Wednesday, May 6, 2015

Interesting InfoSec Updates: Breaches, Disclosure Duties, Ethics Opinions & More



Several interesting updates on all things law firm information security to share. First: "Cybercrime at Firms Triggers Ethical Duties" --
  • "Law firms of all sizes are falling prey to hackers and Internet scams. Now the New York City Bar Association has released an ethics opinion clarifying that lawyers must report hacking or other breaches of their computer systems."
  • "The opinion makes clear that lawyers don’t violate their ethical obligations by reporting cyberfraud to enforcement authorities. The opinion also emphasizes that law firms must tell clients if their interests might be at risk."
The Association of Certified E-Discovery Specialists (ACEDS) has some interesting commentary on the same topic: "Tension between client confidentiality, public disclosure stifling law firm cyber-breach reporting" --
  • "As cyberattacks on law firms increasingly take on an air of inevitability, though their accounts are largely anecdotal, new questions center on how to respond to breaches of sensitive materials and how to responsibly disclose these incidents without jeopardizing client relationships, and running afoul of professional codes."
  • "Citigroup, for example, recently told its employees in an internal report that law firms are vulnerable hacking targets because they are clearinghouses of high-value information and possess relatively weak security measures, according to The New York Times. The Citi memo also said that law firm security generally falls below the standards of other industries — and pointed to a reluctance by law firms to publicly disclose breaches and the absence of formal reporting requirements in the legal field as reasons for silence."
  • "Attorney Gary Kibel, a partner at Davis & Gilbert, poses a hypothetical scenario. 'What if you had a breach of a client’s files, and that breach involved personal information of the client’s customers? Now what if there’s a requirement that you have to go tell the customers your firm was in possession of the client’s files in the first place? I have no doubt that some law firm is going to be faced with this at some point,' Kibel told ACEDS. 'We’re all going to have to research this information carefully or make an appeal to the state bar associations,' he said. 'I suspect that compliance of the law is going to trump attorney-client privilege — and that the client is going to be very perturbed.'"
  • "Right now I think there are a lot of law firms that just are not aware of how serious the threat can be. It’s still the mentality of, 'This can’t happen to us'," said Dana Post, special counsel for e-discovery and data management at Freshfields Bruckhaus Deringer, at a recent ACEDS New York chapter panel discussion on cybersecurity. Client pressure may prove to be among the most powerful forces in prompting law firms to bolster their security practices. Prospective clients are starting to ask about information security when shopping for legal representation, Post explained. 'The smart clients already ask the questions,' she said. 'But more are coming.'"
  • "The inherent tension between maintaining client confidentiality and disclosing breaches where client confidences are directly at issue shows no signs of easing. As lawmakers eye legislation that would impose reporting requirements on breach victims, that conflict may be coming to a head."
It's these trends and shifting requirements that inform calls like this recent piece from Ryan Schlunz, Chief Innovation Officer, Stoel Rives: "It’s Time To Get Serious About Law Firm Cybersecurity" --
  • "Imagine if there were only two types of law firms in the United States today: those who have experienced a data breach and those who don’t yet know they have experienced a data breach. This scenario is actually not far from reality, and for most AmLaw 200 firms it is likely already accurate. However, many law firms don’t yet appear to appreciate the scale of the threat."
  • "Patent and insider deal information are not the only types of information at risk of cyber-attack. Stolen healthcare data sells for as much as $10 per medical record on the black market, and has fast become more valuable than credit card information. Even those firms who do not store healthcare and financial data, or data related to mergers & acquisitions or patents, are at risk of hackers coming after client information that could help them hack into client systems. It’s time for law firms to wake up and make cybersecurity a top priority at all firms."
  • "How law firms ensure the security of data is already a critical issue for all clients. Having data security procedures in place – such as regular client audits that prove that data is secured properly – is quickly becoming an industry standard. Regulatory requirements are likely not far behind. It’s time for all law firms to get serious about cybersecurity."
