Data Security and Privacy Risks for Law Firms

PRESENTED BY: Lisa Jaffee and Theresa Garthwaite

Presenters
Lisa Jaffee
CNA Specialty
(914) 524-5660
lisa.jaffee@cna.com
Theresa Garthwaite
CNA Risk Control
(312) 822-1622
theresa.garthwaite@cna.com
Disclaimer
The purpose of this presentation is to provide information, rather than advice or opinion. It is accurate
to the best of the speaker's knowledge as of the date of the presentation. Accordingly, this
presentation should not be viewed as a substitute for the guidance and recommendations of a retained
professional. In addition, CNA does not endorse any coverages, systems, processes or protocols
addressed herein unless they are produced or created by CNA.
Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any
responsibility with respect to such websites.
To the extent this presentation contains any examples, please note that they are for illustrative
purposes only and any similarity to actual individuals, entities, places or situations is unintentional and
purely coincidental. In addition, any examples are not intended to establish any standards of care, to
serve as legal advice appropriate for any particular factual situations, or to provide an
acknowledgement that any given factual situation is covered under any CNA insurance policy. Please
remember that only the relevant insurance policy can provide the actual terms, coverages, amounts,
conditions and exclusions for an insured. All CNA products and services may not be available in all
states and may be subject to change without notice.
CNA is a registered trademark of CNA Financial Corporation. Copyright © 2016 CNA. All rights reserved.

Outline for Cyber Presentation
I. Understanding Cyber Risks of Law Firms
II. Lawyers’ Duty to Provide Data Security
III. Opportunities to Advance Law Firm Security

I. Understanding Cyber Risks of Law Firms
Overview of Data Risks for Law Firms:
• Why are law firms a target?
• Rich collection of confidential information
• Sub-standard security
• Frequency of law firm data breaches
• Lack of reporting requirements
• Failure to detect a breach

I. Understanding Cyber Risks of Law Firms
Business Reasons to Address Information Risk:
• Increased cyber security regulation of law firms and clients
• Clients increasingly making excellent data security a key criterion for their vendor relationships
• Examples
• Requirement of information security compliance programs before carriers will place cyber liability insurance coverage

I. Understanding Cyber Risks
Percentage of Data Breaches by Cause of Loss
[Chart not reproduced in this transcription: percentage of data breaches by cause of loss]
Source: NetDiligence Cyber Claims Study 2014
http://www.netdiligence.com/NetDiligence_2014CyberClaimsStudy.pdf

I. Understanding Cyber Risks of Law Firms
Lawyers’ Use of Data Security Tools
• Spam Filters – 85%
• Firewalls – 71%
• Virus Scanning for PCs – 66%
• Bring Your Own Device (BYOD) access with restrictions – 66%
• Virus scanning for emails – 65%
• File encryption – 33%
• E-mail encryption – 24%
• Full-disk encryption – 16%
Source: ABA TECHREPORT 2013, Legal Technology Resource Center, Security Snapshot: Threats and Opportunities

II. Lawyers’ Duty to Provide Data Security
Ethical Obligations
o MRPC 1.6* – Confidentiality
  o Comment 18
o MRPC 1.1 – Competence
  o Comment 8
Common Law Duties
o Restatement (3rd) of the Law Governing Lawyers (2000).
* All references to MRPC in the presentation refer to the ABA Model Rules of Professional Conduct.

II. Lawyers’ Duty to Provide Data Security
State Regulations and Statutes
• General security laws
  • Protect defined categories of personal information
• State data breach notification requirements
  • Enacted in 47 states
  • Compliance may be complex.

