Ping Service
Feedback Forms

Cyber, Privacy and Technology Best Practices and Reputational Harm: Why Legal Professionals Need a Lawyer’s Advice, Counsel and Privileges

BabyB_LPlate_improvedIntroduction

Lawyers, like other professionals, often have access to their clients’ personal and financial details. At the same time, they may possess comparable information about their clients’ clients (such as when a lawyer represents a healthcare company). As a result, lawyers are at risk for being sued if and when something happens to that information – such as when a laptop or cell phone is misplaced or stolen or a hacker breaches a law firm or client’s systems and accesses the client’s personally identifiable, health care, and/or confidential information.
The most prudent way to avoid such lawsuits and minimize their impact is to create and implement cyber, privacy and technology (“CPT”) best practices before something goes wrong. In most cases, this would include best practices training and education as well as the purchase of dedicated CPT-specific insurance. This article discusses why lawyers are at risk, how to create and implement best practices, and the advantages of CBT insurance coverage rather than (mistakenly) relying on professional errors and omissions and/or general liability coverage in the event of a CPT incident.

Executive Summary

An attorney’s reputation is his and her lifeblood. Indeed, reputation translates to the bottom line. For better or worse.
And, of course, reputation is, in large part, predicated on the quality, timeliness and cost-effectiveness of the services being provided. So too, it is incumbent that an attorney avoid negative commentary (or embarrassing revelations) through the pervasive and ubiquitous medium of social media. As a corollary, attorneys, like others, must be sensitive to the loss of customer goodwill, whether measured by turnover, client retention or other intangible assets.

Regardless of whether your clients are the Fortune 500, middle-market companies or small entrepreneurs, an attorneys’ clients – and by extension, the attorney himself and herself (to the extent the attorney holds personal, health or commercial information) – are at risk of losing personally identifiable information (“PII”), personal health information (“PHI”) and/or confidential commercial information (“CCI”). It doesn’t matter whether the harm is attributable to malicious activity or simple employee or third-party negligence. It’s the effect that is the focus, not necessarily the cause (although that too factors into the analysis).

In many cases, the effect of a cyber incident could be devastating, if not fatal, to an attorney’s reputation. And, by extension, his or her practice’s economic viability.
It is almost axiomatic to say that “best practices” are among the most important strategies employed by attorneys and other professionals. Just as we counsel clients to use best practices with respect to their operations, so too, we, as professionals, should be well-trained on the scope and extent of best practices in the subject matter presented, including, in particular, CPT risks and exposures, which, to no surprise, are palpable and potentially devastating.

In the CPT context, among others, best practices counseling should be provided by an attorney. Unlike non-lawyers, attorneys bring with them the attorney-client privilege and work product protection. Although vendors and IT specialists can promote themselves as having the appropriate knowledge and training to teach and implement best practices, they do possess the critical protections afforded by the attorney-client relationship. In a relatively new space like CPT, where the law is uncertain and developing, the privileges become even more important, as many attorneys are just at the start of the learning curve.

To continue reading, please contact me at rbortnick@cpmy.com. A complete copy will be emailed upon request. Cheers. Rick

PDF Converter    Send article as PDF   

Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce

Introduction: Insurance Products for Cyber Risks

Media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.

Read the rest of this entry »

The Insurance Industry: In Regulators’ Sights

If you’re an insurance company, it may be time to open your cyber-related checkbooks if you haven’t done so already. New York Governor Andrew Cuomo’s Department of Financial Services (“NYSDF”) soon may be watching you. They’re already asking questions as if certain insurers were “persons of interest,” just as it did earlier this year with certain of the larger banks.

On May 28, the NYSDF sent what are referred to as “308 letters” to 31 regulated health, life and general liability insurance companies (seemingly those with the highest premium revenue). The NYSDF’s letters request information on (1) the insurers’ existing IT-related management policies and procedures with respect to the prevention of cyber attacks, (2) actual cyber attacks occurring within the past three years, (3) the quantum of funds and resources dedicated to cybersecurity, and (4) how they safeguard customers’ and business entities’ health and personally identifiable information (the letters specifically identify financial information as a subject category).

Read the rest of this entry »

The Posts have Come Back… To Cyberinquirer


Since last we visited, your humble Publisher has moved on to the Law Offices of Richard J. Bortnick, where I am Managing Director (very European, if I do say so myself). A number of dedicated readers and friends (you know who you are) have asked what had become of me and why my old email address was no longer effective.

