legal security minds convened, the name ‘Target’ was mentioned dozens of times throughout the day. We have all heard the story of the Target data breach, in which approximately 40 million credit and debit card numbers were compromised. And while the cards and the risks associated with their theft were the headlines, a smaller, secondary fuse was lit in the minds of people everywhere: if hackers can get into Target, where else can they go? And more importantly, what are they looking for?
The answer is gold. Data gold. Information gold. In the world of cyber crime, data gold translates to Personally Identifiable Information, or PII. PII includes social security numbers, credit card numbers, driver’s license numbers, addresses, user names, passwords and even medical information. There are specific guidelines that clarify which combinations of PII represent the highest risk for companies (and the highest value for attackers), but at a high level this information is the primary target. There are other types of valuable information, including corporate information, litigation information and intellectual property; however, for the sake of discussion, we’ll focus on PII.
What the ‘bad guys’ have realized is that there is a substantial amount of PII that can be harvested from the networks of law firms. Law firms are rife with PII. Nearly every practice area requires the collection and retention of PII critical to the handling of a case or file. Estate Law? Full of PII. Medical Malpractice? Chock full. Family Law? You guessed it. Most firms do not realize just how much information is gathered and stored as part of their normal business practice. You can be sure, however, that the criminals of the world are taking notice.
While Target was making everyone aware of its vulnerabilities, the legal industry awoke to the fact that it could face a similarly embarrassing fate if it does not heed the ‘call to arms’ for IT security. Why? Because the biggest impact on Target wasn’t directly related to income; it was related to trust. And what’s more valuable to a law firm than the trust of its clients? The loss in holiday sales combined with the loss in stock value represented a tremendous hit for a highly regarded company. A security breach could affect your firm in similar ways. How?
It’s a little-known fact that Ohio Revised Code 1349.19 (Private disclosure of security breach of computerized personal information data) requires that, once a breach exposing personal information is discovered, every Ohio resident whose information was, or is reasonably believed to have been, accessed by an unauthorized person must be notified. For a law firm, that means notifying every affected client. Specifically:
(B)(1) Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the person with another person prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section and does not waive any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the person is in this state.
Notifying every one of your affected clients that their personal information has been exposed and that client confidentiality has not been upheld is a frightening proposition. The implications for your business are substantial.
The costs of addressing a security breach range from network equipment, data recovery and security system repairs and upgrades, to lost client business, reputation damage and the hours lost dealing with the situation. All in all, every firm should avoid this at all costs.
So know what’s at risk and take whatever actions are necessary to ensure your IT environment is ready and able to defend itself. There is no guaranteed way of keeping the ‘bad guys’ out of your IT environment; however, doing the right things now will go a long way toward ensuring client confidence in your legal practice for the foreseeable future.