“What to Do When Your Data is Breached” by Sharon Nelson, John Simek, and David Ries was featured in the September 2018 issue of Res Gestae, the journal of the Indiana State Bar Association. Res Gestae’s mission is to be a magazine with an emphasis on legal topics of practical value to lawyers.
Excerpt: “When, not if.” This mantra among cybersecurity experts recognizes the ever-increasing incidence of data breaches. In an address at a major information security conference in 2012, then-director of the Federal Bureau of Investigation (FBI) Robert Mueller put it this way: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Mueller’s observation is true for attorneys and law firms as well as small businesses through Fortune 500 companies. There have now been numerous reports of law firm data breaches. The FBI has reported that it is seeing hundreds of law firms being increasingly targeted by hackers. Law firm breaches have ranged from simple (like those resulting from a lost or stolen laptop or mobile device) to highly sophisticated (like the deep penetration of a law firm network, with access to everything, for a year or more).
Lawyers and law firms are beginning to recognize this new reality, but all too often they expose themselves to unnecessary risk simply because they don’t have a response plan for security incidents and data breaches. Attorneys have ethical and common law duties to employ competent and reasonable measures to safeguard information relating to clients. Many attorneys also have contractual and regulatory requirements for security. Attorneys also have ethical and common law duties to notify clients if client data has been breached.
Compliance with these duties includes implementing and maintaining comprehensive information security programs, including incident response plans, for law practices of all sizes, from solos to the largest firms. The security programs and response plans should be appropriately scaled to the size of the firm and the sensitivity of the information.
See the entire article here