Law Firms Urged To Move Past Standard Data Breach Scripts

By Ben Kochman

Law360 (May 22, 2020, 9:04 PM EDT) -- The increased cybercrime threat during the COVID-19 pandemic has put added pressure on law firms — potential treasure troves of sensitive information — to be more upfront with clients about data security problems.

But cybersecurity discussions between attorneys and their clients often devolve into a chaotic mess, a coalition of industry lawyers, regulators and jurists says in a new report aiming to set realistic standards on the issue.

Among the takeaways in the report, released by the Sedona Conference, a nonprofit research and educational institute, is that law firms should tell clients if their sensitive data has been exposed even if it's unclear whether state or federal law requires them to.

"Firms that withhold early notification run the significant risk of alienating relationships, even if the strict letter of the law did not require disclosure," the report concludes.

Existing data breach notification laws in the U.S. largely deal with "personal data," a legal term that mostly applies to information like Social Security numbers that can be tied back to specific individuals. But such laws may not apply to trade secrets or other vital data likely to be damaging to companies if it is exposed, the Sedona coalition says.

The report's authors say they hoped to create a road map of what organizations and their law firms should expect from cybersecurity communications, based on input from a wide range of stakeholders, including in-house lawyers, outside defense counsel, and attorneys from both tiny firms and BigLaw giants.

"The biggest issue is figuring out how we can all speak the same language," said David Moncure, a vice president and associate general counsel at health care company DaVita Inc. and the report's co-editor-in-chief.

The report, which is open to formal public comment until June 8, was in the works long before the pandemic hit. But the issues it addresses are as relevant as ever, given a spike in cyberattacks that experts have attributed to the rise of remote work, potentially panicked employees and stretched-thin IT staffs.

Based on interviews with the report's editors, here are four tips on how best to navigate the thorny cybersecurity conversations that keep companies and their lawyers up at night.

Consider Worst Case Scenarios Early

Organizations and their law firms should have written protocols already in place for dealing with data security incidents, so they aren't sent scrambling in the event of a cybersecurity issue.

"This is absolutely something that should be discussed at the beginning of the engagement," said Sheryl Falk, co-leader of the global privacy and data security task force at Winston & Strawn LLP.

"Firms and clients need to have a conversation early about their expectations, and there ought to be an agreement that if a client's data is impacted then the client would be notified within a certain time frame," Falk said.

Creating a data breach response plan often takes considerable time and resources, which can put smaller law firms at a disadvantage. But even solo practitioners should be expected to have a plan for how they would respond to a suspected cyberattack, the report says.

"Not every firm needs to be an expert in cybersecurity," Falk said. "But if you're not an expert, you should at least know who to call."

Go Beyond Mandates in Breach Notification Laws

The Sedona report advises that "organizations are increasingly likely to demand that law firms go beyond any state or federal laws mandating disclosure of data breaches," and to ask firms to simply let them know if data that they are likely to consider sensitive has been stolen or exposed.

Law firms that only disclose data security events that they believe qualify as data breaches as U.S. law defines them run the risk of jeopardizing relationships with clients who later discover that their data was exposed, the report says. Clients "will want to learn early of any issues that might impact their data or interests," it says.

"When there is evidence of an exfiltration of data, or of some sort of unauthorized access outside of the people normally allowed to be in the four corners of your systems, it would probably be beneficial to tell your clients about that," Moncure told Law360.

These risks are not hypothetical. In April, for example, Hiscox Insurance Co. Inc. sued Kansas City personal injury law firm Warden Grier LLP, which Hiscox had hired to represent policyholders for more than 15 years, claiming that the firm breached its contractual, legal and ethical duties by quietly paying a ransom to a hacking gang that had infiltrated its systems without alerting Hiscox or any of the affected clients.

Give More Detail, but Not Too Much, on Past Episodes

It's natural for a client in 2020 to want to know about a law firm's history of data security issues, particularly given the degree to which the legal industry has found itself vulnerable to cyberattacks in recent years.

But law firms that disclose every data security "incident" run the risk of giving clients a false impression that their network is riddled with security flaws, the report says.

"The organization may conflate mere incidents with confirmed breaches or may struggle to identify and evaluate true causes of concern due to the sheer quantity of incidents," it says.

Law firms may also risk exposing key information about their own data security if they disclose too many details about past events, said Guillermo Christensen, a partner in the data security and privacy group at Ice Miller LLP.

"There is a lot of information that you can provide that falls far short of that," Christensen told Law360.

"We can summarize measures we've taken to mitigate issues we've discovered, but they aren't getting the whole pen test," Christensen added, referring to a penetration test, in which outside consultants are asked to test a network for security flaws.

Tailor Expectations for Small and Big Law Firms

Small law firms with big clients sometimes receive cybersecurity demands that don't make the same level of sense for them as they do at bigger law firms, said Neil Riemann, co-founder of Penry Riemann PLLC, a two-attorney practice in Raleigh, North Carolina, and the report's other editor-in-chief.

It may not be a good idea to ask a firm like Riemann's to prepare cybersecurity protocol materials containing as much detail as such documents requested from a BigLaw giant, the Sedona report says.

"Just like a big firm would benefit from having a dialogue rather than an arbitrary questionnaire sent to them, a small firm would benefit as well," Riemann told Law360.

Requiring a detailed office security plan, for example, might make more sense at a multinational law firm, the report says, than it does at Riemann's 1,000-square-foot law office, whose only full-time employees are the two attorneys and one assistant.

--Editing by Brian Baresch and Emily Kokoll.
