(Image by Yuri Samoilov, via Flickr)
Ubiquitous news of law firm data breaches, even among BigLaw, spotlights a treasure trove of trade secrets, confidential and strategic transactions, and sensitive client information — all of which might be stolen from law firms for ransom, sale, insider trading, blackmail or hacktivist purposes. No wonder law firms are perceived to be attractive targets of cyber-attacks. Attractive? You can’t help that. Easy? Not so fast. Don’t let your firm be an attractive AND easy target!
With developing and aggressive governmental policies to combat cyber warfare alongside ethical and legal obligations to protect clients’ technical, private and privileged information, lawyers must be competent and reasonable in their practice. For example, among the last things you need is an inadvertent electronic disclosure of confidential client data such as a customer list when working on a 363 sale. Your technical competence and the reasonableness of your efforts to thwart such a leak could lead to questioning by a governmental agency as well as to suffering punitive consequences.
What was seen to be reasonable at any given point is likely to change quickly with a new ruling or the enactment of a law. In fact, while technological competency was addressed back in 2012 with an amendment to MRPC 1.1, Florida, as of Jan. 1, 2017, was the first state to require technology related CLE courses. In adopting the bar association’s proposal for mandatory technology CLEs, the Florida Supreme Court opined that competent representation may involve a lawyer’s association with, or retention of, a non-lawyer adviser with established technological competence in the relevant field. Additionally, the court said, in order to maintain the requisite knowledge and skill, a lawyer should engage in continuing study and education, including an understanding of the risks and benefits associated with the use of technology.
In what areas should a bankruptcy practitioner be vigilant regarding the risks and benefits of using technology?
Some valuable examples of bankruptcy-specific issues are discussed further below. But first, here are some excellent basics extracted from a publication of the Federal Trade Commission (FTC) that describes lessons learned from 50+ FTC data security settlements.
Start with Security. Make conscious choices about the kind of information you collect, how long you keep it, and who can access it. There is a plethora of personally identifiable information (PII), as defined at § 101(41A), together with other sensitive client data, that is collected in the bankruptcy and restructuring process. Consider also whether your data destruction policy can eliminate unnecessary maintenance or possession of sensitive client data.
Sensibly Control Access to Data. Not everyone in the firm needs access to the confidential data you collect. Implement proper user authorization controls and train personnel on proper treatment of confidential data. Restrict administrative rights so that changes to your network can only be made by those tasked to do so.
Require Secure Passwords and Authentication. Too many firms allow common dictionary words as administrative passwords, as well as passwords already in use for other accounts. Hackers use password-guessing tools and try passwords stolen from other services. Best to require complex passwords and avoid using the same or similar passwords for multiple and both business and personal accounts. Implement a policy to suspend or disable accounts after repeated login attempts.
Store Sensitive Information Securely and Protect It During Transmission. Assuming you have secured your own network, keep the sensitive information secure throughout its lifecycle. Use industry-tested and accepted methods. Often, data is encrypted in its initial transmission but once received the security feature is removed and then shared both in and outside of the firm. Ensure proper configuration. Encryption — even strong methods — won’t protect your users if you don’t configure it properly. (Turning off a critical process known as SSL certificate validation without implementing other compensating security measures is a common example.)
Segment Your Network and Monitor Who’s Trying to Get In and Out. Firewalls should be set up to segment your network, thereby limiting access between computers on your network and between your computers and the Internet. Another useful safeguard: intrusion detection and prevention tools to monitor your network for malicious activity.
Secure Remote Access to Your Network. Most firms allow remote access and mobile access, which can pose new security challenges. If you give employees, clients or service providers remote access to your network, have you taken steps to secure those access points? You need to ensure endpoint security. Just as a chain is only as strong as its weakest link, your network security is only as strong as the weakest security on a device with remote access to it (e.g., ensure there’s anti-virus protection on outside computers accessing the firm’s network and clients or service providers with remote access should have basic security measures, like firewalls and updated antivirus software).
Make Sure Service Providers Implement Reasonable Security Measures. Before hiring someone, be candid about your security expectations. Take reasonable steps to select providers able to implement appropriate security measures and monitor that they’re meeting your requirements. Put it in writing. Insist that appropriate security standards are part of your contracts. Verify compliance. Security can’t be a “take our word for it” thing. Including security expectations in contracts with service providers is an important first step, but it’s also important to build oversight into the process.
Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities That May Arise. If you use third-party software on your network, or you include third-party software libraries in your applications, don’t ignore updates, implement them as they’re issued. Outdated software undermines security. The solution is to update it regularly and implement third-party patches. Heed credible security warnings and move quickly to fix them.
Secure Paper, Physical Media and Devices. Just as you lock your office or filing cabinet, your server should be in a locked rack. Media and devices should be password protected. Dispose of sensitive data securely by shredding, burning, or pulverizing documents to make them unreadable and by using available technology to wipe devices that are lost or aren’t in use.
