Data Security and Privacy Risks for Law Firms · • Jesse Raymond Gilsdorf uploaded videos of...

Data Security and Privacy Risks for Law Firms

PRESENTED BY: Lisa Jaffee and Theresa Garthwaite

2

Data Security and Privacy Risks for Law Firms

Presenters

• Lisa Jaffee • CNA Specialty • (914) 524-5660 • [email protected]

• Theresa Garthwaite • CNA Risk Control • (312) 822-1622 • [email protected]

3

Disclaimer

The purpose of this presentation is to provide information, rather than advice or opinion. It is accurate to the best of the speaker's knowledge as of the date of the presentation. Accordingly, this presentation should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA. Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites. To the extent this presentation contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situations, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice. CNA is a registered trade mark of CNA Financial Corporation. Copyright © 2016 CNA. All rights reserved.

3

4

Outline for Cyber Presentation

I. Understanding Cyber Risks of Law Firms

II. Lawyers’ Duty to Provide Data Security

III. Opportunities to Advance Law Firm Security

4

5


Overview of Data Risks for Law Firms:

Why are law firms a target?

Rich collection of confidential information

Sub-standard security

Frequency of law firm data breaches

Lack of reporting requirements

Failure to detect a breach

5

Thinkstock

6


Business Reasons to Address Information Risk:

Increased cyber security regulation of law firms and clients

Clients increasingly making excellent data security a key criterion for their vendor relationships

Examples

Requirement of information security compliance programs before carriers will place cyber liability insurance coverage

6

Thinkstock

7 I. Understanding Cyber Risks Percentage of Data Breaches by Cause of Loss

7 Source: NetDiligence Cyber Claims Study 2014

http://www.netdiligence.com/NetDiligence_2014CyberClaimsStudy.pdf

8 I. Understanding Cyber Risks of Law Firms

Lawyers’ Use of Data Security Tools Spam Filters – 85% Firewalls – 71% Virus Scanning for PCs – 66% Bring Your Own Device (BYOD) access

with restrictions - 66% Virus scanning for emails – 65% File encryption – 33% E-mail encryption – 24% Full-disk encryption – 16%

8

Source: ABA TECHREPORT 2013, Legal Technology Resource Center, Security Snapshot: Threats and Opportunities

Thinkstock

9 II. Lawyers’ Duty to Provide Data Security

Ethical Obligations o MRPC 1.6* – Confidentiality

o Comment 18

o MRPC 1.1 – Competence

o Comment 8

Common Law Duties o Restatement (3rd) of the Law

Governing Lawyers (2000).

9

Thinkstock

* All references to MRPC in the presentation refer to the ABA Model Rules of Professional Conduct

10


State Regulations and Statutes

General security laws

Protect defined categories of personal information

State data breach notification requirements

Enacted in 47 states

Compliance may be complex.

10

Thinkstock


Federal Statutes Health Insurance Portability and

Accountability Act of 1996 (“HIPAA”)

The Health Information Technology for Economic and Clinical Health Act (“HITECH”)

Fair and Accurate Credit Transactions Act of 2003 (“FACTA”)

Gramm-Leach-Bliley Act (“GLBA”)

Other cybersecurity legislation

11

Thinkstock

12


What to Protect Protected health information (PHI)

Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual

Personally identifiable information (PII) – Generally, name plus: SSN Driver’s license/ government ID # Credit/debit card # Financial account information Medical insurance/health information Passwords with usernames (few states, ie. CA and FL)

Information related to a representation And more

12


“Resolved, That the American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” [Emphasis Added]

–ABA Resolution 109 - adopted 08/12/14

13


Potential Risks for Law Firms Security/ Privacy Civil Claims

Network damage claims

Regulatory Investigations

Reputational risk

Financial risk

Lost billable time

Breach response costs

Risks to computer systems

14

Thinkstock


Cost of a Potential Data Breach

Average claim payout : $733,109

$366,484 (48%) on Crisis Services*

$109,966 (15%) on Legal Defense

$73,310 (10%) on Legal Settlements

$73,310 (10%) on Regulatory Defense

$43,986 (6%) on Regulatory Fines

$80,641 (11%) for PCI** Fines

15

*Crisis Services include forensics, notification, and legal guidance ** PCI – Payment Card Industry Source: NetDiligence 2014 Cyber Claims Study

