PBCBA BAR BULLETIN
EDISCOVERY|DATA PRIVACY CORNER
LAW FIRMS—ARE YOU READY FOR A DATA BREACH?
ROBERT W. WILKINS
The old adage "the cobbler's children have no shoes" highlights the fact that, as lawyers, we are often so busy helping others that we fail to take the time to help ourselves. All too often law firms fail to conduct data breach risk assessments concerning their own data and, more importantly, the client data entrusted to them. As a result, the policies and procedures required to implement a data breach response plan, including procedures to comply with data breach notification rules, are not in place. Solo and small firms may consider themselves too small to be targeted. Even some mid-sized firms fail to comply with the basic legal requirements governing data breaches. Many assume their outside IT vendor, in addition to providing their cybersecurity, is also preparing and implementing the policies and procedures necessary to meet the data breach compliance requirements. All too often, firms of every size assume cyber insurance will protect them from the costs and substantial damages, including the reputational consequences, of a data breach.
Data breaches are increasing rapidly, with growing financial consequences. The FBI's Internet Crime Complaint Center (IC3) issues an annual Internet Crime Report summarizing the internet-related crime complaints it receives. In 2017, the number of reported complaints was 301,580. In 2019, only two years later, the report recorded 467,361 complaints and reported losses exceeding $3.5 billion. Florida ranked second highest among all states in both the number of victims of internet crime and the dollar amount of losses. The largest category of complaints by victim count was phishing, vishing, smishing and pharming attacks on individuals and businesses.1
Your law firm is already being targeted by internet bots and other malicious actors. It is not a question of if your law firm will suffer a breach, only a question of when. Perfection is neither possible nor required; you are only required to take reasonable measures to protect the data in your possession. What is reasonable depends on a number of factors, all of which should be evaluated as part of your risk assessment. If you haven't already performed a risk assessment and implemented policies and procedures, including an incident response plan, the following highlights how you can begin the process.
1. Develop and Maintain Knowledge of Legal and Regulatory Requirements
Obviously, lawyers must know the law and maintain knowledge of the statutes, regulations, rules and all other aspects of the practice of law in general. The same is true concerning the more specialized area of law governing data privacy and security. Keeping abreast of the rapidly changing legal and technological requirements relating to data privacy is essential. Larger firms develop entire practice groups related to data privacy. Regardless of the size of your law firm, the requirement remains the same. Your ethical requirements demand no less. If you don't have the time or resources to do so, retain outside counsel with specialized knowledge to assist you.2
2. Prepare a Comprehensive Risk Assessment
Clients entrust their most sensitive data to their attorneys, including their financial and health-related private and confidential information. Lawyers have an obligation to maintain that information in the strictest of confidence. It is essential that law firms "map" the data in their possession, custody or control. Tangible data (paper, photos, videos, etc.) is typically located in the office in file cabinets or similar storage locations. Digital data is more dispersed; it can reside on servers, hard drives, and in the cloud, to name a few locations. When mapping the data, it is important to include all third-party vendors the firm uses: IT vendors, court reporters, experts, and so on.
Once the data has been mapped, it is important to identify the legal and contractual obligations that apply to the data. There may be regulatory requirements concerning certain data, such as HIPAA, and there may be contractual requirements governing other data, such as trade secrets and other confidential information. Essentially, review, understand, and apply the requirements identified in the Data Privacy Primer cited in footnote two. Outside vendors specializing in preparing data risk assessments are an excellent resource to assist you with your risk assessment and data mapping obligations. Some will also assist in drafting the policies and procedures required by the statutes, rules and regulations. However, you are ultimately responsible for compliance; you can't delegate to a third-party vendor either your ethical responsibility to maintain confidentiality or your legal obligation to know whether those policies and procedures comply with the law. Vendor contracts may contain exculpatory language and most likely won't indemnify you from liability for data breaches. And they can't protect you from potential legal malpractice claims associated with the data breach.
3. Prepare an Incident Response Plan
Once you have mapped the data and determined the compliance requirements that govern that data, you need to prepare and implement an incident response plan (IRP). The IRP details all aspects of responding to an incident. An effective IRP will begin with an initial assessment of the incident to determine whether the incident response team needs to be activated. The IRP also details the levels of response required, including when an incident rises to the level at which legal counsel needs to be engaged. Legal counsel will determine the required notifications to regulators and law enforcement, affected individuals, and insurance carriers, as well as any related contractual notice obligations. For a detailed explanation of the requirements of an incident response plan and a model form, the Sedona Conference Incident Response Guide is an excellent resource.3
Hopefully, the resources identified in this article will assist you in navigating the many laws, regulations and rules governing your data privacy obligations and data breach notification requirements.
Rob Wilkins is Chair of the Litigation and Dispute Resolution Practice Group at Jones Foster, P.A. He is an active member of The Sedona Conference Working Group 1, Electronic Document Retention and Production, and Working Group 11, Data Security and Privacy Liability. He is co-chair of the subcommittees on data privacy and eDiscovery of the ABA Commercial and Business Law Committee.
1 2019 Internet Crime Report, pdf.ic3.gov.
2 For an excellent resource on the laws, rules and regulations governing data privacy, see The Sedona Conference, Data Privacy Primer, 19 Sedona Conf. J. 273 (2018).
3 The Sedona Conference, Incident Response Guide, 21 Sedona Conf. J. 125 (forthcoming 2020).