II. Lawyers’ Duty to Provide Data Security
Federal Statutes
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• The Health Information Technology for Economic and Clinical Health Act (“HITECH”)
• Fair and Accurate Credit Transactions Act of 2003 (“FACTA”)
• Gramm-Leach-Bliley Act (“GLBA”)
• Other cybersecurity legislation

II. Lawyers’ Duty to Provide Data Security
What to Protect
• Protected health information (PHI)
  • Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual
• Personally identifiable information (PII) – Generally, name plus:
  • SSN
  • Driver’s license/government ID #
  • Credit/debit card #
  • Financial account information
  • Medical insurance/health information
  • Passwords with usernames (a few states, e.g. CA and FL)
• Information related to a representation
• And more

II. Lawyers’ Duty to Provide Data Security
“Resolved, That the American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” [Emphasis Added]
– ABA Resolution 109, adopted 08/12/14

II. Lawyers’ Duty to Provide Data Security
Potential Risks for Law Firms
• Security/Privacy Civil Claims
• Network damage claims
• Regulatory Investigations
• Reputational risk
• Financial risk
• Lost billable time
• Breach response costs
• Risks to computer systems

II. Lawyers’ Duty to Provide Data Security
Cost of a Potential Data Breach
• Average claim payout: $733,109
  • $366,484 (48%) on Crisis Services*
  • $109,966 (15%) on Legal Defense
  • $73,310 (10%) on Legal Settlements
  • $73,310 (10%) on Regulatory Defense
  • $43,986 (6%) on Regulatory Fines
  • $80,641 (11%) for PCI** Fines
* Crisis Services include forensics, notification, and legal guidance
** PCI – Payment Card Industry
Source: NetDiligence 2014 Cyber Claims Study

III. Opportunities to Heighten Law Firm Security
1. Encrypt, encrypt, encrypt
2. Use Caution in the Cloud
3. Beware of BYOD
4. Vet Your Vendors
5. Staff Training is Critical
6. Be Wireless Savvy
7. Have a Password Policy
8. If All Else Fails, Be Prepared
9. Consider Cyber Liability Insurance

CNA Lawyers’ Risk Control Resources
• Go to www.cna.com
• Click on Find Resources to Manage & Reduce Risk
• Click on Professional & Management Liability
• Article: Safe and Secure: Cyber Security Practices for Law Firms
• Article: Caution in the Cumulus: Using the Cloud in Law Practice
• And more

Trends in Social Media for Lawyers

Social Media Defined
Social media is defined as “forms of electronic communication (as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content…”
– Source: http://www.merriam-webster.com/dictionary/social%20media

Examples of Social Media
• Facebook®
• MySpace®
• LinkedIn®
• YouTube®
• Twitter®*
• Legal OnRamp®*
• Blogs
• Texting
* All of the Trademarks listed above are the property of their respective owners

US Law Firm Blog Use
[Chart: US law firm blog use by year, 2010–2015 (values plotted: 14%, 15%, 22%, 24%, 26%, 27%; year-to-value mapping lost in extraction)]
Source: 2013-2015 American Bar Association Legal Technology Survey Report

Law Firm Social Network Presence
[Chart: law firm social network presence by year, 2010–2015 (values plotted: 17%, 42%, 55%, 59%, 61%, 62%; year-to-value mapping lost in extraction)]
Source: 2013-2015 American Bar Association Legal Technology Survey

Law Firm Social Media Presence
[Chart: percentage of law firms with a presence on each network: LinkedIn, Facebook, Google Plus, Avvo, LawLink, None, Don't Know (axis 0%–60%; bar values lost in extraction)]
Source: 2015 American Bar Association Legal Technology Survey

Reasons for Social Media Use
[Chart: Career Development/Networking, Client Development, Education/Current Awareness, Case Investigation (axis 0%–80%; bar values lost in extraction)]
Source: 2015 American Bar Association Legal Technology Survey

Lawyers are using social media to:
• Convey value of services
• Reach and connect with potential clients
• Attract and retain talent
• Monitor issues of interest to the lawyer and his/her clients
• Keep tabs on competitors
• Stay abreast of trends and news in the industry
• Access information about defendants, plaintiffs, witnesses and potential jurors
• Other uses

