On August 5, 2014, the United Kingdom’s Information Commissioner “sounded the alarm” on data breaches within the legal profession in the U.K. Citing the fact that 15 incidents had been reported in the previous three months, the ICO used the press release to highlight the potential downfalls of poor information management protocols (a fine of over $800,000) and ways to ensure breaches do not occur. As law firms often deal with extremely sensitive information such as trade secrets or strategic planning for upcoming business partnerships and actions, it should be no surprise that law firms are attractive targets for hackers. Despite the fact that the United States does not have an organization comparable to the Information Commissioner’s Office, certain federal agencies like the Department of Health and Human Services (“HHS”) and the Securities and Exchange Commission (“SEC”) mandate standards for information security of healthcare and financial data, respectively, and state Attorneys General enforce state security and privacy laws that often comprise obligations for information stewards such as law firms. State bar associations also fill the gap to ensure that law firms comply with ethics obligations to maintain client confidences in electronic communications and other data. Indeed, there is little doubt that the time has come for law firms to seriously audit their information practices in an attempt to mitigate potential risks and damages.
Good information management practices are essential for law firms to avoid fines, ethical or legal actions, breach-related costs, or perhaps most devastating for a law firm, a loss of client confidence. Employee protocols, including Bring Your Own Device (“BYOD”) policies, that address password management, encryption, remote wiping, and file access restrictions are one way a law firm may mitigate its risks. Cyber insurance may also provide an avenue for financial relief in the event of a breach or governmental investigation into information management practices. Ultimately, preventing a data breach and mitigating the effects of an actual breach require forethought and planning tailored specifically to the law firm’s organizational culture, its practice areas, and its employees. Should you have questions about your law firm’s information management practices or the availability of cyber insurance, please contact Kenneth N. Rashbaum.