Data Security and Privacy Risks for Law Firms
Transcription

Data Security and Privacy Risks for Law Firms
PRESENTED BY: Lisa Jaffee and Theresa Garthwaite

Presenters
• Lisa Jaffee, CNA Specialty, (914) 524-5660, lisa.jaffee@cna.com
• Theresa Garthwaite, CNA Risk Control, (312) 822-1622, theresa.garthwaite@cna.com

Disclaimer
The purpose of this presentation is to provide information, rather than advice or opinion. It is accurate to the best of the speaker's knowledge as of the date of the presentation. Accordingly, this presentation should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA. Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites. To the extent this presentation contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situations, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice. CNA is a registered trade mark of CNA Financial Corporation. Copyright © 2016 CNA. All rights reserved.

Outline for Cyber Presentation
I. Understanding Cyber Risks of Law Firms
II. Lawyers’ Duty to Provide Data Security
III. Opportunities to Advance Law Firm Security

I. Understanding Cyber Risks of Law Firms
Overview of Data Risks for Law Firms: Why are law firms a target?
• Rich collection of confidential information
• Sub-standard security
• Frequency of law firm data breaches
• Lack of reporting requirements
• Failure to detect a breach

I. Understanding Cyber Risks of Law Firms
Business Reasons to Address Information Risk:
• Increased cyber security regulation of law firms and clients
• Clients increasingly making excellent data security a key criterion for their vendor relationships
• Example: carriers requiring an information security compliance program before they will place cyber liability insurance coverage

I. Understanding Cyber Risks
[Chart: Percentage of Data Breaches by Cause of Loss]
Source: NetDiligence Cyber Claims Study 2014, http://www.netdiligence.com/NetDiligence_2014CyberClaimsStudy.pdf

I. Understanding Cyber Risks of Law Firms
Lawyers’ Use of Data Security Tools
• Spam filters – 85%
• Firewalls – 71%
• Virus scanning for PCs – 66%
• Bring Your Own Device (BYOD) access with restrictions – 66%
• Virus scanning for e-mails – 65%
• File encryption – 33%
• E-mail encryption – 24%
• Full-disk encryption – 16%
Source: ABA TECHREPORT 2013, Legal Technology Resource Center, Security Snapshot: Threats and Opportunities

II. Lawyers’ Duty to Provide Data Security
Ethical Obligations
o MRPC 1.6* – Confidentiality (Comment 18)
o MRPC 1.1 – Competence (Comment 8)
Common Law Duties
o Restatement (3rd) of the Law Governing Lawyers (2000)
* All references to MRPC in the presentation refer to the ABA Model Rules of Professional Conduct.

II. Lawyers’ Duty to Provide Data Security
State Regulations and Statutes
• General security laws protect defined categories of personal information
• State data breach notification requirements: enacted in 47 states; compliance may be complex

II. Lawyers’ Duty to Provide Data Security
Federal Statutes
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• The Health Information Technology for Economic and Clinical Health Act (“HITECH”)
• Fair and Accurate Credit Transactions Act of 2003 (“FACTA”)
• Gramm-Leach-Bliley Act (“GLBA”)
• Other cybersecurity legislation

II. Lawyers’ Duty to Provide Data Security
What to Protect
• Protected health information (PHI): any information about health status, provision of health care, or payment for health care that can be linked to a specific individual
• Personally identifiable information (PII) – generally, name plus:
o SSN
o Driver’s license / government ID number
o Credit/debit card number
o Financial account information
o Medical insurance / health information
o Passwords with usernames (a few states, e.g. CA and FL)
• Information related to a representation
• And more

II. Lawyers’ Duty to Provide Data Security
“Resolved, That the American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” [Emphasis Added]
– ABA Resolution 109, adopted 08/12/14

II. Lawyers’ Duty to Provide Data Security
Potential Risks for Law Firms
• Security/privacy civil claims
• Network damage claims
• Regulatory investigations
• Reputational risk
• Financial risk: lost billable time, breach response costs
• Risks to computer systems

II. Lawyers’ Duty to Provide Data Security
Cost of a Potential Data Breach
Average claim payout: $733,109
• $366,484 (48%) on crisis services*
• $109,966 (15%) on legal defense
• $73,310 (10%) on legal settlements
• $73,310 (10%) on regulatory defense
• $43,986 (6%) on regulatory fines
• $80,641 (11%) for PCI** fines
* Crisis services include forensics, notification, and legal guidance.
** PCI – Payment Card Industry
Source: NetDiligence 2014 Cyber Claims Study