Social Media: Impacting Your Public Reputation
• How you use social media directly affects your public reputation.
• Even your “lack of use” counts. What does this say?
• Your competition is using social media and so are your clients!
• Potential for public embarrassment
• Possibility of ethical missteps

Recent Model Rule Revisions
“A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”
– Model Rule of Professional Conduct 1.1
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
– Comment [8] to Rule 1.1

Social Media & Prospective Clients
• ABA Model Rule 1.18: Prospective Clients
• Clarifies that the rule applies even in the absence of an oral discussion
• Comment 2: “…Whether communications, including written, oral, or electronic communications, constitute a consultation depends on the circumstances. For example, a consultation is likely to have occurred if a lawyer, either in person or through the lawyer’s advertising in any medium, specifically requests or invites the submission of information about a potential representation without clear and reasonably understandable warnings and cautionary statements that limit the lawyer’s obligations, and a person provides information in response.”
Uh-Oh….
CONTACT US!!
Name:
Address:
Phone:
A brief description of your legal issue (How can we help you?)
Attach relevant documents:

Mitigating the “Uh-Oh…”
• [Firm] (1) does not guarantee the confidentiality of any communications sent by e-mail or through its website, or left in voicemail messages on firm telephones. Unsolicited information and material may not be treated as (2) confidential and will not be protected by any attorney-client privilege and may be unsecured. Accessing or using this website does not create an (3) attorney-client relationship. Although the use of the web site may facilitate access to or communications with members of [firm] by e-mail or voicemail, receipt of any such communications or transmissions by any member of [firm] (4) does not create an attorney-client relationship, unless our firm formally agrees to represent you in writing.

Social Media & Prospective Clients, cont.
• Chatroom discussions
• Commenting on Facebook posts, etc.

Social Media & Confidentiality
• ABA Model Rule 1.6: Duty of Confidentiality
• In re Disciplinary Proceedings Against Peshek, 798 N.W.2d 879 (Wis. 2011) (IL Supreme Court suspended assistant public defender from practice for blogging personally identifiable information about clients, including confidential information).
• Wisconsin Supreme Court imposed reciprocal discipline on the same attorney for the same misconduct.

Social Media & Confidentiality, cont.
Responding to Negative Reviews on Social Media:
• Any public response to a negative review online must not “disclose confidential information,” must “not injure the former client in any matter involving the prior representation” and must be “proportionate and restrained.”
– Los Angeles County Bar Association, Formal Ethics Opinion #525 (12/06/12).

Social Media & Confidentiality, cont.
Responding to Negative Reviews on Social Media:
In re Skinner, Ga., No. S13Y0105, 3/18/13
• Key Holding: Stronger sanction than reprimand is called for where lawyer posted confidential information about former client in response to negative online reviews.
• Significance: Case of first impression in Georgia and one of only a few to address this issue.

Social Media & Confidentiality, cont.
Posting Case Information to Websites:
• ABA Formal Ethics Opinion 10-457: Attorney needs client’s consent to disclose information about their case on websites.
• In some states, it is even prohibited to use or reveal publicly available information without client’s informed consent.

Social Media & Confidentiality, cont.
Posting to YouTube:
• Jesse Raymond Gilsdorf uploaded to YouTube videos of his client that he had obtained in discovery, entitled “Cops and Task Force Planting Drugs”, and then posted the video to his Facebook page
• The video was viewed more than 2,000 times
• When viewed on a larger screen, the videos clearly showed the client dealing drugs.
• The ARDC found a violation of Rule 1.6 and suspended the lawyer for 5 months.
– Illinois Bar Journal; Janan Hanna, “Lawyer Sues After his YouTube Post of Client Leads to Suspension,” May 2014.