Thinkstock

16

III. Opportunities to Heighten Law Firm Security

1. Encrypt, encrypt, encrypt

2. Use Caution in the Cloud

3. Beware of BYOD

16

ThinkStock

17


4. Vet Your Vendors

5. Staff Training is Critical

6. Be Wireless Savvy

17

ThinkStock

18


7. Have a Password Policy

8. If All Else Fails, Be Prepared

9. Consider Cyber Liability Insurance

18

ThinkStock

19 CNA Lawyers’ Risk Control Resources

Go to www.cna.com

Click on Find Resources to Manage & Reduce Risk

Click on Professional & Management Liability

Article: Safe and Secure: Cyber Security Practices for Law Firms

Article: Caution in the Cumulus: Using the Cloud in Law Practice

And more

19

20

Trends in Social Media for Lawyers

21

Social Media Defined

Social media is defined as “forms of electronic communication (as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content…”

- - Source: http://www.merriam-webster.com/dictionary/social%20media

22

Examples of Social Media

• Facebook® • MySpace® • LinkedIn® • YouTube® • Twitter®* • Legal OnRamp®* • Blogs • Texting

*All of the Trademarks listed above are the property of

their respective owners

22

23

US Law Firm Blog Use

Source: 2013-2015 American Bar Association Legal Technology Survey Report

14% 15%

22%

27% 24%

26%

Year 2010 2011 2012 2013 2014 2015

24

Law Firm Social Network Presence

Source: 2013-2015 American Bar Association Legal Technology Survey

17%

42%

55% 59% 62% 61%

2010 2011 2012 2013 2014 2015

25

Law Firm Social Media Presence

Source: 2015 American Bar Association Legal Technology Survey

0% 10% 20% 30% 40% 50% 60%

LinkedIn

Facebook

Google Plus

Avvo

LawLink

None

Don't Know

26 Reasons for Social Media Use

Source: 2015 American Bar Association Legal Technology Survey

0% 10% 20% 30% 40% 50% 60% 70% 80%

Case Investigation

Education/Current Awareness

Client Development

Career Development/Networking

27 Lawyers are using social media to:

Convey value of services

Reach and connect with potential clients

Attract and retain talent

Monitor issues of interest to the lawyer and his/her clients

Keep tabs on competitors

Stay abreast of trends and news in the industry

Access information about defendants, plaintiffs, witnesses and potential jurors

Other uses

28 Social Media: Impacting Your Public Reputation

How you use social media directly affects your public reputation. Even your “lack of use” counts. What does this say?

Your competition is using social media and so are your clients!

Potential for public embarrassment

Possibility of ethical missteps

29

Recent Model Rule Revisions

“A lawyer shall provide competent representation to a client. Competent

representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”

- Model Rule of Professional Conduct 1.1

“To maintain the requisite knowledge and skill, a lawyer should keep abreast

of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

- Comment [8] to Rule 1.1

30

Social Media & Prospective Clients

ABA Model Rule 1.18: Prospective Clients Clarifies that the rule applies even in the absence of an oral discussion Comment 2: “…Whether communications, including written, oral, or

electronic communications, constitute a consultation depends on the circumstances. For example, a consultation is likely to have occurred if a lawyer, either in person or through the lawyer’s advertising in any medium, specifically requests or invites the submission of information about a potential representation without clear and reasonably understandable warnings and cautionary statements that limit the lawyer’s obligations, and a person provides information in response.”

31 Uh-Oh….

CONTACT US!! Name: Address: Phone: A brief description of your legal issue (How can we help you?) Attach relevant

documents:

32

Mitigating the “Uh-Oh…”

• [Firm] (1) does not guarantee the confidentiality of any

communications sent by e-mail or through its website, or left in voicemail messages on firm telephones. Unsolicited information and material may not be treated as (2) confidential and will not be protected by any attorney-client privilege and may be unsecured. Accessing or using this website does not create an (3) attorney-client relationship. Although the use of the web site may facilitate access to or communications with members of [firm] by e-mail or voicemail, receipt of any such communications or transmissions by any member of [firm] (4) does not create an attorney-client relationship, unless our firm formally agrees to represent you in writing.

33

Social Media & Prospective Clients,cont.

• Chatroom discussions

• Commenting on Facebook posts, etc.

34

Social Media & Confidentiality

ABA Model Rule 1.6: Duty of Confidentiality

In re Disciplinary Proceedings Against Peshek, 798 N.W.2d 879 (Wis. 2011)(IL Supreme Court suspended assistant public defender from practice for blogging personally identifiable about clients, including confidential information).

Wisconsin Supreme Court imposed reciprocal discipline on the same attorney for the same misconduct.

35

Social Media & Confidentiality, cont.

Responding to Negative Reviews on social media: • Any public response to a negative review online must not “disclose

confidential information,” must “not injure the former client in any matter involving the prior representation” and must be “proportionate and restrained.”