III. Opportunities to Heighten Law Firm Security
1. Encrypt, encrypt, encrypt
2. Use caution in the cloud
3. Beware of BYOD
4. Vet your vendors
5. Staff training is critical
6. Be wireless savvy
7. Have a password policy
8. If all else fails, be prepared
9. Consider cyber liability insurance

CNA Lawyers’ Risk Control Resources
Go to www.cna.com
Click on Find Resources to Manage & Reduce Risk
Click on Professional & Management Liability
• Article: Safe and Secure: Cyber Security Practices for Law Firms
• Article: Caution in the Cumulus: Using the Cloud in Law Practice
• And more

Trends in Social Media for Lawyers

Social Media Defined
Social media is defined as “forms of electronic communication (as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content…”
Source: http://www.merriam-webster.com/dictionary/social%20media

Examples of Social Media
• Facebook®
• MySpace®
• LinkedIn®
• YouTube®
• Twitter®*
• Legal OnRamp®*
• Blogs
• Texting
* All of the trademarks listed above are the property of their respective owners.

US Law Firm Blog Use
Year – Firms with a blog
2010 – 14%
2011 – 15%
2012 – 22%
2013 – 27%
2014 – 24%
2015 – 26%
Source: 2013-2015 American Bar Association Legal Technology Survey Report

Law Firm Social Network Presence
Year – Firms with a social network presence
2010 – 17%
2011 – 42%
2012 – 55%
2013 – 59%
2014 – 62%
2015 – 61%
Source: 2013-2015 American Bar Association Legal Technology Survey

Law Firm Social Media Presence
[Chart: share of firms present on LinkedIn, Facebook, Google Plus, Avvo, LawLink, None, Don’t Know; 0%–60% scale]
Source: 2015 American Bar Association Legal Technology Survey

Reasons for Social Media Use
[Chart: Career Development/Networking, Client Development, Education/Current Awareness, Case Investigation; 0%–80% scale]
Source: 2015 American Bar Association Legal Technology Survey
Lawyers are using social media to:
• Convey the value of services
• Reach and connect with potential clients
• Attract and retain talent
• Monitor issues of interest to the lawyer and his/her clients
• Keep tabs on competitors
• Stay abreast of trends and news in the industry
• Access information about defendants, plaintiffs, witnesses and potential jurors
• Other uses

Social Media: Impacting Your Public Reputation
How you use social media directly affects your public reputation. Even your “lack of use” counts. What does this say?
• Your competition is using social media and so are your clients!
• Potential for public embarrassment
• Possibility of ethical missteps

Recent Model Rule Revisions
“A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”
– Model Rule of Professional Conduct 1.1
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
– Comment [8] to Rule 1.1

Social Media & Prospective Clients
ABA Model Rule 1.18: Prospective Clients
Clarifies that the rule applies even in the absence of an oral discussion.
Comment 2: “…Whether communications, including written, oral, or electronic communications, constitute a consultation depends on the circumstances. For example, a consultation is likely to have occurred if a lawyer, either in person or through the lawyer’s advertising in any medium, specifically requests or invites the submission of information about a potential representation without clear and reasonably understandable warnings and cautionary statements that limit the lawyer’s obligations, and a person provides information in response.”
Uh-Oh…. (an unqualified website intake form)
CONTACT US!!
Name:
Address:
Phone:
A brief description of your legal issue (How can we help you?)
Attach relevant documents:

Mitigating the “Uh-Oh…”
• [Firm] (1) does not guarantee the confidentiality of any communications sent by e-mail or through its website, or left in voicemail messages on firm telephones. Unsolicited information and material may not be treated as (2) confidential and will not be protected by any attorney-client privilege and may be unsecured. Accessing or using this website does not create an (3) attorney-client relationship. Although the use of the web site may facilitate access to or communications with members of [firm] by e-mail or voicemail, receipt of any such communications or transmissions by any member of [firm] (4) does not create an attorney-client relationship, unless our firm formally agrees to represent you in writing.

Social Media & Prospective Clients, cont.
• Chatroom discussions
• Commenting on Facebook posts, etc.

Social Media & Confidentiality
ABA Model Rule 1.6: Duty of Confidentiality
In re Disciplinary Proceedings Against Peshek, 798 N.W.2d 879 (Wis. 2011) (Illinois Supreme Court suspended an assistant public defender from practice for blogging personally identifiable information about clients, including confidential information). The Wisconsin Supreme Court imposed reciprocal discipline on the same attorney for the same misconduct.

