As illustrated by recent headlines, law firms of all sizes are squarely in the crosshairs of hackers. The consensus among data security professionals is there are now two types of organizations: those that have been hacked and those that will be hacked (or perhaps those that have already been hacked and just don’t know it yet!). With the recent amendment to Tennessee’s data breach notification law, now is a great time to assess your law firm’s data security practices as well as your readiness to respond when hit with a cyber incident.
Clients want to know: Who’s watching our data?
Maintaining the confidentiality of client information is a “fundamental principle in the client-lawyer relationship.” To fulfill this obligation, “[a] lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client.” A decade or two ago, this could have been accomplished by simply locking the office at night and keeping files tucked away. Today, safeguarding client information is a significantly more complex challenge. Reasonableness, not perfection, is the measure but clients and prospective clients are inquiring with increasing levels of specificity and depth about law firms’ security measures and practices. Your firm needs a data security policy. If your firm already has a security policy, it needs to be reviewed regularly—at least once a year—as security technology and practices are constantly evolving. If a client has not asked whether your firm has a security policy in place, that day will come soon. Corporate clients go to great lengths to protect their customers’ information. There is a growing expectation among clients that, when they hand their information over to their law firm, it will be just as protected. With data security, law firms have been regarded as a soft underbelly for far too long.
Additionally, if your firm has client information covered by data protection statutes or regulations, such as HIPAA, your firm is likely legally obligated to protect information either by law or by con- tract. Regulators are taking notice. The U.S. Department of Health and Human Services, Office for Civil Rights recently announced a $650,000 settlement with a business associate for a HIPAA violation, reportedly the first such action taken directly against a business associate.
Another consideration in protecting client data is knowing how and where it stored is. As cloud storage becomes ubiquitous, lawyers should know the considerations involved in storing data in the cloud. The Tennessee Board of Professional Responsibility issued a formal ethics opinion ad- dressing the question “May an attorney ethically store confidential client information or material in ‘the cloud’?” The answer is yes, so long as the lawyer takes reasonable care that the data remains confidential and that reasonable safeguards are employed to protect the information from breaches and other loss. When was the last time you reviewed your service agreement with your cloud storage vendor? Does it cover safeguards?
Read the full article here in The Memphis Lawyer, pages 10 – 11.
This article is by Justin Joy and is featured in the current edition of The Memphis Lawyer, and is reprinted with the permission of the Memphis Bar Association.
Mr. Joy has a variety of experience in various general civil litigation matters including business and commercial litigation, insurance coverage disputes, healthcare liability defense, medical device liability defense, personal injury and business torts. He also represents media organizations and journalists in defamation actions and other matters. Mr. Joy has been involved in a number of jury trials to verdict. Mr. Joy also provides counsel to clients in the area of information privacy and cybersecurity including security incident investigation, security awareness and policy drafting, cyber risk management including insurance policy coverage consultation and breach response management. Specifically in the area of healthcare, Mr. Joy counsels covered entities on a variety of matters pertaining to HIPAA Privacy Rule, Security Rule, and Breach Notification Rule compliance.