Law Firms: Updated Cybersecurity Primer and Other Resources

Several years ago, we published a short primer for law firms intending to provide a brief discussion of key cybersecurity issues, including some helpful steps for safeguarding the client personal and confidential information they maintain. Since then, attacks against firms have increased, ethical rules are tightening, and clients are growing concerned.  In at least one instance – and likely more to follow – client concerns resulted in litigation between firm and client over the adequacy of the firm’s cybersecurity safeguards.

We updated that primer (download here). We also prepared a two-part webinar series to help firms think through their cybersecurity risks. Part One provides an overview of the legal, contractual and ethical risks firms face. Part Two discusses some best practices for navigating client service agreements, breach response and assessments.

The recent global ransomware attack should spur all organizations to think about what they are doing to safeguard their systems and data. Of course, doing something now and leaving those efforts on the shelf is not the right approach. The process of evaluating risks and implementing steps to address those risks is ongoing.

President Trump’s Executive Order on Cybersecurity…

On May 11, 2017 – after weeks of anticipation – the White House released an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.  There could not be better timing with a global cyberattack unleashing ransomware against governments and companies in nearly 100 countries around the globe. This newly released Executive Order is a virtually complete re-cast of the draft Executive Order, with everything but the General Provisions in new format, structure and language.  The core concepts that were included in the prior draft, however, appear to be consistent in the final EO (with the promised tweaks).

The EO is intended to modernize, improve and maintain the infrastructure of federal agency information technology and coordinate the efforts of these agencies, and thereby provide for increased risk management. The heads of federal agencies will

be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.

These measures must be taken in accordance with the NIST cybersecurity standards (or any successor thereto).  Risk management reports detailing measures taken to date and action plans for implementing the NIST cybersecurity standards must be provided to the Office of Management and Budget and the Secretary of Homeland Security within 90 days of the EO (or, at light speed for government). Within 60 days of these reports, the Director of OMB and his designated posse must report to the President on whether the agency reports are appropriate and sufficient, together with a plan to implement through policies and additional measures that may be needed (aligned with the NIST cybersecurity standards), as well as budgetary needs.

The EO also covers cybersecurity of critical infrastructure, building upon Executive Order 13636, issued by President Obama in 2013. Headed by the Secretary of Homeland Security, a designated group of agencies will collaborate to identify measures that could be taken by federal agencies to support the cybersecurity of critical infrastructure, in collaboration with identified critical infrastructure entities.  This group must provide a report to the President within 180 days of the EO.  Additionally, an “open and transparent” process will be used to foster collaboration among agencies and other stakeholders to reduce botnet threats.  A cast of agencies is designated to lead this effort, work with the stakeholders, and provide a report which would be publicly available in preliminary form within 240 days after the EO and in final form within one year of the EO.  (The term “appropriate stakeholders” is defined as “any non-executive branch person or entity that elects to participate in an open and transparent process” as established by the Secretaries of Homeland Security and Commerce.)

The third and final topic covered by the EO addresses cybersecurity for the nation, to address “strategic options for deterring adversaries and better protecting the American people from cyber threats,” a means to address international cybersecurity priorities, and workforce development in the cybersecurity field.   Assigned groups of agencies will submit reports to the President on these matters in 90 days, 90 days and 120 days, respectively.

We will look forward to more on the reports under the EO, as they inform the direction ahead.

Company Awarded Damages After Former Employee Hacks Its Systems and Hijacks Its Website

A company can recover damages from its former employee in connection with his hacking into its payroll system to inflate his pay, accessing its proprietary files without authorization and hijacking its website, a federal court ruled. Tyan, Inc. v. Yovan Garcia, Case No. CV 15-05443-MWF (JPRx) (C.D. Cal. May 2, 2017).

The Defendant worked as a patrol officer for a security company. The company noticed that its payroll system indicated that the Defendant was working substantial overtime hours that were inconsistent with his scheduled hours. Upon further investigation, the company learned that the Defendant had accessed the payroll system without authorization from the laptop in his patrol car. When the company confronted him, the Defendant claimed a competitor had hacked the payroll system as a means to pay him to keep quiet about his discovery that the competitor had taken confidential information from the company. A few months later, shortly after the Defendant left the company, the company’s computer system was hacked and its website was hijacked. The company later filed suit against the Defendant alleging he was responsible for the hack and the hijacking.

Following a bench trial, the court concluded the Defendant had used an administrative password the company had not given him to inflate his hours in its payroll system. The court also found the Defendant hijacked the company’s website and posted an unflattering image of the company’s owner on the website. In addition, the court found the Defendant engaged in a conspiracy to steal confidential files from the company’s computer system by accessing it remotely without authorization and destroyed some of the company’s computer files and servers.

The court concluded that the aim of the conspiracy in which the Defendant was engaged was twofold: first, to damage his former employer in an effort to reduce its competitive advantage; and second, to obtain access to those files that gave his former employer its business advantage, and use them to solicit its clients on behalf of a company he started. The court also found that by accessing the company’s protected network to artificially inflate his hours and by participating in the conspiracy to hack the company’s systems, the Defendant was liable for violations of the Computer Fraud and Abuse Act, the Stored Communications Act, the California Computer Data Access and Fraud Act, and the California Uniform Trade Secrets Act.

As a result of Defendant’s misconduct, the court awarded the company $318,661.70 in actual damages, including damages for the inflated wages the company paid the Defendant, the cost of consultant services to repair the damage from the hack, increased payroll costs for time spent by employees rebuilding records and databases destroyed in the hack, the resale value of the company’s proprietary files, and lost profits caused by the hack. The court declined to award punitive damages under the California Uniform Trade Secrets Act, but left open the possibility that the Plaintiff may recover its attorneys’ fees at a later date.

Take Away

Companies are reminded that malicious insiders, in particular disgruntled former employees, who retain access to parts of the system that external attackers generally cannot easily reach, are often behind the most costly data breaches. In this case the Defendant did not need an exploit: he used an administrative password he was never given, from a company-issued laptop, and kept that access after he left.

Steps should be taken to mitigate insider threats including:

  • Limiting remote access to company systems
  • Increased monitoring of company systems following a negative workplace event such as the departure of a disgruntled employee
  • Changing passwords and deactivating accounts during the termination process
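The three steps above are only effective if someone verifies they actually happened. The following script is an added example, not code from the original post or from the Tyan case, showing how the checks can be run over an HR offboarding roster and an authentication log: it flags successful logins by departed users after their termination time, departed accounts still enabled in the directory, shared administrative credentials (such as the admin password at issue in Tyan) not rotated since the last departure, and shared-account logins from a source address that a departed user also used. The roster, credential list, log lines and log format are all constructed for illustration and are not any vendor's real schema.

```python
"""Added example: post-termination access checks over constructed data.

Assumptions (not from the original post): a roster mapping user -> termination
time and directory status, a list of shared admin credentials with their last
rotation time, and syslog-like auth lines of the form
    <UTC timestamp> <user> <success|failure> <source ip> <system>
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed HR roster: who left, when (UTC), and whether the directory
# account is still enabled. In practice this is pulled from HR and the IdP.
TERMINATED = {
    "jgarcia": {"terminated": "2015-03-01T17:00:00Z", "enabled": True},
    "asmith":  {"terminated": "2015-02-15T17:00:00Z", "enabled": False},
}

# Constructed shared (non-personal) admin credentials -> last rotation time.
SHARED_CREDENTIALS = {
    "payroll-admin": "2014-11-01T00:00:00Z",
    "web-admin":     "2015-03-02T09:00:00Z",
}

# Constructed auth log. Only the second jgarcia line is after his departure.
AUTH_LOG = """\
2015-02-28T22:10:05Z jgarcia success 10.20.30.41 payroll
2015-03-03T01:42:11Z jgarcia success 10.20.30.41 payroll
2015-03-05T03:07:59Z jgarcia failure 203.0.113.7 vpn
2015-03-06T02:15:00Z payroll-admin success 203.0.113.7 payroll
2015-03-04T12:00:00Z bjones success 10.20.30.12 email
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<result>success|failure)\s+"
    r"(?P<src>\S+)\s+(?P<system>\S+)$"
)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    detail: str


def parse_log(log_text: str):
    """Yield parsed dicts; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "when": parse_ts(m["ts"])}


def post_termination_logins(log_text, roster):
    """Successful logins by a departed user after their termination time."""
    out = []
    for ev in parse_log(log_text):
        r = roster.get(ev["user"])
        if r and ev["result"] == "success" and ev["when"] > parse_ts(r["terminated"]):
            out.append(Finding("post_termination_login", ev["user"],
                               f"{ev['ts']} from {ev['src']} to {ev['system']}"))
    return out


def accounts_not_disabled(roster):
    """Departed users whose directory account is still enabled."""
    return [Finding("account_still_enabled", u, f"terminated {r['terminated']}")
            for u, r in roster.items() if r["enabled"]]


def unrotated_shared_credentials(roster, creds):
    """Conservative: every departed user is treated as a possible holder of a
    shared credential, so each must have been rotated after the last departure."""
    last_departure = max(parse_ts(r["terminated"]) for r in roster.values())
    return [Finding("shared_credential_not_rotated", name, f"last rotated {rotated}")
            for name, rotated in creds.items() if parse_ts(rotated) < last_departure]


def shared_account_from_departed_source(log_text, roster, creds):
    """Shared-account logins from an address a departed user used after leaving
    (success or failure both count: a failed VPN attempt still reveals the source)."""
    events = list(parse_log(log_text))
    suspect_srcs = {ev["src"] for ev in events
                    if ev["user"] in roster and ev["when"] > parse_ts(roster[ev["user"]]["terminated"])}
    return [Finding("shared_account_from_departed_source", ev["user"],
                    f"{ev['ts']} from {ev['src']} to {ev['system']}")
            for ev in events
            if ev["user"] in creds and ev["result"] == "success" and ev["src"] in suspect_srcs]


def run_offboarding_checks(log_text=AUTH_LOG, roster=TERMINATED, creds=SHARED_CREDENTIALS):
    return (post_termination_logins(log_text, roster)
            + accounts_not_disabled(roster)
            + unrotated_shared_credentials(roster, creds)
            + shared_account_from_departed_source(log_text, roster, creds))


if __name__ == "__main__":
    for f in run_offboarding_checks():
        print(f"{f.kind:36} {f.user:14} {f.detail}")
```

On the constructed data the script produces four findings: jgarcia's payroll login two days after his departure, jgarcia's account still enabled, the payroll-admin credential last rotated before his departure, and the payroll-admin login from the address his failed VPN attempt came from. The rotation check is deliberately conservative; if you track which employees actually held each shared credential, restrict it to those users.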

BTI Names Jackson Lewis one of the Top Cybersecurity Firms

The BTI Law Firms Best at Cybersecurity 2017, a report issued by the BTI Consulting Group (pdf), lists Jackson Lewis as one of the country’s top law firms for cybersecurity and data privacy. The report was compiled “based solely on in-depth telephone interviews with leading legal decision makers,” representing more than 15 different industry segments in organizations with $1 billion or more in annual revenues. Our cybersecurity team is grateful for the recognition from our clients.

Cybersecurity and privacy issues are among the most challenging for virtually all of our clients. Today, organizations contend with vast amounts of data, an expanding, multi-layered regulatory environment, technology that evolves at a blistering pace, and sophisticated cybercriminals who can wreak havoc from thousands of miles away. Our Privacy, e-Communication and Data Security Group is committed to helping our clients navigate these cybersecurity challenges through a variety of services, such as:

  • workthruIT™. Our online applications provide helpful resources including a data breach readiness assessment, a data security assessment and a comprehensive survey of the country’s data breach notification laws. And, there are more cybersecurity and privacy apps coming. Learn more about workthruIT™ here.
  • Data Incident Response Team. A tidal wave of ransomware attacks, spearphishing scams and other forms of data breach have victimized thousands of organizations. Having handled more than 500 data incidents, and as part of our commitment to client service, we announced recently a 24/7 Data Incident Response Team to be available on a moment’s notice in the event of a security incident. Learn more about our Data Incident Response Team here.
  • Prevention and Compliance: Assessments, Policies and Training. Of course it is better to avoid a breach than to experience one. So, our team works with clients to assist them with conducting risk assessments, developing policies and procedures, and training their workforce. We strive to understand our clients’ industries because not only are the legal requirements likely to differ, the customary practices and expectations in each industry also differ.
  • Vendor Selection and Management. A cybersecurity program is only as strong as its weakest link and that link could be an organization’s third party service provider. We help organizations assess their vendors’ cybersecurity capabilities, as well as negotiate and draft cybersecurity agreements including business associate agreements to help our clients minimize the risks their vendors present.
  • Government Inquiries and Litigation. We represent our clients before federal and state agencies, as well as in litigation, to respond to claims, inquiries, investigations and compliance reviews involving cybersecurity and privacy.

Cybersecurity and privacy are necessary considerations for doing business today, and we are excited to partner with our clients to help them safely and efficiently maximize the opportunities that information and technology present. Artificial intelligence, internet of things, and “Big Data” present even greater opportunities ahead, with an even greater need to supply adequate time, resources and effort toward cybersecurity and privacy.

Small Healthcare Provider Pays $31,000 for Failing to Have a Business Associate Agreement With File Storage Vendor

Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000.

OCR recently announced a resolution agreement (pdf) with the Center for Children’s Digestive Health, S.C. (CCDH), a “small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.” According to the resolution agreement, OCR apparently learned of the missing BAA while investigating CCDH’s file storage vendor, FileFax, Inc., which stored CCDH’s PHI. Responsible for enforcing the privacy and security rules under HIPAA, OCR then commenced a compliance review of CCDH. It reported finding that neither CCDH nor FileFax could produce a signed BAA applicable to periods that CCDH had shared PHI with FileFax.  Without an admission of liability, CCDH agreed to resolve the matter by paying $31,000 and agreeing to comply with a comprehensive Corrective Action Plan (CAP).

The Health Information Technology for Economic and Clinical Health (HITECH) Act made a number of changes to HIPAA, including to the rules concerning “business associates.” Among those changes were updates to BAAs that the HIPAA rules require covered entities to maintain with their business associates. A covered entity’s business associates include third-party service providers, such as: claims administrators, accounting firms, law firms, consultants, cloud and other data storage providers.

The regulations make clear that even though business associates are directly subject to many of the HIPAA privacy and security requirements, BAAs remain necessary for compliance. A starting point for BAA compliance is the set of sample provisions posted by the OCR. However, there are other issues that parties to a BAA will want to address, such as: specificity concerning the safeguards that should be in place, data breach coordination and response, indemnity, cybersecurity insurance, and agency status. More information about business associates and BAAs can be accessed here.

Covered entities also should remember that the HIPAA regulations are not the only rules that require written assurances from third-party service providers concerning security of personal information. A number of state laws (e.g., California, Massachusetts, Maryland, New Mexico, New York, Oregon) require businesses to have contracts with third-party service providers to safeguard personal information. Of course, even in the absence of a federal or state law, taking steps to ensure vendors secure the confidential information they are provided, such as through a detailed data security agreement, is a prudent practice.

Six Tips to Consider in Hiring Privacy and Data Security Experts

As privacy and data security issues become increasingly pervasive, companies must decide what qualifications to look for when hiring experts in these areas, and the role of those experts within the company is becoming increasingly vital. Moreover, unlike hiring for other positions, it is common that a CEO lacks the knowledge and background to adequately assess whether such an individual has the right expertise and, later on, how he or she is performing in the position. While there is no “one size fits all” checklist, the following are some factors to consider:

  1. Certification: Various certifications are available to privacy and data security experts. In evaluating whether a privacy or data security expert candidate has the necessary and appropriate knowledge and skills for such a position, companies should consider whether the candidate has received any relevant certifications. For example, professionals in these areas may have one or more certifications through the International Association of Privacy Professionals and/or the International Information System Security Certification Consortium, Inc. ((ISC)²). While not necessarily dispositive as to whether a candidate is qualified for a position, a certification in the areas of privacy and/or data security may evidence a candidate’s interest in, experience with, and maintenance of current knowledge about issues in these areas.
  2. Technical Knowledge and Practical Experience: A candidate with strong technical knowledge may be better positioned to identify potential threats to privacy and data security and to determine how best to prevent and address any such threats. Perhaps even more compelling than a candidate’s technical knowledge is his or her demonstrated practical experience in the application of such knowledge.
  3. Legal and Regulatory Knowledge: Another factor to consider is a candidate’s familiarity with and understanding of laws and regulations applicable to privacy and data security issues. A candidate who is well-versed in these areas may be more qualified to ensure compliance with pertinent laws and regulations in both domestic and international contexts.
  4. Policy: In addition to understanding applicable laws and regulations, privacy and data security experts should be able to understand, interpret, and prepare policies to best ensure compliance with such laws and regulations. Among other things, a strong candidate should possess knowledge about whether the company is legally permitted to use employees’ or customers’ personal information; whether specific information is subject to more stringent rules based on the type of data involved; and whether personal information, if used, might lead to public relations issues or other business-related concerns.
  5. Networking: Expert candidates who engage in networking and attend conferences or similar events could be more up-to-date on relevant issues and laws in the areas of privacy and data security. Candidates who have presented at conferences or written articles about relevant issues may have a heightened commitment to their field, knowledge of pertinent subject matter, and understanding of the nuances of issues that can or may arise, as well as how to address any such issues if they do in fact occur.
  6. Independence and Analytical Skills: An expert who does not demonstrate independence and analytical skills may not be a good fit for an organization. Companies should look to an expert candidate’s ability to work independently and thoroughly analyze issues pertaining to overall privacy and data security issues and to particular incidents.

While these examples are not an exhaustive list of factors organizations should consider, they provide some important considerations for companies when interviewing and hiring privacy and data security experts.

New Mexico Enacts Data Breach Notification Act

On April 6, 2017, New Mexico Governor Susana Martinez signed HB 15, making New Mexico the 48th state to enact a data breach notification law.  The law has an effective date of June 16, 2017 and follows the same general structure of many of the breach notification laws in other states.

Importantly, the definition of personal identifying information (PII) under New Mexico’s Data Breach Notification Act includes biometric data (“a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”).  We have seen a number of states (e.g. Illinois) implement or amend their own data breach notification laws to include elements such as biometric data.

The Data Breach Notification Act includes three key components: (i) Disposal of PII; (ii) Security Measures for Storage of PII; and (iii) Notification of a Security Breach.

Disposal of PII:

Under the Act, organizations are required to arrange for the proper disposal of records containing the PII of New Mexico residents when they are no longer reasonably needed for business purposes.  Proper disposal means shredding, erasing, or otherwise modifying the PII contained in the records to be unreadable or undecipherable.

Security Measures for Storage of PII:

Organizations must implement and maintain – and contractually require their service providers and vendors to implement and maintain – reasonable security procedures and practices to protect the PII they own or license from unauthorized access, destruction, use, modification, or disclosure.  Unlike California, New Mexico has not yet provided guidance on what constitutes reasonable security procedures and practices.  Nevertheless, all organizations should be implementing safeguards to protect the personal and company information they maintain.

Notification of a Security Breach:

In the event of a breach, the Act provides:

  • Notification must be provided to each New Mexico resident within forty-five (45) calendar days following discovery of the breach.
  • If the person maintains or possesses PII of a New Mexico resident (but is not the owner or licensee) notification must be provided to the owner or licensee of the PII within forty-five (45) calendar days following discovery of the breach.
  • Notification to each New Mexico resident must include:
    • The name and contact information of the notifying person;
    • A list of the types of PII reasonably believed to have been subject to the breach;
    • The date(s), or estimated date(s), of the breach;
    • A general description of the breach;
    • The toll-free numbers and addresses of the major consumer reporting agencies;
    • Advice directing the recipient to review account statements and credit reports to detect errors; and
    • Advice informing the recipient of their rights pursuant to the federal Fair Credit Reporting Act.
  • In the event of a breach affecting more than 1000 New Mexico residents, notification must be provided to the New Mexico Attorney General and the major consumer reporting agencies within forty-five (45) calendar days following discovery of the breach.  Such notice must include a copy of the notification sent to affected residents.
  • Notification may be delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the system.
  • A risk of harm trigger.  Specifically, notification is not required if, after an appropriate investigation, the person determines the breach “does not give rise to a significant risk of identity theft or fraud.”
  • The Act does not apply to a person subject to GLBA or HIPAA.

Under the Act, the New Mexico Attorney General may bring an action for injunctive relief and an award of damages for actual costs or losses, including consequential financial losses.  If a violation of the Act is knowing or reckless, a civil penalty may be imposed of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification, up to a maximum of $150,000.

Breach notification laws continue to evolve and it is imperative for organizations to be prepared to respond appropriately.  If you need assistance with a data incident or data breach, please contact our 24/7 Data Incident Response Team at 844-544-5296 or breach@jacksonlewis.com.

A New Frontier In Law Firm Cyber Risk: Client Class Actions

That an actual breach of client information could expose your law firm to legal and business risks is unsurprising.  The risks posed by a potential breach, however, may be something your firm has not yet carefully considered – but needs to.  As we discussed during our recent webinar, law firms face a variety of cybersecurity-related risks.  Firms have been targeted by cybercriminals with increased frequency in the past few years, and clients are growing concerned.  In at least one instance – and likely more to follow – this concern has resulted in litigation between firm and client over the adequacy of the firm’s cybersecurity safeguards.

In April 2016, clients of a Chicago-based firm, Johnson & Bell, filed a class action lawsuit alleging that the firm failed to adequately safeguard their information.  The case, which was subsequently moved to arbitration, is now back in the news.  On March 28, 2017, Johnson & Bell sued Edelson PC, the firm representing the client class, for defamation.  In its complaint, Johnson & Bell alleges that “[t]he Edelson defendants have engaged in numerous violations of their ethical duties, have illegally abused the process of the courts to further their own self-aggrandizement, and have engaged in a self-serving publicity tour spreading their lies and defamatory statements about J&B.”  Perhaps ominously, Edelson has announced that the Johnson & Bell case is just its opening salvo; it plans to assert similar claims on behalf of clients of 15 other firms.


The Johnson & Bell Complaint, which was made public last December, is notable for a number of reasons.

  • First, it homes in on several of the potential vulnerabilities firm systems may be subject to, such as the high incidence of employees working remotely, or the fact that less well-protected systems, like those for timekeeping or email, can serve as gateways to systems holding more sensitive data.
  • Second, the Complaint identifies categories of sensitive data that many firms are likely to maintain, such as financial records, trade secrets, sensitive communications, and personal information.
  • Third, it contends that there’s an “industry standard” level of data security that any firm charging and collecting market-rate attorneys’ fees must provide. This is significant because there are indications that the “industry standard” (or “reasonable”) level of protection that the law imposes on businesses is likely to become more expansive and onerous in coming years.
  • And fourth, in addition to seeking damages and attorneys’ fees, the Johnson & Bell Plaintiffs are seeking to compel a security audit by an outside auditor. This audit would, among other things, reveal whether the firm has conducted a thorough risk assessment, and whether it has developed a sufficiently robust data security plan that includes written policies and procedures, employee training, and vendor management processes.

The prospect of client lawsuits provides a compelling reason to take prompt and committed action on the cybersecurity front – even if your firm has not yet experienced a breach. For guidance on how firms can prevent and respond to cybersecurity incidents, please check out our past post on this topic, and please tune in for our upcoming webinar on April 19.

Association of Corporate Counsel Develops Model Information Protection and Security Controls for Outside Vendors, Including Outside Counsel

The Association of Corporate Counsel (ACC), which represents over 42,000 in-house counsel across 85 countries, recently released its ACC Chief Legal Officers (CLO) 2017 Survey which found that two-thirds of in-house legal leaders ranked data protection and information privacy as ‘very’ or ‘extremely’ important.  In response to this growing concern, the ACC recently released “first-of-its-kind” safety guidelines to help “in-house counsel as they set expectations with their outside vendors, including outside counsel.” Firms concerned about facing these guidelines should review their cybersecurity risk management policies, procedures and practices [webinar].

The Controls

The Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information (“the Controls”) were developed in a joint effort between in-house counsel members of the ACC together with several law firms specialized in data security related issues. This joint effort signifies the importance of cohesion between in-house and outside counsel when handling sensitive corporate data.  “We are increasingly hearing from ACC members, at companies of all sizes, that cybersecurity is one of their chief concerns, and there is heightened risk involved when sharing sensitive data with your outside counsel,” said Amar Sarwal, ACC vice president and chief legal strategist.

The Controls address a broad range of data security related measures including: data breach reporting, data handling and encryption, physical security, employee background screening, information retention/return/destruction, and cyber liability insurance. Particular measures may be too burdensome under the circumstances, while the Controls as a whole may not be sufficient to satisfy applicable legal requirements such as the HIPAA privacy and security rules for business associates. Still, the Controls include a number of measures firms will have to consider carefully. For example, the Controls suggest that outside counsel be required to maintain

logical access controls designed to manage access to Company Confidential information and system functionality on a least privilege and need-to-know basis, including through the use of defined authority levels and job functions, unique IDs and passwords, [and] two-factor or stronger authentication for its employee remote access systems.

The Controls also would require outside counsel to be responsible for its subcontractors with access to confidential information, including by requiring those subcontractors to abide by the Controls. As for data breach notification, the Controls recommend a short time frame – under the Controls, outside counsel would be required to notify a client within 24 hours of discovering an actual or suspected incident.

It is the hope of the ACC that the Controls will serve as a “best practice”, standardizing the protocols companies implement when interacting with third-party vendors who may have access to sensitive corporate data, and ensuring that adequate protections are in place to prevent and respond to a data breach. Law firms should not be surprised to see these Controls, in one form or another, included in litigation and other guidelines mandated by their corporate clients.

Virginia Responds to W-2 Phishing Scams with First of Its Kind Notification Requirement

As previously highlighted, in early February, the IRS issued a warning to all employers regarding the resurgence of a W-2 based cyber scam. Since the IRS warning, this type of scam has taken numerous victims.  On February 15, 2017, Virginia Wesleyan College released a notice stating that the 2016 W-2 tax form information of its employees had been sent that day to an unauthorized third party as a result of an email scam.  The information was sent by an employee who believed a spear-phishing email was a legitimate request for W-2 forms.

In light of the IRS warning, together with the Virginia Wesleyan College phishing scam, on March 13, 2017, Virginia Governor Terry McAuliffe approved a first-of-its-kind amendment to Virginia’s data breach notification statute. The new amendment requires employers and payroll service providers to notify the Virginia Office of the Attorney General of “unauthorized access and acquisition of unencrypted computerized data containing a taxpayer identification number in combination with the income tax withheld for an individual”.  Notably, notice is required even if the breach does not otherwise trigger the statute’s requirement to notify affected residents of a breach.

Notice to the Office of the Attorney General of a breach of computerized employee payroll data must include the affected employer or payroll service provider’s name, and federal employer identification number. Following receipt of notice, the Office of the Attorney General is then required to notify Virginia’s Department of Taxation of the breach.

This amendment to the Virginia statute becomes effective July 1, 2017, and in light of the growing concern about W-2 phishing scams it would not be surprising if other states follow suit. Employers should advise their staff to exercise caution when responding to requests for W-2 forms and to confirm verbally, through a known phone number rather than by replying to the email, that the request is valid.
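The verbal confirmation above is the control that matters, because the scam works by making the request look like it came from an executive. As an added example (not code from the original post, the IRS, or Virginia Wesleyan College), the script below scores an inbound message for the hallmarks of a W-2 request scam: W-2 language plus a request to send data, a sender address outside the company domain, a display name that matches an executive but an address that does not, a Reply-To that diverts replies elsewhere, and urgency language. The company domain, executive roster and all three messages are constructed for illustration; a mail gateway would apply the same checks to real headers.

```python
"""Added example: flag e-mails with the hallmarks of a W-2 request scam.

Assumptions (not from the original post): COMPANY_DOMAIN, the EXECUTIVES
roster and the sample messages are all constructed for illustration.
"""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                    # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed display name -> real address
W2_TERMS = ("w-2", "w2", "wage and tax statement")
ASK_TERMS = ("send", "forward", "attach", "pdf", "copies")
URGENCY_TERMS = ("urgent", "asap", "immediately", "right away")
SUSPICIOUS_AT = 3   # findings needed before a message is held for verbal verification


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_w2_request(raw_message: str):
    """Return (score, reasons). Messages that never mention W-2 data score 0."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""  # text/plain only here
    text = f"{msg.get('Subject', '')} {body}".lower()

    if not any(t in text for t in W2_TERMS):
        return 0, []
    reasons = []
    if any(t in text for t in ASK_TERMS):
        reasons.append("asks to send W-2 data")
    if domain_of(from_addr) != COMPANY_DOMAIN:
        reasons.append(f"sender domain '{domain_of(from_addr)}' is external")
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and real != from_addr.lower():
        reasons.append("display name matches an executive but address does not")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append("Reply-To diverts replies to a different address")
    if any(t in text for t in URGENCY_TERMS):
        reasons.append("urgency language")
    return len(reasons), reasons


def is_suspicious(raw_message: str) -> bool:
    score, _ = score_w2_request(raw_message)
    return score >= SUSPICIOUS_AT


# Constructed messages. SCAM uses a look-alike domain (digit 1 for letter l)
# and a Reply-To that sends the W-2 data to a third address.
SCAM = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <ceo.jane@mail.example.net>
To: payroll@example.com
Subject: URGENT: W-2 copies needed

Kindly send me the 2016 W-2 copies for all employees as PDF today.
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: W-2 question

Did the W-2 mailing go out on time this year?
"""

UNRELATED = """\
From: "Vendor Billing" <billing@vendor.example.org>
To: payroll@example.com
Subject: Invoice 4471

Please find invoice 4471 attached.
"""

if __name__ == "__main__":
    for label, raw in (("SCAM", SCAM), ("LEGIT", LEGIT), ("UNRELATED", UNRELATED)):
        score, reasons = score_w2_request(raw)
        print(f"{label}: score={score} suspicious={is_suspicious(raw)} {reasons}")
```

The look-alike domain is caught by the domain check rather than by a spelling heuristic, and the executive check fires on the display name alone, which is what a recipient sees in most mail clients. A message that scores at or above the threshold should be held and the request confirmed by phone; a score of 1 or 2 on a legitimate internal question is the expected false-positive floor for string matching and is why the threshold is not 1.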