- Los Angeles County Bar Association, Formal Ethics Opinion #525 (12/06/12).

36 Social Media & Confidentiality, cont.

Responding to Negative Reviews on Social Media: In re Skinner, Ga., No. S13Y0105, 3/18/13 Key Holding: Stronger sanction than reprimand is called for where lawyer

posted confidential information about former client in response to negative online reviews.

Significance: Case of first impression in Georgia and one of only a few to

address this issue.

37 Social Media & Confidentiality, cont.

Posting Case Information to Websites: • ABA Formal Ethics Opinion 10-457: Attorney needs client’s consent to

disclose information about their case on websites.

• In some states, it is even prohibited to use or reveal publicly available information without client’s informed consent

38

Social Media & Confidentiality, cont.

Posting to YouTube:

• Jesse Raymond Gilsdorf uploaded videos of client obtained in discovery on YouTube entitled “Cops and Task Force Planting Drugs”, and then posted the video to his Facebook page

• The video was viewed more than 2,000 times • When viewed on a larger screen, the videos clearly showed client

dealing drugs. • The ARDC found a violation of Rule 1.6 and suspended the lawyer

for 5 months. - Illinois Bar Journal; Janan Hanna, “Lawyer Sues After his YouTube Post of Client

Leads to Suspension,” May 2014.

39 Social Media & Candor Toward a Tribunal

• Model Rule 3.3: Candor Toward a Tribunal

• Were you at a funeral or really at a party?

• One judge in Galveston, Texas, utilized Facebook to catch an

attorney who requested a continuance, allegedly because of the death of her father. The attorney, however, had recently posted a string of status updates on Facebook portraying a week of drinking and partying.

• In a separate incident, the same judge caught another attorney griping about having to handle a motion before her.

- See M. McDonough, “Facebooking Judge Catches Lawyer in Lie, Sees Ethical Breaches #ABA Chicago” (July 31, 2009).

40 Social Media & Investigating Witnesses

• A lawyer may view a witness's social media website … if the website is publicly accessible; doing so does not constitute a “communication” within the meaning of Rules 4.2 and 4.3. If the lawyer sends a request to an unrepresented witness in order to access the witness's private social media information, the request must clearly state the lawyer's name and position as a lawyer and must explain the lawyer's involvement in the matter for which the lawyer seeks the witness's information….*

New Hampshire Bar Ass’n Ethics Comm., Opinion 2012-13/5 (6/20/13) *See Also San Diego County Ethics Op. 2011-2, and Philadelphia Ethics Op. 2009-2

(consistent with this requirement); but see New York City Ethics Op. 2010-2 (there is no ethical obligation to affirmatively disclose the reason for such request).

41 Social Media & Investigating Witnesses, cont.

• …A lawyer may not send a request to follow or friend a witness's restricted social media account under a false name or using another person's account and may not direct a client or nonlawyer assistant to do so, but the lawyer may receive information from a client who has accessed such an account without direction from the lawyer. As part of the duties of competence and diligence, a lawyer who represents a client in litigation must keep abreast of, understand, and be able to effectively use investigatory tools such as social media .

New Hampshire Bar Ass’n Ethics Comm., Opinion 2012-13/5 (6/20/13)

42 Social Media & Investigating Witnesses, cont.

• A lawyer may not send a “friend” request to high-ranking employees of a litigation adversary in order to access their private Facebook pages in search of evidence if the employees are considered to be represented persons—for example, if they exercise substantial authority over the organization's policy decisions. Even if the employees are not considered to be represented persons the lawyer may not send the request without disclosing its purpose.

San Diego County Bar Association Ethics Op. 2011-2.

43 Social Media & Supervision of Non-Lawyers

• ABA Model Rule 5.3: Supervision of Non-Lawyers

– Large NJ law firm: Attorneys asked paralegals to scour the internet and to “dig up anything they could” on plaintiff.

– Paralegals sent “friend request” to plaintiff to access private information

– Violates N.J. Rule 4.2: communication with represented parties

44 Social Media & Investigating Jurors

Lawyers may have duty to investigate jurors online during the voir dire process:

Johnson v. McCullough, 306 S.W. 3d 551 (Mo. 2010) (lawyers must use

reasonable efforts to research jurors litigation history online during the voir dire process).

Ass’n of the Bar of the City of N.Y. Comm. On Professional Ethics, Formal Op. 2012-2 (standards of competence and diligence may require doing everything reasonably possible to learn about jurors).