Social Media & Confidentiality, cont.
Responding to Negative Reviews on Social Media:
• Any public response to a negative review online must not “disclose confidential information,” must “not injure the former client in any matter involving the prior representation” and must be “proportionate and restrained.”
– Los Angeles County Bar Association, Formal Ethics Opinion #525 (12/06/12)

Social Media & Confidentiality, cont.
Responding to Negative Reviews on Social Media:
In re Skinner, Ga., No. S13Y0105, 3/18/13
Key Holding: A stronger sanction than a reprimand is called for where a lawyer posted confidential information about a former client in response to negative online reviews.
Significance: Case of first impression in Georgia and one of only a few to address this issue.

Social Media & Confidentiality, cont.
Posting Case Information to Websites:
• ABA Formal Ethics Opinion 10-457: An attorney needs the client’s consent to disclose information about their case on websites.
• In some states, it is even prohibited to use or reveal publicly available information without the client’s informed consent.

Social Media & Confidentiality, cont.
Posting to YouTube:
• Jesse Raymond Gilsdorf uploaded videos of his client, obtained in discovery, to YouTube under the title “Cops and Task Force Planting Drugs”, and then posted the video to his Facebook page.
• The video was viewed more than 2,000 times.
• When viewed on a larger screen, the videos clearly showed the client dealing drugs.
• The ARDC found a violation of Rule 1.6, and the lawyer was suspended for 5 months.
– Illinois Bar Journal; Janan Hanna, “Lawyer Sues After his YouTube Post of Client Leads to Suspension,” May 2014.

Social Media & Candor Toward a Tribunal
• Model Rule 3.3: Candor Toward a Tribunal
• Were you at a funeral or really at a party?
• One judge in Galveston, Texas, used Facebook to catch an attorney who requested a continuance, allegedly because of the death of her father. The attorney, however, had recently posted a string of status updates on Facebook portraying a week of drinking and partying.
• In a separate incident, the same judge caught another attorney griping about having to handle a motion before her.
– See M. McDonough, “Facebooking Judge Catches Lawyer in Lie, Sees Ethical Breaches #ABA Chicago” (July 31, 2009).

Social Media & Investigating Witnesses
• A lawyer may view a witness's social media website … if the website is publicly accessible; doing so does not constitute a “communication” within the meaning of Rules 4.2 and 4.3. If the lawyer sends a request to an unrepresented witness in order to access the witness's private social media information, the request must clearly state the lawyer's name and position as a lawyer and must explain the lawyer's involvement in the matter for which the lawyer seeks the witness's information….*
– New Hampshire Bar Ass’n Ethics Comm., Opinion 2012-13/5 (6/20/13)
* See also San Diego County Ethics Op. 2011-2, and Philadelphia Ethics Op. 2009-2 (consistent with this requirement); but see New York City Ethics Op. 2010-2 (there is no ethical obligation to affirmatively disclose the reason for such a request).

Social Media & Investigating Witnesses, cont.
• …A lawyer may not send a request to follow or friend a witness's restricted social media account under a false name or using another person's account and may not direct a client or nonlawyer assistant to do so, but the lawyer may receive information from a client who has accessed such an account without direction from the lawyer. As part of the duties of competence and diligence, a lawyer who represents a client in litigation must keep abreast of, understand, and be able to effectively use investigatory tools such as social media.
– New Hampshire Bar Ass’n Ethics Comm., Opinion 2012-13/5 (6/20/13)

Social Media & Investigating Witnesses, cont.
• A lawyer may not send a “friend” request to high-ranking employees of a litigation adversary in order to access their private Facebook pages in search of evidence if the employees are considered to be represented persons, for example, if they exercise substantial authority over the organization's policy decisions. Even if the employees are not considered to be represented persons, the lawyer may not send the request without disclosing its purpose.
– San Diego County Bar Association Ethics Op. 2011-2

Social Media & Supervision of Non-Lawyers
• ABA Model Rule 5.3: Supervision of Non-Lawyers
– Large NJ law firm: Attorneys asked paralegals to scour the internet and to “dig up anything they could” on the plaintiff.
– Paralegals sent a “friend request” to the plaintiff to access private information.
– Violates N.J. Rule 4.2: communication with represented parties.

Social Media & Investigating Jurors
Lawyers may have a duty to investigate jurors online during the voir dire process:
• Johnson v. McCullough, 306 S.W. 3d 551 (Mo. 2010) (lawyers must use reasonable efforts to research jurors’ litigation history online during the voir dire process).
• Ass’n of the Bar of the City of N.Y. Comm. on Professional Ethics, Formal Op. 2012-2 (standards of competence and diligence may require doing everything reasonably possible to learn about jurors).
• N.H. Bar Ass’n, Op. 2012-13/05 (lawyers “have a general duty to be aware of social media as a source of potentially useful information in litigation, to be competent to obtain that information directly or through an agent, and to know how to make effective use of that information in litigation”).

