Not surprisingly to some observers, law firms are among the worst offenders when it comes to implementing a robust privacy and cyber security protection program to manage their data. One of the most critical components of a best-practices information governance regime is the purchase of dedicated cyber, privacy and technology insurance. Many — indeed, more than many — attorneys fail to focus on the fact that they hold third parties' regulated personally identifiable information and personal health information, as well as clients' confidential commercial information, among other sensitive data. This is not to say that we necessarily ignore the associated risks and exposures. Rather, in many cases, it is simply a function of the fact that law firm decision-makers typically are too busy to think about it. But they should.

A recent example of a law firm breach was disclosed by Edward Snowden, who published a top-secret document revealing that a global law firm based in the U.S. had been monitored by the National Security Agency and its Australian counterpart because the firm was representing the interests of Indonesia in connection with trade negotiations.

Mr. Snowden's revelations are not unique to the extent they involve a breach at a law firm. The cyber security firm Mandiant estimated that 80 major U.S. law firms had been hacked as of 2011, and the number of firms breached since then reportedly has grown significantly.

Perhaps of greatest concern are the financial implications of a data breach. The average of all costs associated with a cyber incident in 2013 was $3.5 million, according to the Ponemon Institute. Third-party litigation, lost opportunity costs and, in many cases, a potentially significant hit to the firm's bottom line would naturally follow a breach. In other words, the reputational and financial risks of a data security breach can be devastating.
Law firms are a preferred target of cyber criminals

While law firms can discount NSA surveillance as an anomaly, the threat of a law firm privacy incident is far from hypothetical. The American Bar Association recognized the risk in 2012 when it amended its ethics rules to require attorneys to "make reasonable efforts" to protect client information. In turn, the FBI has cautioned attorneys on their cyber risks and exposures, pointedly warning that hackers view them as a back door to their commercial clients' confidential information.

Privacy-related litigation can take many forms, whether or not a breach has occurred. For example, in May 2014, a Pennsylvania collections attorney was sued in a putative class action lawsuit alleging that he and his client had included in a public court filing the named plaintiff's full Social Security number rather than just the last four digits. The complaint alleges violation of the common law tort of invasion of privacy.

Even absent litigation, the financial and reputational costs of a privacy incident can be incalculable. In March 2014, a significant international law firm notified Maryland authorities that hundreds of employees' W-2 and other information had been stolen when a vendor's database was compromised, allowing the hackers access to the law firm's servers. As a remedial measure, the firm provided free credit monitoring to all affected persons, numbering in the hundreds.

Entities holding client trust funds in particular appear to be a favored target of cyber fraudsters. For example, two Canadian law firms were victimized in December 2012 when their trust accounts were accessed by malfeasants. In the first case, $90,000 was stolen from an attorney who succumbed to the widely known bad-check collection scam, in which the attorney sent a firm check to a purported client posing as a foreign national seeking assistance in collecting on a fraudulent debt.
Needless to say, there was no errors-and-omissions coverage for the resulting loss.

The second case is more troublesome. There, an Ontario, Canada, firm suffered a six-figure loss from its trust account when its system was infected by a Trojan horse virus that tracked a computer user's keystrokes. Through this mechanism, the fraudsters were able to capture confidential passwords when the firm's bookkeeper logged into its trust account. Trust funds were then serially wire-transferred to an overseas account and never recovered.

One of the best-known law firm breaches occurred in 2010, when China-based hackers, looking to scuttle a $40 billion corporate takeover of the world's largest potash producer by an Australian mining company, infiltrated the secure computer networks of at least seven Toronto-based law firms connected to the deal. Canada's Finance Ministry and its Treasury Board also were hacked. The acquisition ultimately fell through, albeit reportedly for unrelated reasons.

Law firm decision-makers should be particularly mindful of the fate that befell a California escrow services company that had been breached by cyber criminals who stole roughly $1.5 million from over 100 of the firm's escrow accounts. Like the Canadian law firm, the escrow service had been the subject of rogue Trojan horse malware. The stolen capital was then wired to Russia and China. The unauthorized accesses began in December 2012 and continued into January 2013. They were reported to regulators in February 2013. An investigation ensued, pursuant to which the company was ordered to replace the stolen funds within three days from the date of the order. The escrow firm was unable to meet its financial obligations. As a result, the California Department of Corporations filed a petition in state court and subsequently appointed a receiver. In the end, the company was forced to shut down and lay off its entire staff.
Then there is the risk — and almost daily real-life occurrence — of improper document disposal. There have been a number of instances where attorneys were found to have disposed of unshredded client records in dumpsters. In another case, a Texas law firm's laptops were found in a pawn shop, notwithstanding the firm's policy of donating only those computers that had been professionally scrubbed of client information. In yet another, an employee stole 200 laptops from a Palo Alto, California, law firm. And we all have heard the myriad stories, or had first-hand experience, involving the negligent loss of laptops, cellphones, smartphones and the like.

The value of a robust information governance plan, including dedicated cyber insurance

With these facts, statistics and warnings in mind, the solution is simple: Information governance is a practical place to start. A cyber security and risk transfer expert wielding associated legal privileges can assist a law firm and other professionals in formulating and implementing practical and reasonable steps to protect their clients' and employees' personally identifiable information, personal health information and confidential commercial information — and, by extension, the law firm's financial health.

Given the magnitude of the costs inherent in remediating a privacy incident, it is a relatively modest investment for a law firm to purchase dedicated cyber, privacy and technology insurance. While various insurers' policies differ on the scope of coverage provided, cyber insurance can reduce the net expense of a material cyber incident by multiples of the premium paid. Indeed, it is comparatively cheaper to implement a strong privacy regime with associated CPT insurance than to bear the entire net burden of having to remediate a privacy event and potentially face protracted litigation.
In the long run, a firm-specific information governance program developed and deployed by an experienced, knowledgeable cyber risk transfer attorney is both practical and virtually a necessity. More and more clients are requiring their outside advisers to sign certifications that their information governance systems include robust cyber security and privacy policies and procedures. To the extent a law firm cannot so certify, it likely will not be considered for the proposed retention — or, most likely, for future retentions by other prospective or even existing clients.
Posted on: Mon, 14 Jul 2014 23:18:32 +0000