N.H. Bar Ass’n, Op. 2012-13/05 (lawyers “have a general duty to be aware of social media as a source of potentially useful information in litigation, to be competent to obtain that information directly or through an agent, and to know how to make effective use of that information in litigation”)

45 Social Media & Investigating Jurors

But: Avoid prohibited juror communications! 3 types of lawyer review of juror’s Internet presence: Passive lawyer review of juror’s website or social media available

without an access request X Active lawyer review where lawyer requests access to the juror’s

social media; and Passive lawyer review where the juror becomes aware of the identity

of the viewer (ie. Linked In notification).

Source: ABA Formal Opinion 466 (April 24, 2014)

46 Counseling Clients on Social Media Use

Lester v. Allied Concrete Court imposed sanctions of $522,000 against an attorney and

$180,000 against his client for following the attorney’s advice to delete Facebook account postings.

Attorney was concerned that pictures of the plaintiff-husband on his Facebook account drinking beer and announcing “I (HEART) HOT MOMS!” could hurt his case.

On July 17, 2013, the Virginia State Bar Disciplinary Board suspended Matthew B. Murray’s license to practice law for five years for violating professional rules that govern candor toward the tribunal, fairness to opposing party and counsel, and misconduct


Mark Niesse, Twitter Sunk Woman’s Award after Car Crash, N.J. Law Journal (Jan. 2, 2013) (court reduced jury award after defendant introduced Twitter messages from plaintiff discussing traveling and partying after car accident).

David Smiley, Daughter’s Facebook boast costs former Gulliver Prep headmaster $80,000 discrimination settlement, Miami Herald (February 26, 2014)(court tossed out discrimination settlement ruling the ex-employee and his daughter breached the confidentiality agreement when she took to social media to brag about it).


New York County Lawyers Ass'n Comm. on Professional Ethics, Op. 745, 7/2/13

An attorney may advise clients to keep their social media privacy

settings turned on or maximized and may advise clients as to what should or should not be posted on public and/or private pages…. Provided that there is no violation of the rules or substantive law pertaining to the preservation and/or spoliation of evidence, an attorney may offer advice as to what may be kept on “private” social media pages, and what may be “taken down” or removed.

An attorney's duty to represent clients competently could, in some

circumstances, give rise to an obligation to advise clients, within legal and ethical requirements, concerning what steps to take to mitigate any adverse effects on the clients' position emanating from the clients' use of social media .

49

Counseling Clients on Social Media Use, cont.

Offering a list of ethically permissible actions, the committee concluded that a lawyer may: counsel witnesses to publish truthful information favorable to a client; discuss the content and advisability of social media posts; review posts that may be published and that have already been

published; discuss the possibility that a legal adversary may obtain access to

“private” social media pages through court orders or compulsory process;

advise clients how social media posts may be received or presented by adversaries and review how the factual context of the posts may affect their perception; and

discuss possible lines of cross-examination.

50 LinkedIn & Attorney Advertising

A law firm may not describe its services under a section on LinkedIn devoted to “Specialties,” but an individual lawyer may do so if she has been appropriately certified and complies with the disclaimer requirements that apply to communications about practice area specialization. New York State Bar Ass'n Comm. on Prof'l Ethics, Op. 972, 6/26/13.

A lawyer may advertise through LinkedIn and may list general areas of practice under the site's “Skills and Expertise” section but may not use the service's subjective designations “expert” or “experienced” unless in compliance with Rule 7.4. The lawyer must monitor any comments posted to the page and should immediately remove comments that are misleading or that convey unreasonable or unquantifiable expectations. Professional Guidance Committee of the Philadelphia Bar Association Opinion 2012-8 (11/12).

A problematic feature on LinkedIn allows members of the public to add

endorsements of a lawyer's “expertise” to the lawyer's online profile. The endorser's comments then appear on “an as-yet unremovable section on each lawyer's page” entitled “Skills & Expertise.” This placement creates a Rule 7.4 problem even though it was a third party, and not the lawyer, who added the offending language. The bar group directed lawyers to a temporary fix: instructions on how to hide third-party endorsements on a LinkedIn profile.

51

Risk Control Resources

Lawyers’ Toolkit 3.0: A Guide to Managing the Attorney-Client Relationship

Creating a Document Retention and Destruction Policy

The Conflicts Conundrum: Avoiding and Managing Conflicts of Interest

Client Intake Procedures: Avoiding Problematic Clients

Wills, Trusts and Estates Practice: Minimizing Exposure to Claims from Third-Party Beneficiaries

Risk Control Hotline: 1-866-262-0034

Data Security and Privacy Risks for Law Firms · • Jesse Raymond Gilsdorf uploaded videos of...

Documents

Transcript of Data Security and Privacy Risks for Law Firms · • Jesse Raymond Gilsdorf uploaded videos of...