
Who is liable when a data breach occurs?

According to the Identity Theft Resource Center’s (ITRC) 2017 Annual Data Breach Year-End Review, the number of U.S. data breaches tracked in 2017 reached a new all-time high of 1,579, up 44.7 percent from the previous record of 1,091 set in 2016. The count covers the five sectors the ITRC tracks: banking, business, education, government/military, and healthcare. Business led with 584 breaches. Hacking was the leading attack method, followed by phishing emails, malware, and employee error or negligence.

In the legal sector alone, the cybersecurity firm Mandiant estimated that at least 80 of the 100 largest law firms in the country, by revenue, had been hacked since 2011.[1]

The number of breaches and attempted breaches, and the sophistication of the attackers behind them, grow each year. No amount of security can perfectly seal a system off from intruders. The question, then, is who is ultimately responsible for the integrity of a customer's personal information (PI) when a breach occurs.

Organizations once relied exclusively on their own servers in on-site, proprietary data centers. Data storage has increasingly shifted off site to third-party public cloud providers.

In a cloud-based environment there are generally three parties involved: (1) the end customer or user of the service (an individual or an organization); (2) the data owner, the business that provides services or products to the customer (for example Target, PayPal, Macy's, or any law firm); and (3) the data holder, a third-party cloud service provider that hosts the data owner's data and applications (storage, application, hardware), such as IBM Cloud, Microsoft Azure, or Amazon Web Services (AWS).

PI is especially exposed in the cloud because of threats that do not arise in the same form on premises: limited visibility into the provider's operations; management that is remote and indirect; a larger external attack surface, since anyone can open an account with the same provider and run workloads on shared infrastructure; a larger malicious-insider threat, since the data owner does not directly control who can access or administer the underlying systems; and insecure application programming interfaces (APIs), which are reachable from the internet by design.

In a big data environment, PI is spread across a large storage network (generally, though not always, in the data owner's own data center) with many points of vulnerability owing to the volume of data, the velocity at which it moves, and the number of distributed devices that hold it.

Data owners (any firm or organization) are responsible for the PI of their customers and clients. A data intrusion at a law firm may affect the PI of the firm's employees as well as of the clients it works with.

Luke Dembosky, a cybersecurity and litigation partner at Debevoise & Plimpton, sees law firms as having particular vulnerabilities as targets. "As vendors, law firms are attractive targets. They not only hold valuable client information but also are regularly emailing attachments to clients, providing a possible means to get into client systems,” he says. “Second, law firms are seen as high-value targets for the rapidly growing use of ‘ransomware’ and extortion schemes because they have historically weak defenses and are seen as able to pay large sums.”[2]

The question of legal responsibility for an affected organization, however, is not cut and dried.

With growing and increasingly severe intrusions such as the recent ones at Target, Chase, Anthem and others, Congress, regulators and state governments are looking at how to protect PI from unauthorized access. There is currently no central federal mandate covering data breaches that affect personal information. However, all states require organizations to notify affected residents, and in some cases regulators, when a data breach occurs.

In a cloud environment, under U.S. law (with the exception of HIPAA, which places direct liability on the data holder) and under standard contract terms, it is the data owner that faces liability for losses resulting from a data breach, even when the security failure is the fault of the data holder (the cloud provider). Why?

Standard vendor agreements exclude consequential damages and cap direct damages. In most cases, all damages flowing from a breach at the data holder will be treated as consequential damages and barred by a standard provision disclaiming all liability for them. If sensitive or regulated data such as protected health information (PHI) under HIPAA is stored in the cloud and a breach occurs, it is the data owner that is required to disclose the breach and notify potential victims. A law firm holding PHI is a “business associate” under HIPAA and is subject to its requirements. Agreements typically require the data holder to report a breach to the data owner and to assist in the investigation.

If the breach results from a cyberattack on a traditional data owner's own network and data center, the data owner is, of course, the party potentially liable.

However, how far does that liability extend? State and federal data privacy laws in the U.S. do not impose civil liability carte blanche in the event of a cyber intrusion. Liability is generally imposed where one of the following conditions exists:

  • The entity failed to implement safeguards required by statute, or reasonable security measures
  • The entity failed to remedy or mitigate the damage once the breach occurred
  • The entity failed to notify affected individuals in a timely manner under a state’s data breach notification statute, which may give rise to civil penalties imposed by a state attorney general or other state enforcement agency

In effect, negligence must be proven in any litigation. Liability can also arise, however, from contractual indemnification or service agreements in effect toward affected individuals or between business entities.

The damages of an unwanted intrusion
The costs and liabilities of a data breach to a law firm or company may include some or all of the following:

  • Individual and class action lawsuits by customers and shareholders, settlement payments, and legal expenses. Depending on the case, liability can include civil monetary compensation for economic losses incurred by the victims and reimbursement of their out-of-pocket expenses to restore the integrity of the compromised personal information. Emotional distress of victims may also come into play.
  • Government investigations and potential penalties
  • Outside response teams and audits being required
  • Digital investigation and forensic services
  • Rebuilding of information infrastructure
  • Implementing new or enhanced identity theft protection services
  • Identity theft insurance impacts
  • Potential malpractice claims

Collateral damage can include damage to reputation, consequential loss of business and revenue, and replacement of management.

Data breach response & mitigation
For any firm or organization the nature of a data breach can vary widely. The severity of a data breach is contingent on numerous factors:

  • Nature of the infringement - number of people affected, the damage they suffered, duration of the infringement, and purpose of the processing
  • Intention - whether the infringement was intentional or negligent
  • Mitigation - actions taken to mitigate damage to data subjects
  • Preventative measures - how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
  • Past relevant infringements - whether there has been a pattern of negligence or incidents
  • Cooperation - how cooperative the firm has been with the supervisory authority in remedying the infringement
  • Data type - what specific information was compromised
  • Notification - whether the breach was reported to the supervisory authority in a timely manner by the firm or by a third party
  • Certification - whether the organization had qualified under approved certifications or adhered to approved codes of conduct

The best defense is a good offense. Having an effective breach management process is key to mitigating a serious intrusion and reassuring clients:

Incident preparation and risk management, including incident response planning. Organizations should implement the infrastructure for preventing, detecting, and responding to security incidents. This includes not only anti-malware and firewall hardware and software but also threat analysis, incident training, response protocols and standards, agile management, and remediation policies and procedures. The cost of this infrastructure can be a challenge for small law firms.

Incident investigation and legal assessment. An incident investigation team or individual should be designated, and the organization's legal responsibilities should be known and documented ahead of time.

Notification of affected individuals and other entities, if required. Breach communications should be drafted ahead of time, and customer/client lists should be kept in secure offline or backup locations so that they remain available if production systems are compromised.

Post-incident review and management. Assess the vulnerability and the other contributing factors that led to the compromise, and if necessary engage a third-party cybersecurity firm to help secure the data against future threats.

Law firms and other legal providers should undergo regular security assessments and penetration testing by third-party vendors to reduce the likelihood of a breach. This includes external tests to find what parts of the system are exposed on the internet as well as tests of web and mobile applications for vulnerabilities. Another proactive measure to mitigate the fallout of a data breach is to invest in appropriate cyber liability insurance. A layered data protection approach can raise the cost of getting in to the point where the effort is no longer worth it to an attacker.

  1. ABA Journal “Law Firms Must Manage Cybersecurity Risks” (March 2017) http://www.abajournal.com/magazine/article/managing_cybersecurity_risk
  2. Ibid