On Wednesday, the personal information of tens of millions of customers and employees of Anthem, one of the world’s largest health insurers, was compromised through a highly sophisticated external cyber-attack. Personal data, including names, dates of birth, social security numbers, health ID numbers, addresses, email addresses, telephone numbers, and employment information, was accessed and most likely stolen. While the actual number of affected people is not yet known, upon learning of the breach, Anthem took immediate steps to respond to the issue:
“Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape.” (Source)
While the incident is unfortunate, Anthem’s response was efficient and well-planned. They immediately notified each of their employees of the breach, distributed internal memos and FAQ sheets, created a dedicated website for their members, brought in the FBI, and hired a cyber security firm to begin a full investigation. They also plan to individually notify every member whose information was accessed.
Anthem had a plan for this type of scenario, and the capacity to follow through with it. Do you?
These days, it’s no longer optional to have a plan to properly protect your data. Just because law firms are not regulated like financial and healthcare industries does not mean that you don’t have data security obligations. Cyber security needs to be a top priority. So when the day comes when you realize that you’ve been hacked – will you know what to do?
Breach Notification Guidelines for Law Firms
47 states have laws requiring notification of anyone whose personal information was exposed during a security breach. This does not mean that you have to know for certain that the information or data was taken; it is enough that it simply could have been taken.
Personally Identifiable Information (PII) that requires client notification when breached is legally defined as a “Name” PLUS any of the following (Bro & Smedinghoff, 2014):
- Social Security Number
- Driver’s license number
- Government issued ID number
- Financial account / credit card number
- Other information (including email address, healthcare data, etc.)
According to the American Bar Association (ABA), if you find that your confidential information may have been breached or exposed, you are obligated to (Bro & Smedinghoff, 2014):
- Investigate and remedy the problem
- Notify persons whose personal information was compromised
- Notify state enforcement agencies
- Notify Credit Agencies
Note: Some state laws provide exemptions from these requirements. For example, in many states, encryption represents a safe harbor from client breach notifications: should a breach occur, if the exposed data was encrypted, client notifications are not required. Be sure to refer to your state’s specific guidelines for the full notification requirements.
Are you prepared?
Is your firm prepared for a data breach? If a breach occurs, do you have the capacity to notify every single person your firm has employed or conducted business with? How long would it take to respond? If the data was lost or damaged, do you have systems and protocols in place to repair the damage? Could your firm survive the loss of revenue and reputation that such an event would cause?
While it may sound self-serving to paint these apocalyptic doomsday scenarios, the truth is we see and deal with these issues. Every. Single. Day. Operating a law firm in 2015 requires a solid understanding of technology and a commitment to safeguarding the information you’ve been trusted to hold.