Social Media & Candor Toward a Tribunal
• Model Rule 3.3: Candor Toward a Tribunal
• Were you at a funeral or really at a party?
• One judge in Galveston, Texas, utilized Facebook to catch an attorney who requested a continuance, allegedly because of the death of her father. The attorney, however, had recently posted a string of status updates on Facebook portraying a week of drinking and partying.
• In a separate incident, the same judge caught another attorney griping about having to handle a motion before her.
– See M. McDonough, “Facebooking Judge Catches Lawyer in Lie, Sees Ethical Breaches #ABA Chicago” (July 31, 2009).

Social Media & Investigating Witnesses
• A lawyer may view a witness's social media website … if the website is publicly accessible; doing so does not constitute a “communication” within the meaning of Rules 4.2 and 4.3. If the lawyer sends a request to an unrepresented witness in order to access the witness's private social media information, the request must clearly state the lawyer's name and position as a lawyer and must explain the lawyer's involvement in the matter for which the lawyer seeks the witness's information….*
New Hampshire Bar Ass’n Ethics Comm., Opinion 2012-13/5 (6/20/13)
* See also San Diego County Ethics Op. 2011-2, and Philadelphia Ethics Op. 2009-2 (consistent with this requirement); but see New York City Ethics Op. 2010-2 (there is no ethical obligation to affirmatively disclose the reason for such request).

Social Media & Investigating Witnesses, cont.
• …A lawyer may not send a request to follow or friend a witness's restricted social media account under a false name or using another person's account and may not direct a client or nonlawyer assistant to do so, but the lawyer may receive information from a client who has accessed such an account without direction from the lawyer. As part of the duties of competence and diligence, a lawyer who represents a client in litigation must keep abreast of, understand, and be able to effectively use investigatory tools such as social media.
New Hampshire Bar Ass’n Ethics Comm., Opinion 2012-13/5 (6/20/13)

Social Media & Investigating Witnesses, cont.
• A lawyer may not send a “friend” request to high-ranking employees of a litigation adversary in order to access their private Facebook pages in search of evidence if the employees are considered to be represented persons—for example, if they exercise substantial authority over the organization's policy decisions. Even if the employees are not considered to be represented persons the lawyer may not send the request without disclosing its purpose.
San Diego County Bar Association Ethics Op. 2011-2.

Social Media & Supervision of Non-Lawyers
• ABA Model Rule 5.3: Supervision of Non-Lawyers
  – Large NJ law firm: Attorneys asked paralegals to scour the internet and to “dig up anything they could” on plaintiff.
  – Paralegals sent “friend request” to plaintiff to access private information
  – Violates N.J. Rule 4.2: communication with represented parties

Social Media & Investigating Jurors
Lawyers may have duty to investigate jurors online during the voir dire process:
• Johnson v. McCullough, 306 S.W.3d 551 (Mo. 2010) (lawyers must use reasonable efforts to research jurors’ litigation history online during the voir dire process).
• Ass’n of the Bar of the City of N.Y. Comm. on Professional Ethics, Formal Op. 2012-2 (standards of competence and diligence may require doing everything reasonably possible to learn about jurors).
• N.H. Bar Ass’n, Op. 2012-13/05 (lawyers “have a general duty to be aware of social media as a source of potentially useful information in litigation, to be competent to obtain that information directly or through an agent, and to know how to make effective use of that information in litigation”)

Social Media & Investigating Jurors
But: Avoid prohibited juror communications!
3 types of lawyer review of juror’s Internet presence:
✓ Passive lawyer review of juror’s website or social media available without an access request
X Active lawyer review where lawyer requests access to the juror’s social media; and
✓ Passive lawyer review where the juror becomes aware of the identity of the viewer (e.g. LinkedIn notification).
Source: ABA Formal Opinion 466 (April 24, 2014)

Counseling Clients on Social Media Use
Lester v. Allied Concrete
• Court imposed sanctions of $522,000 against an attorney and $180,000 against his client for following the attorney’s advice to delete Facebook account postings.
• Attorney was concerned that pictures of the plaintiff-husband on his Facebook account drinking beer and announcing “I (HEART) HOT MOMS!” could hurt his case.
• On July 17, 2013, the Virginia State Bar Disciplinary Board suspended Matthew B. Murray’s license to practice law for five years for violating professional rules that govern candor toward the tribunal, fairness to opposing party and counsel, and misconduct.

