As more and more businesses require customers to submit sensitive personally identifiable information (PII) to provide goods or services – such as Social Security numbers and birth dates – people are forced to trust that these companies will safely store their data. Unfortunately, that is not always the case.
There were 2,216 confirmed data breaches worldwide in 2017 alone. Data breaches affect companies of all sizes, with 58 percent of targets categorized as small businesses across a range of industries, including health care, education, and financial services.
While data breaches that dominate the news tend to involve the massive corporations and tens of millions of victims, a smaller data breach of a local business that affects people in a limited geographic area is more likely to come across the desk of most attorneys. Three types of data breaches frequently occur in local communities: phishing emails to office staff, employees improperly accessing medical records, or hackers deploying ransomware. Although these data breaches may be “small” in scale, the impact on victims and local communities can be devastating.
Big data breaches grab headlines, but smaller-scale, localized ones occur frequently and have the same impact on consumers. Learn about the features of these breaches and how to handle them in the article below, published by the American Association for Justice and written by Faraci Lange partner Hadley Matarazzo and Cohen & Malad attorney Lynn A. Toops.
On October 17, 2018, the American Bar Association issued its first formal opinion addressing the obligations of a lawyer who has been the victim of a data breach or cyberattack.
The opinion is Formal Opinion 483, titled “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack”. Before discussing this opinion, it is important to have an understanding of a lawyer’s obligations with regard to her use of technology in providing legal services.
For the last decade, lawyers and the ABA have been grappling with a lawyer’s ethical obligations as they pertain to the constantly evolving use of technology. As noted in Formal Opinion 483, the Model Rules were amended in 2012 to address the use of technology. These amendments are referred to as the “Technology Amendments” and include the obligation to understand the risks and benefits of relevant technology (Model Rule 1.1) and the obligation to take reasonable measures to prevent inadvertent or unauthorized disclosure of information pertaining to the representation (Model Rule 1.6(c)). They also include the requirement that lawyers ensure their staff is likewise trained to take, and does take, reasonable measures to prevent unauthorized disclosure of or access to this information (Model Rules 5.1 and 5.3).
On May 11, 2017, the ABA issued Formal Opinion 477, titled “Securing Communication of Protected Client Information”. The Committee sought to update the prior rule, Formal Opinion 99-413, which addressed a lawyer’s confidentiality obligations pertaining to emails with clients. While the Committee does not dictate what constitutes reasonable steps a lawyer must or should take to protect sensitive data, it does provide seven considerations to guide lawyers with regard to reasonable steps.
The Committee concludes that “a lawyer may transmit information related to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access.” In practice, there are several ways a lawyer can seek to protect client information from inadvertent disclosure. For example, a lawyer can encrypt emails and attachments, password-protect attachments, or transmit correspondence and attachments using a secure FTP site.
A year and a half later, recognizing that data breaches and cyberattacks have affected and will continue to affect law firms, the Committee issued Formal Opinion 483 to address a lawyer’s ethical obligation if this occurs and information related to representation of a client is compromised. This Opinion picks up where Formal Opinion 477 left off.
For purposes of this opinion, the Committee has defined data breach to mean “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised or where a lawyer’s ability to perform legal services for which the lawyer is hired is significantly impaired by the episode.”
This definition is broad enough to include a number of situations. For example, it could involve a data breach where sensitive client data is exfiltrated from a lawyer’s computer network, or a ransomware attack where a lawyer is prevented from accessing a client’s file. It could also include an attack involving destruction of part or all of a lawyer’s computer network where confidential information is stored, leaving the lawyer unable to access the information necessary to perform legal services.
The Committee concluded, based on the Model Rules discussed above, that “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the Internet, external data sources and external vendors providing services related to data and use of data.”
The Committee clarifies that a breach, or a failure to immediately detect a breach, does not necessarily give rise to an ethical violation if reasonable steps were taken but were evaded by intruders. Instead, an ethical violation may be found when reasonable efforts are not taken and, because they are not taken, a breach occurs or goes undetected for some period of time.
If a breach is suspected or detected, a lawyer must “act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” The Committee recommends having a plan in place to deal with a suspected or actual breach and provides guidance regarding the contents of an incident response plan.
Regardless of whether a plan is in place, “a competent lawyer must make all reasonable efforts to restore computer operations to be able again to service the needs of the lawyer’s clients.” The lawyer must also investigate the breach to determine that it has been stopped and to figure out what information, if any, has been exposed.