Avoid Unencrypted Emails, Mobile Transport of Confidential Data. Attention is certainly given to PII when selling or transferring same and when disclosed in court filings. Note, though, that PII such as customer and creditor lists, together with confidential data anticipating a client merger, acquisition or filing for Chapter 11 relief and asset and liability data, is often carried on thumb-drives or laptops, or transmitted via unencrypted email.
At a very minimum, password protect emails with attachments containing sensitive information. There is risk that the information may either be captured “en route,” or provided to the wrong party (either by mistake or on purpose). Once password protected data is received, don’t compromise it by removing the security. To safeguard confidential data transmissions, explore using a Secure Virtual Data Room (VDR). It is more likely that confidential data emerges not as the result of a hack, but due to security lapses. Today, more and more of our critical data safely resides in the cloud, accessible via the Internet, anywhere in the world.
Top-tier virtual data rooms have proven to be a secure, encrypted alternative to the unencrypted, insecure email systems that many law firms and advisers currently use. The user authorization requirements and global accessibility of VDRs really obviate the need to ever physically carry confidential data. Using VDRs to share confidential data and ease collaboration is standard practice in North America. Use of project names/aliases, rather than actual client names, is likewise a standard practice. Not taking such simple and effective steps to protect confidential data would likely be considered negligent by most courts in evaluating the culpability of a law firm.
Bankruptcy Rule 9037 addresses privacy concerns resulting from public access to electronic case files. It instructs filers to only include the last four digits of the Social Security number and taxpayer identification number, the year of the individual’s birth, only the initials of minors and the last four digits of any financial account numbers.
In the court’s effort to ensure compliance, filers must indicate that they are aware of this requirement by clicking acknowledgment when entering the court’s ECF website. Making this acknowledgment should be done with a conscious awareness, not casually. Per the Rule’s advisory committee notes, the Clerk of Court is not required to review documents filed with the court for compliance with this rule. Under subdivision (a) of the Rule, the responsibility to redact filings rests with counsel, creditor parties, and others who make filings with the court.
A particularly relevant example of unintentional submission of PII was the failure of several banks to exclude or redact underlying bower PII from the supporting documentation of thousands of claims. A debtor’s counsel may wish to reconsider the relevant definition of PII, particularly when representing healthcare and consumer-facing clients.
The Rule fails to contemplate relief in the event of prohibited disclosures. However, as in the case of bank-filed proofs of claim that included borrower PII, we have already seen quite serious consequences, including punitive damages. Regardless of the apparent scarceness of other enforcement actions surrounding Rule 9037, the increased attention being directed at rights regarding data privacy will likely lead to additional activity in the bankruptcy courts as well.
There’s no question that changes to data privacy laws are on the rise and becoming of increased public interest. It will be critical to keep abreast. Of note at the February 2017 LegalWeek conference held in New York was a session titled “The Data Privacy Landscape: Emerging Laws Affecting Cross-Border Discovery.” Natascha Gerlach, a Brussels-based senior attorney at Cleary Gottlieb Steen & Hamilton, was quoted, “In the EU, which is currently still governed by the EU data protection directive from 1995, the premise is that the processing of data is prohibited unless it is explicitly allowed by law. In the U.S., it’s the opposite: You can do whatever you like unless it’s prohibited.” Although the session was not specifically directed to bankruptcy practice, the alert is relevant to cross-border bankruptcies where the reports and filings that are usually public in U.S. cases may not be public in non-U.S. jurisdictions.
When a Data Breach Occurs
Data breach is not a matter of if, but of when. Breaches most commonly occur as a result of motive, opportunity, weak security and/or weak policies. Do you have breach insurance that covers notice and remediation? There are numerous changes being made in cybersecurity insurance offerings. Do you even know what constitutes a breach?
All too often, firms and companies aren’t aware until a governmental agency is investigating and advising a firm of its security lapse, aka data breach. Typical manifestations include hacks, theft, phishing and malware. Regulatory compliance in the event of a breach is also changing. Learn what the requirements are in your state, but at a minimum have an incident response plan, a plan for execution of quick and proper notification, and rules for preservation of evidence.
Being informed, educated and proactive in implementing a system of data security policies and procedures to protect client data, can prove vital. Persistently protect confidential data — when it is collected, stored, used, and shared in databases and applications, as well as when it is e-mailed or otherwise transmitted inside or outside the firm. Such precautions will likely reduce the occurrences of data breaches and may serve to mitigate some of the costs.
In summary, data security continues to be an issue for many law firms. More and more clients assess security measures of potential vendors as a key to vendor selection. Failure to take the simple steps referenced earlier in this article is not likely to be viewed as acceptable considering the trends with laws, regulation and expectations. Cybersecurity expectations are moving quickly and it is time law firms catch up.
Tinamarie Feil is a co-founder of, and runs, the restructuring services division of BMC Group, Inc., a global information management firm. A member of this newsletter’s Board of Editors, she can be reached at firstname.lastname@example.org or 212-310-5922.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.