Counseling Clients on Social Media Use
• Mark Niesse, Twitter Sunk Woman’s Award after Car Crash, N.J. Law Journal (Jan. 2, 2013) (court reduced jury award after defendant introduced Twitter messages from plaintiff discussing traveling and partying after car accident).
• David Smiley, Daughter’s Facebook boast costs former Gulliver Prep headmaster $80,000 discrimination settlement, Miami Herald (February 26, 2014) (court tossed out discrimination settlement ruling the ex-employee and his daughter breached the confidentiality agreement when she took to social media to brag about it).

Counseling Clients on Social Media Use
• New York County Lawyers Ass'n Comm. on Professional Ethics, Op. 745, 7/2/13
  • An attorney may advise clients to keep their social media privacy settings turned on or maximized and may advise clients as to what should or should not be posted on public and/or private pages…. Provided that there is no violation of the rules or substantive law pertaining to the preservation and/or spoliation of evidence, an attorney may offer advice as to what may be kept on “private” social media pages, and what may be “taken down” or removed.
  • An attorney's duty to represent clients competently could, in some circumstances, give rise to an obligation to advise clients, within legal and ethical requirements, concerning what steps to take to mitigate any adverse effects on the clients' position emanating from the clients' use of social media.

Counseling Clients on Social Media Use, cont.
• Offering a list of ethically permissible actions, the committee concluded that a lawyer may:
  • counsel witnesses to publish truthful information favorable to a client;
  • discuss the content and advisability of social media posts;
  • review posts that may be published and that have already been published;
  • discuss the possibility that a legal adversary may obtain access to “private” social media pages through court orders or compulsory process;
  • advise clients how social media posts may be received or presented by adversaries and review how the factual context of the posts may affect their perception; and
  • discuss possible lines of cross-examination.

LinkedIn & Attorney Advertising
• A law firm may not describe its services under a section on LinkedIn devoted to “Specialties,” but an individual lawyer may do so if she has been appropriately certified and complies with the disclaimer requirements that apply to communications about practice area specialization. New York State Bar Ass'n Comm. on Prof'l Ethics, Op. 972, 6/26/13.
• A lawyer may advertise through LinkedIn and may list general areas of practice under the site's “Skills and Expertise” section but may not use the service's subjective designations “expert” or “experienced” unless in compliance with Rule 7.4. The lawyer must monitor any comments posted to the page and should immediately remove comments that are misleading or that convey unreasonable or unquantifiable expectations. Professional Guidance Committee of the Philadelphia Bar Association Opinion 2012-8 (11/12).
• A problematic feature on LinkedIn allows members of the public to add endorsements of a lawyer's “expertise” to the lawyer's online profile. The endorser's comments then appear on “an as-yet unremovable section on each lawyer's page” entitled “Skills & Expertise.” This placement creates a Rule 7.4 problem even though it was a third party, and not the lawyer, who added the offending language. The bar group directed lawyers to a temporary fix: instructions on how to hide third-party endorsements on a LinkedIn profile.

Risk Control Resources
• Lawyers’ Toolkit 3.0: A Guide to Managing the Attorney-Client Relationship
• Creating a Document Retention and Destruction Policy
• The Conflicts Conundrum: Avoiding and Managing Conflicts of Interest
• Client Intake Procedures: Avoiding Problematic Clients
• Wills, Trusts and Estates Practice: Minimizing Exposure to Claims from Third-Party Beneficiaries
Risk Control Hotline: 1-866-262-0034