Cyber criminals are targeting law firms for their valuable confidential information, from trade secrets to personal data. According to the American Bar Association, approximately one in four attorneys or law firms surveyed reported that they have experienced a data breach. Data breaches are on the rise across the board for small, medium and large firms, with hackers infiltrating some of the most sophisticated law firms.
Being prepared for a data breach before one occurs is one of the best ways that lawyers can protect against disclosure of client information and mitigate damages resulting from a breach, but responding to a data breach is just as important. Here are three key actions that lawyers should take after a data breach.
- Have a formal response plan and follow it.
When faced with a data breach, time is of the essence. Once a lawyer realizes that a data breach has occurred, they are required, under the Model Rules of Professional Conduct, to act reasonably and promptly to stop the breach. Rather than spending time trying to figure out what to do after the fact, lawyers can benefit from having a formal response plan already in place.
What should go into a formal response plan? In short, it depends. There is no one-size-fits-all model of what actions lawyers should take. What works for a large law firm will likely not work for a solo practitioner, and vice versa. However, lawyers can customize a formal response plan to take into account the unique challenges their law firm faces. Factors to consider include a firm’s practice areas, size, budget, the type and scope of technology it uses, and the frequency and number of vendors or third parties to whom client information is disclosed.
That said, as noted by the American Bar Association Standing Committee on Ethics and Professional Responsibility, although response plans vary, common features include designating the individual(s) responsible for each step of the process, identifying and eradicating the cause of the breach, and restoring the firm’s computer operations so that its lawyers may service the needs of its clients. In addition, depending on the cause of a data breach, lawyers may need to work with outside experts, in addition to their internal resources, to restore computer operations. Therefore, including a list of potential experts in a formal response plan is also worthwhile.
Similar to following a formal response plan, analyzing whether a lawyer must notify a client is also a key action to take after a data breach, as discussed below.
- Determine whether you need to notify a current or former client.
The Model Rules of Professional Conduct require attorneys to notify current clients of a data breach if it involves their confidential information or if the breach affects a lawyer’s ability to perform the legal services the client hired them to perform. Attorneys should take reasonable efforts to evaluate the data that was lost or accessed because of the breach to determine whether confidential information was disclosed.
Notification to a client should state that unauthorized access to or disclosure of the client’s information occurred and describe the extent of the breach as far as it can reasonably be known by the attorney. If an attorney cannot determine the extent of the information affected, he or she should so inform the client. When notifying a client, it may also be helpful, as guidance, to follow the content requirements of state breach notification statutes and to provide any notification in writing as opposed to electronically or verbally. Moreover, according to the American Bar Association, lawyers have a continuing duty to keep clients reasonably apprised of material developments in post-breach investigations affecting the clients’ information.
An attorney’s obligation to notify former clients is less definite. The Model Rules provide no direct guidance on when a data breach triggers the obligation to notify former clients. Attorneys can mitigate the inadvertent disclosure of a former client’s information by returning the client’s file to the client at the conclusion of the representation or by adhering to record retention policies to avoid retaining client files for a prolonged time.
Whether notifying a current or former client, lawyers may consider including in any notification their efforts to mitigate the inadvertent disclosure and any actions they are taking to prevent future breaches.
In addition to notifying a client, attorneys should also consider notifying their insurance carrier after a data breach, as discussed below.
- Revisit your insurance needs.
With the prevalence of cyberattacks, more insurers are writing cyber insurance compared to past years, according to Claims Journal. Growth in the cyber insurance market translates into more competitive premiums and a greater diversity in coverage, so attorneys would be wise to revisit whether a stand-alone cybersecurity policy is practical.
As an initial matter, though malpractice insurance may cover some cyber risks, law firms should consider any applicable exclusions or endorsements that can affect coverage. A cybersecurity policy specifically designed for cyber risks could avoid coverage disputes and their accompanying litigation costs, erosion of indemnity limits on a firm’s professional liability coverage, and increases in professional liability premiums. For risks that are not covered, gaps in coverage could have significant financial consequences for a law firm. Data breaches can cause a variety of high-dollar damages that a malpractice policy may not cover, including loss of income from business disruption and reputational harm.
Ultimately, proactive discussions with your carrier or a broker that include disclosing your current cybersecurity measures can help you determine your coverage needs. Such discussions should continue as a firm’s business practices change, and in particular if it adopts enhanced cybersecurity measures, which could lead to lower premiums.
Whether your firm relies on malpractice coverage or a stand-alone cyber policy (or both), attorneys should, when appropriate, notify their carrier following a data breach.
Cyberattacks on law firms are a reality. By taking reasonable measures, including adopting a formal response plan, attorneys can limit inadvertent client disclosure and mitigate their damages if a data breach does occur. In addition to managing the interplay between technology and sensitive information, lawyers may need to notify a client following a data breach and would benefit from keeping up-to-date data retention policies. Finally, yet importantly, attorneys should determine whether a stand-alone cybersecurity policy is practical and whether notifying their carrier after a data breach is appropriate.
Peter C. Buckley, a partner with Fox Rothschild, focuses his practice on securities litigation, shareholder/partnership disputes and real estate litigation. He has served as lead counsel for outside director defendants in a securities class action and achieved successful settlements on behalf of oppressed minority shareholders.
Caroline A. Morgan, an associate with the firm, handles a broad range of complex commercial and business matters representing clients in a variety of industries in the courtroom and in arbitration or mediation. She represents clients in insurance disputes and all aspects of commercial litigation in both state and federal courts.