The Connecticut Law Tribune published my piece this week about the risk law firms, including small ones, face from data breaches:
In recent months, corporate America has been shaken by several headline-grabbing data breaches.
Retailer Target's first quarter profits were down 16 percent after credit card and personal information of millions of its customers was stolen. Daily-deal website LivingSocial was hacked, with more than 50 million users impacted. Last week, hackers gained access to the personal data of 145 million of eBay's online customers.
Lawyers are among the specialists called in to help with these security crises. But data breach risk doesn't belong to clients alone. Law firms of all sizes risk having client data and other sensitive materials exposed, legal and technical experts say.
In Massachusetts, state officials felt so strongly about the threat to law firms that they've planned a seminar for May 29. An email pitching the program to the state's lawyers says: "Hackers are now targeting small law firms because of the wealth of info in client files that can be used for identity theft – in family law, estate planning, real estate, elder law and other matters. And Mass. law requires you to notify clients of a data breach – do you really want to have to do that?"
Anthony Minchella says Connecticut lawyers shouldn't feel any more comfortable.
The owner of Minchella & Associates in Middlebury and the vice-chair of the Connecticut Bar Association's small firm practice management section, said in an email that "small firms or solos sometimes feel safe from cybersecurity threats, but that is completely false. No business is safe. Practices that obtain sensitive information, such as credit card numbers, often have the entire package of information a cyber-thief would need to steal an identity."
Monique Ferraro, a general practitioner in Waterbury who also runs a forensic technology business and lectures on IT security, said data breaches can be as simple as the loss of a lawyer's laptop or smartphone that isn't protected by a password. "I see a lot of lawyers who are not securing their data appropriately," Ferraro said.
Connecticut has put businesses of all types on notice that they have to take safeguards to prevent data breaches. Unfair trade practice charges can be brought against companies and organizations if they expose personal information like social security numbers, credit card numbers and driver's license numbers. And lawyers must provide notice to their clients and the Office of the Attorney General if they've suffered a data security breach.
There are at least three other ways that data breaches can occur, says Ellen Giblin, lead privacy and data security counsel with the Ashcroft Law Firm in Boston and manager of the data breach response teams for clients.
Hackers can keep pinging away at a law firm's information security apparatus until they break in. They can use an insider to provide them with sensitive information. Or they can "socially engineer" their way past IT security protocols by using phishing scams that entice lawyers to respond to fraudulent e-mails which, in turn, provide entree to their firms' electronic data.
Under the law, law firms are considered to be vendors, and vendors are required to have the appropriate "administrative, physical and technological safeguards in place" to ensure data security, Giblin said.
"It's important for law firms to always safeguard and keep confidential their client information, whether it's to protect attorney-client privilege" or to follow federal, state or other laws enacted to protect privacy and confidential information.
Not even the experts agree on how to best protect client data.
Lawyers Dan Siegel and Molly Gilligan, whose company, Integrated Technology Services, advises small and mid-sized law firms, said the best practice is to store client data with a cloud vendor on the web and on a hard drive in one's legal office.
It's the practice they use in their own businesses. Siegel, who is based in the Philadelphia suburbs, and Gilligan, a Quinnipiac University School of Law graduate now based in Maine, are using a remote case management system so they can work together in a law practice as well as in their technology business.
Cloud vendors can provide better security than a smaller law firm typically can come up with on its own, Siegel said.
But lawyers must do their due diligence and ensure that the vendor's terms of service acknowledge that the data belongs to the client, and not the vendor or the law firm, Siegel said. Lawyers should only use vendors that store the data in the U.S., he said.
The agreement with a cloud vendor also should cover what happens if the vendor goes out of business, Siegel said. If a vendor does go out of business, Siegel's firm has the encrypted data backed up on a hard drive, he said.
Connecticut bar officials have not issued an ethics opinion on whether it's appropriate for lawyers to entrust client data to a cloud computing service where the data is accessed over the Internet via a web browser, according to a tally by the American Bar Association. New York and Massachusetts have released ethics opinions on the topic; both jurisdictions require that lawyers exercise reasonable care in putting client data on the cloud.
Ferraro, however, does not recommend using cloud vendors, saying that law firms should be leery about trusting an outside company with such sensitive client information. "If you have control of your data," she said, "you have control over your data."
If lawyers choose to go the cloud route, Ferraro says they should get client consent before storing their data remotely. She prefers that lawyers store their own files, making sure they are encrypted. She recommends that attorneys install a self-encrypting hard drive on their computers.
Heidi Alexander, a law practice advisor with the Massachusetts Law Office Management Assistance Program, said that Dropbox, one of the most popular cloud providers, may not be the safest and most secure vendor to use because it has experienced some data breaches of its own. She, too, said that encryption is the best way to protect documents. She added that attorneys should make sure that passwords are strong and unique.
Both Ferraro and Giblin recommend a number of other data security policies. They said law firms should have policies that forbid the use of computers for personal purposes. Along the same lines, Ferraro said lawyers should have separate business and personal smartphones. Those phones should be password-controlled and include features that allow their digital contents to be erased from a remote location in case they are lost or stolen.
A law firm is going to experience a data breach and get into hot water, Ferraro and Giblin predicted.
Even though lawyers are supposed to notify their clients of data breaches under Connecticut law, "they don't do it and it's just a matter of time before this implodes upon itself," Ferraro said. There will be class action lawsuits or criminal investigations, she said.
Giblin predicts federal action at some point against a law firm. The Federal Trade Commission has prosecuted data security breaches as an unfair trade practice, she said. "If they haven't gone after a law firm, they will," Giblin said.
Gilligan said that there is a balance to be struck between security and efficiency with technology. Lawyers need to take reasonable steps to use technology to protect their clients' data, Gilligan said, but technology also is about "making your office more efficient and better able to serve your clients. There is a trade-off."