Social Media & Investigating Jurors, cont.
But: Avoid prohibited juror communications!
Three types of lawyer review of a juror’s Internet presence:
• Passive lawyer review of a juror’s website or social media available without an access request;
• Active lawyer review where the lawyer requests access to the juror’s social media; and
• Passive lawyer review where the juror becomes aware of the identity of the viewer (e.g. a LinkedIn notification).
Source: ABA Formal Opinion 466 (April 24, 2014)

Counseling Clients on Social Media Use
Lester v. Allied Concrete
The court imposed sanctions of $542,000 against an attorney and $180,000 against his client for following the attorney’s advice to delete Facebook account postings. The attorney was concerned that pictures of the plaintiff-husband on his Facebook account drinking beer and announcing “I (HEART) HOT MOMS!” could hurt his case. On July 17, 2013, the Virginia State Bar Disciplinary Board suspended Matthew B. Murray’s license to practice law for five years for violating professional rules that govern candor toward the tribunal, fairness to opposing party and counsel, and misconduct.

Counseling Clients on Social Media Use
• Mark Niesse, Twitter Sunk Woman’s Award after Car Crash, N.J. Law Journal (Jan. 2, 2013) (court reduced a jury award after the defendant introduced Twitter messages from the plaintiff discussing traveling and partying after the car accident).
• David Smiley, Daughter’s Facebook boast costs former Gulliver Prep headmaster $80,000 discrimination settlement, Miami Herald (February 26, 2014) (court tossed out a discrimination settlement, ruling that the ex-employee and his daughter breached the confidentiality agreement when she took to social media to brag about it).

Counseling Clients on Social Media Use
New York County Lawyers Ass'n Comm. on Professional Ethics, Op. 745, 7/2/13
An attorney may advise clients to keep their social media privacy settings turned on or maximized and may advise clients as to what should or should not be posted on public and/or private pages…. Provided that there is no violation of the rules or substantive law pertaining to the preservation and/or spoliation of evidence, an attorney may offer advice as to what may be kept on “private” social media pages, and what may be “taken down” or removed. An attorney's duty to represent clients competently could, in some circumstances, give rise to an obligation to advise clients, within legal and ethical requirements, concerning what steps to take to mitigate any adverse effects on the clients' position emanating from the clients' use of social media.

Counseling Clients on Social Media Use, cont.
Offering a list of ethically permissible actions, the committee concluded that a lawyer may:
• counsel witnesses to publish truthful information favorable to a client;
• discuss the content and advisability of social media posts;
• review posts that may be published and that have already been published;
• discuss the possibility that a legal adversary may obtain access to “private” social media pages through court orders or compulsory process;
• advise clients how social media posts may be received or presented by adversaries and review how the factual context of the posts may affect their perception; and
• discuss possible lines of cross-examination.

LinkedIn & Attorney Advertising
• A law firm may not describe its services under a section on LinkedIn devoted to “Specialties,” but an individual lawyer may do so if she has been appropriately certified and complies with the disclaimer requirements that apply to communications about practice area specialization.
– New York State Bar Ass'n Comm. on Prof'l Ethics, Op. 972, 6/26/13
• A lawyer may advertise through LinkedIn and may list general areas of practice under the site's “Skills and Expertise” section but may not use the service's subjective designations “expert” or “experienced” unless in compliance with Rule 7.4. The lawyer must monitor any comments posted to the page and should immediately remove comments that are misleading or that convey unreasonable or unquantifiable expectations.
– Professional Guidance Committee of the Philadelphia Bar Association Opinion 2012-8 (11/12)
• A problematic feature on LinkedIn allows members of the public to add endorsements of a lawyer's “expertise” to the lawyer's online profile. The endorser's comments then appear on “an as-yet unremovable section on each lawyer's page” entitled “Skills & Expertise.” This placement creates a Rule 7.4 problem even though it was a third party, and not the lawyer, who added the offending language. The bar group directed lawyers to a temporary fix: instructions on how to hide third-party endorsements on a LinkedIn profile.

Risk Control Resources
• Lawyers’ Toolkit 3.0: A Guide to Managing the Attorney-Client Relationship
• Creating a Document Retention and Destruction Policy
• The Conflicts Conundrum: Avoiding and Managing Conflicts of Interest
• Client Intake Procedures: Avoiding Problematic Clients
• Wills, Trusts and Estates Practice: Minimizing Exposure to Claims from Third-Party Beneficiaries
Risk Control Hotline: 1-866-262-0034