Bar News - September 21, 2016
Cyber Crime and the Legal Profession – Managing Risk
By: Colleen M. Capossela
Who would have thought years ago that practicing law would now include the need to manage technology and technology security issues? Gone are the days of just focusing on providing clients the best legal advice and having the technology experts maintain and manage the technology. Attorneys now need to play an active role to protect their business.
The cost of data breaches continues to rise. First-party losses from a data breach include loss of data, loss of business income/business interruption, restoration, re-creation and remediation, and notification and credit monitoring expenses, to name a few. In addition, there are liability considerations. Absent clearly defined rules, regulations, standards and best practices, it is said that a “reasonableness” standard comes into play in determining negligence and assigning liability.
A business doing nothing to mitigate risks will not be acceptable. There are professional conduct rules to consider, and where federal and/or state rules and regulations govern law practices, there are more liabilities and penalties that could impact operations. There are breach notification regulations, like RSA 359-C in New Hampshire. Some states are reviewing these regulations in light of the increase in cyberattacks and enhancing requirements on notification and credit monitoring, as well as now considering requiring businesses to implement certain safeguard measures. Some states are also expanding the definition of the kinds of information that must be protected.
And, of course there is the loss of good will and the negative impact on your reputation in the event of a cyberattack, especially if you have not taken reasonable steps to mitigate risks that impact your clients and employees. The bottom line: The costs associated with a cyberattack on a law firm could have a devastating financial impact.
Law firms of all sizes are experiencing attacks. Given this, all law firms, if they have not done so already, need to take action and adopt security plans and protocols to minimize risk. In the event a breach happens, law firms need to put in place incident response plans to effectively respond.
In creating a security plan and protocols, the law firm should evaluate the roles and responsibilities of the people within the firm from the top down and put in writing key protocols and procedures with regard to the use of its networks, computer systems, mobile devices and hard copy files. The law firm should also involve its key IT support in this process, as well as others the firm would ultimately turn to if a breach occurred: the insurance broker and underwriters, public relations representatives, forensic investigators, and even a cyber security privacy attorney if that is not the firm’s own area of expertise. These advisors can help put preventive measures in place.
Consider for example:
- Working with security and technology professionals with proper knowledge and understanding of the cyber industry, including forensic experts;
- Inventorying all systems, networks and mobile devices used, and addressing security needs and protocols for each – evaluate use, level of importance, level of risk and determine what security is needed;
- Working with a cyber security privacy attorney to understand the applicable laws, rules and regulations that affect your business, if this is not your own area of expertise;
- Limiting access – allowing employees to access only the specific data systems that they need to do their jobs, instead of all;
- Educating your employees regularly on how the industry is being affected and what to look out for;
- Establishing reporting procedures for any incidents or breaches;
- Establishing protocols for discarding hard copy files, computers, phones, copiers and other equipment as well as scrubbing of information; and
- Establishing an Incident Response Plan and Business Continuity Plan in the event of a breach.
Attorneys should be sure to test security plans and protocols regularly and modify when necessary. Also, it should be made clear to all in the firm what the penalties will be for violating the firm’s plan and protocols.
In addition, firm managers need to be sure the firm has the proper insurance coverage to help pay for the expenses and losses that may be incurred. When considering cyber or crime-related losses, many may believe that their current policies, like professional liability and comprehensive general liability, will cover their losses, but many of these policies do not provide adequate coverage or sufficient limits. Also, insurance coverage in a business owner’s policy (BOP) or “package policy” could potentially bring a false sense of security. Reviewing policies can reveal gaps in coverage or possibly specific malicious-code and system-penetration exclusions. A separate cyber policy and/or crime policy may be necessary.
Colleen M. Capossela is an attorney, licensed insurance producer and president of CentricPro Management Services Inc., a subsidiary of CATIC Financial Inc. and a sister company to CATIC, providing solutions to the legal community in the areas of insurance, bonds, voluntary employee benefits, succession planning, independent escrow agent services and 1031 like-kind exchange services.