Finally, under Model Rule 1.4, a lawyer must notify current clients when “unauthorized release of confidential information could reasonably be viewed as a significant factor in the representation…”
This includes situations where the client’s position or legal matter may be impacted. Interestingly, under Model Rule 1.9, the Committee declines to extend this requirement to former clients. However, the Committee does note that, consistent with best practices, a lawyer should reach an agreement with the client at the termination or conclusion of representation to determine how to handle the client’s electronic information. Absent an agreement, the Committee encourages lawyers to have a document retention policy, compliant with applicable laws and regulations, and to follow it.
The content of the notice to the client is dependent on the circumstances of the data breach and must be tailored accordingly. It is crucial that the notice provide sufficient information for the client to make an informed decision about what to do next. At a minimum, the lawyer must tell the client what sensitive information may be at risk and how it was believed to have been accessed unless the lawyer is unable to ascertain this information after taking reasonable steps to do so.
While not required, the Committee recommends that the lawyer inform the client of the steps the lawyer is taking to respond to the breach and, where applicable and feasible, recover the data. The lawyer does, however, have an ongoing obligation to keep the client apprised of any material information obtained from the post-breach investigation.
Formal Opinion 483 does not address the legal obligations a lawyer may have under federal or state privacy and notification laws, such as HIPAA, the Gramm-Leach-Bliley Act, and state breach notice statutes that may be implicated. The Committee does note, however, that where personally identifiable information (PII) such as Social Security numbers is implicated, the lawyer should familiarize herself with the applicable federal and state notification laws. It is crucial that a lawyer who has been the victim of an attack understand and comply with all her legal obligations.
Faraci Lange partner, Hadley L. Matarazzo, has been litigating cases involving data breaches, personal injury, defective drugs and medical devices, toxic torts, and medical malpractice since joining the firm in 2010.
Contact Faraci Lange today if you or someone you know is in need of an experienced and trustworthy attorney.
Last week, the consumer credit reporting agency, Equifax, announced that a data breach had compromised the Social Security numbers, dates of birth, names and addresses of up to 143 million Americans.
This massive data breach has put millions of Americans at risk for identity theft and other potentially harmful cyber crimes.
In an editorial published in the New York Times, Zeynep Tufekci stresses the underlying political reason why cybersecurity has become so weak in recent times.
“Big corporations have poured large amounts of money into our political system, helping to create a regulatory environment in which consumers shoulder more and more of the risk, and companies less and less,” Tufekci wrote.
Although no software system can be free from bugs, most data breaches aren’t inevitable and are a result of neglect and under-investment in cybersecurity.
In addition to the news of Equifax’s data breach, it was revealed that three of the company’s executives sold $2 million worth of stock soon after the breach’s discovery in July.
A company spokesperson stated that the executives had no knowledge of the breach at the time they sold “a small percentage of their Equifax shares”.
As long as this unaccountability exists for corporations and their executives, data breaches will continue to occur and consumers will continue to be put at risk.
Read the full article here.
If you believe you are eligible for a consumer protection claim, please call or text us at (888) 325-5150 or fill out a contact form for a free legal consultation.
Fewer than a quarter of 21 million federal workers hit by a major computer hack have been officially told that their personal information was compromised, six months after the breach was detected, a U.S. government official recently said.
About 5 million notifications have been sent out to hack victims so far, a spokesperson for the U.S. Office of Personnel Management (OPM) told Reuters in an email.
The slowness of the notification process underscores Washington’s struggles in dealing with its computer vulnerabilities, a growing problem that the Obama administration has been trying to address.
After it fell victim to two successive cyberattacks, both begun in 2014 and revealed earlier this year, OPM was roundly criticized by lawmakers for its response.
The Defense Information Systems Agency in September awarded a $1.8 million contract to Advanced Onion, a technology firm, to help locate and notify victims of the OPM breach, which exposed names, addresses, Social Security numbers and other sensitive information of current and former federal employees and contractors. About 5.6 million fingerprints were pilfered, an upwardly revised number from an initial estimate of 1.1 million.
The notification process for the smaller of the two breaches, which affected 4.2 million individuals, raised alarm when victims were asked to follow instructions online in prompts that some said resembled phishing scams. Others complained of long wait times with support call centers. That episode prompted the government to pursue Advanced Onion to deal with the larger breach, a process that took several months.
It has been six months since the larger OPM hack was detected, and more than a year and a half since hackers first infiltrated the agency’s data banks.
Officials have offered three years of credit monitoring and identity-theft monitoring services to hacked employees.
Read the full article here.