Have you gone over your cybersecurity plan lately? If not, you should. This article provides some basic steps you can take to protect your clients' personal information.
In March 2012, the FBI Director, Robert Mueller, said "there are only two types of companies: those that have been hacked and those that will be." Law firms are now targets of hackers, whose arsenal includes malware, ransomware, and human error. Today, hackers are focusing their attention on law firms because they see them as "soft targets" due to the sensitive material stored on their hard drives and networks. Cybersecurity is no longer just an IT issue; it now falls under the umbrella of executive management and office engagement. The risk is real and should be a top priority for all law firms.
In Texas, law firms are ethically bound to protect their clients' confidential information. This includes both "privileged information" and "unprivileged client information." In addition to protecting information, attorneys have a duty to notify individuals of breaches of the security of their information. Breach notification rules are found under Chapter 521 of the Texas Business and Commerce Code. Under the statute, you must disclose to any individual whose sensitive personal information has been acquired by an unauthorized person "as soon as possible." If you fail to do so, and actual damages have occurred, you may be liable. Furthermore, under the Health Insurance Portability and Accountability Act (HIPAA), if your firm handles protected health information you may be subject to federal regulations as well. You should check your commercial general liability insurance and see whether you are covered for the fallout from such an attack.
What can you do to protect yourself from cyber-attack?
To begin with, you need to have an IT expert set up a firewall for your network. Once that is complete, you need to create a custom-made cybersecurity policy for your law firm. Within the policy, you will need to identify potential risks to your system in order to minimize your liability. If you are not sure what this policy should look like, then you are in luck. The Federal Communications Commission (FCC) has a comprehensive "Cyber Security Planning Guide" for you to go by while creating your plan. At a minimum, here are three things all plans should have in them:
1. Training procedures for your employees about cybersecurity;
2. A procedure to maintain control over all firm electronic devices that have access to your system or are used to view protected health information; and
3. A rule forbidding anyone with access to your system from connecting to a "Wi-Fi" hot spot.
If this is too daunting, then you can always hire an IT consultant for help. Another smart move is to purchase cybersecurity insurance, which will cover you if you find yourself in a cybersecurity nightmare.
Be proactive. Sticking your head in the sand about these types of threats can be costly.
American Bar Association, Cybersecurity: Ethically Protecting Your Confidential Data in a Breach-A-Day World (April 27, 2016).
Tex. Disciplinary R. Prof'l Conduct 1.05(a).
See Tex. Bus. & Com. Code Ann. § 521.053.
See 45 C.F.R. §§ 164.400-414.
Federal Communications Commission, Cybersecurity Planning Guide (2012), https://transition.fcc.gov/cyber/cyberplanner.pdf.