Do Law Firms have Data Security Liability?

July 19th, 2013

As of 2010, 91% of all law firms have 10 or fewer employees; 99.6% have less than 100 employees1.  The smaller the firm, the less likely they are to have a strong IT department and are much more likely to be focused on case load rather than on current changes in the compliance landscape that are now impacting them.  Indeed, one of the largest segments of new law firms are small practices run by folks that have left larger firms … and such folks arguably have less time to spend on such considerations with the amount of legal work per lawyer in the United States becoming increasingly less.

Email and messaging — more and more information is sent digitally.  For the legal profession, this is also increasingly true due to the time saving nature of such communications, the high time cost associated with legal work, and the ever-present push to get things done faster.

Times have changed

They really have.  HIPAA has introduced the Omnibus rule which forces all vendors of medical industry companies to treat any medically sensitive information with extreme care, preserving the privacy requirements of HIPAA.  Law firms are now directly liable for HIPAA with respect to client data.

Similarly, law firms are subject to other data privacy and security regulations from local and state laws and broader laws and standards such as Payment Card Industry (PCI) standards regarding credit card payment data, Social Security Number protection laws, etc.

What does this mean?

This means that firms must be very careful with how they treat personal, corporate, and health care related sensitive information.  E.g.

  1. Access Controls: Ensuring that only appropriate parties can access the data
  2. Encryption: Ensuring that transmitted data cannot be eavesdropped upon and  data stored in insecure locations is protected
  3. Email: Sensitive data sent to and received from clients is protected
  4. Backups: Secured archives kept to protect copies of data in case of loss, theft, disaster, or other issues

Indeed, these same things apply to text and video messaging (e.g. Skype), collection of data from web sites, client-access to data in members’ web sites, internal systems for data storage and retrieval, etc.

It is critical that every law firm have policies, processes, and technology to proactively handle all sensitive data and that all staff are trained to use these properly.  This limits liability, improves integrity, and reassures clients that you are serious about confidentiality.

What do do?

What not to do is implement a bunch of knee-jerk policies.  We have seen that many places have implemented policies that are for better security, which actually both worsen security and drain more time from staff days.  For example:

  1. Restricting staff from accessing personal email on company computers. Resulting in staff just using smartphones for this … and spending more time at it due to the inefficiency of such devices.   A better solution would be to better harden the corporate systems that are being used anyway.
  2. No Internet — send it all over postal mail.  It turns out that “snail mail” is less secure than secure email.  Its counter intuitive in this age were we hear about all of the electronic threats, but old school snail mail is still being intercepted in the US Postal Service and the mail “metadata” (all the “to” and “from” and such) are all being saved and recorded for analysis.
  3. Having good passwords — and writing them down.  People get that password strength is important and they need to change them, but they are still writing them down on post-it notes and in little “password books” sitting on their desks.  This is bad news and there are much better ways to handle your password libraries or memorize your passwords.

So … that is what not to do.  What to do includes:

  1. Training: Having at least one person on staff who is familiar with and keeps abreast with IT security and the compliance needs of your organization. You can’t just “buy stuff” without knowledge of what is required for you in particular … that would be considered negligence if it turns out that you bought the “wrong stuff” or never bother to set it up in a proper manner.
  2. Secure Email: Subscribe to a Secure Email service that allows you to send encrypted email messages … the more the policies can fit your business requirements, the more accurate they will be and the less painful they will be:
    1. On demand – check a box when sending any message that contains sensitive data
    2. By rule – setup rules to match certain words, phrases, and patterns (like social security numbers) and have such messages automatically encrypted.
    3. By force – if some staff send mostly sensitive email, can you have it so all their email is encrypted by default?  Maybe they can just “opt out” as needed.
    4. To anyone – the ability to send a secure email to anyone, no matter what their email address
    5. From anyone – the ability for your clients to send you secure email messages quickly and easily, no matter what system they normally use
  3. Secure Web: Audit your web sites and see where sensitive data resides. Start with the same procedures that would make your web site HIPAA compliant to thoroughly protect your sensitive data.
  4. Backups: Ensure that you have secure off-site electronic archives for all email (inbound and outbound), client data, and other communications.

Is HIPAA Compliance enough?

We see many law firms coming to us and signing up for HIPAA compliant accounts, even if they do not deal directly with the health care community.  Why?  Because HIPAA has gone through a number of iterations recently so that the security and privacy requirements are now quite robust.  Getting their email and web sites HIPAA compliant goes a very long way in ensuring the privacy and confidentiality of client data.  In fact, for many, the HIPAA requirements are stronger than the “minimum” they would need to do … and that is good – you don’t want to do just the minimum as the minimum keeps changing, for a reason.

In some cases, HIPAA compliance may not be enough to satisfy your complete compliance needs.  For example, if you are holding on to credit card payment information of a customer (or a library of such information for all of a client’s customers), then you must/should abide by the PCI security standards, which are significantly stricter than those of HIPAA.

In these cases, it is generally best to segregate the more sensitive data from the rest of your communications and data storage and treat that data as special with the security requirements it is due.  Segregation like this helps isolate the especially sensitive data (enhancing security) and allows your staff to continue to use a less secure, less expensive, and generally more usable technology system for more day-to-day communications and data access/storage.

What are your next steps?

If your firm has not thought about these issues recently (e.g. in the last year), then:

  1. Designate someone who will be in charge of information security and compliance.
  2. Research and determine what your exact compliance requirements are, based on they type of work that you do, who your clients are, who you want your clients. to be, and the kinds of information communicated and stored.
  3. Review your current IT infrastructure, outsourced services, and policies regarding information storage, access, and communication.
  4. Make a risk analysis to see what things are out of compliance and what risks there are for data breach.
  5. Revise your infrastructure and policies and subscribe to new services that will help ensure that you meet all of your compliance requirements.
  6. Repeat yearly.