The answer my friend (apologies to Peter, Paul and Mary) is the Law Offices of Richard J. Bortnick. At the risk of having this viewed as attorney advertising, I will stop there other than to say I also will be signing as a free agent with a Consulting Firm to be named later (but not much later).

So, please feel free to contact me if you want to catch up, engage in intellectual banter (with the exception of Philadelphia sports, where the banter will all be negative) or have some worthwhile humor you’d like to pass along (although it can’t be as good as the material I get from my good friend Jeff). My new email address is rjbortnick@comcast.net (at least for the short term… stay tuned on that too).

Its good to be back. And thanks for all of your kind wishes.

Rick

Fax Online    Send article as PDF   

Power to the People: Social Media Technologies Mediating Corporate Social Governance

The measure of effectiveness of a CEO and its executive board has always been the degree to which the business is achieving its purpose. Whether in Canada, the U.S., Europe or Asia, an executive board’s purpose should be to increase shareholder value, a purpose that is best accomplished by serving the needs of various stakeholders. Somewhere in the pyramid of stakeholders is the consumer or client, whose likes, favorites, and preferences must be met with quality personalized products and services that deliver high competitive value. In an interconnected global knowledge economy, this has meant listening to what consumers are saying online through social media platforms like Facebook and Twitter, and engaging in two-way conversations to respond in real-time to consumer demands.

Read the rest of this entry »

The Queen v. Cole: Privacy Protection for Employer-Issued Equipment in Canada

The recent decision The Queen v. Cole by the Supreme Court of Canada touches upon interesting issues regarding information privacy in the digital age.

The facts are simple. An information technologist working at the same high school as Mr. Cole, a teacher, remotely accessed Cole’s history of internet access and one of his drives and found a hidden file which contained nude photographs of a student. The photographs and internet file were copied onto a disc and given to the police, which determined that a search warrant was unnecessary. Cole was subsequently charged with possession of child pornography and fraudulently obtaining data from another computer hard drive. The trial judge excluded the computer material under Sections 8 and 24(2) of the Charter. In overturning the decision, the summary conviction appeal court found no breach of Section 8. This decision was set aside by the Ontario Court of Appeal, which concluded that the evidence of the disc containing the temporary internet files and the laptop computer and its mirror image was excluded. A 6-1 majority ruling by the Supreme Court concluded that the police infringed upon Cole’s rights but upheld the Court of Appeals’ finding that the evidence should not have been excluded from trial.

Read the rest of this entry »

State Privacy Laws Evolve While Congress Campaigns

New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.

Connecticut

At long last, the proposed legislation requiring a data breach to be reported has become law in Connecticut. Section 369-701b was unable to move its way through the 2012 General Session of the Connecticut Legislature, but it was recently passed as part of the Connecticut General Assembly’s Special Session as an attachment of the Budget Bill.

Read the rest of this entry »

Human Error: The Greatest Risk and Root Cause of Data Security

Whether discussing data encryption, network security, or internal data privacy management practices and policies, the most sophisticated IT security protocols, the most learned team of specialists, and the most compliant of data management practices and policies cannot escape, prevent, or remedy what many businesses and organizations have rightly labeled as the root cause of data security failures: human error. While they tend to possess greater network security than smaller organizations, the risk of human error should be of particular a concern to medium and large size organizations whose internal controls over data and employees are inevitably diluted by their size and numbers.

Read the rest of this entry »

Insurers: Assert Your Subrogation Rights

The following column was first published in the second issue of Advisen’s Cyber Liability Journal (here). I will republish my future columns in coming months. In the meantime, you can subscribe to the Journal at http://corner.advisen.com/journals.html (here).

Rick

It is axiomatic to say that insurance products evolve. Indeed, like virtually every organic structure, its development, growth and nimbleness are necessary to meet the progress of maturing, service-based economies. Hence, the advent of cyber/tech/privacy liability (CTP) insurance.

At present, there are over 25 markets selling some type of CTP coverage. Many insurers sell standalone products. Others bolt on new coverage parts to their existing products. Still others add endorsements that attempt to extend coverage to address an existing client’s business model.

Read the rest of this entry »

WARNING: HHS Now Combating HIPAA Violations With HITECH Weaponry

On March 13, 2012 – almost 30 months after becoming one of the first entities to self-report a breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act – BlueCross BlueShield of Tennessee (BCBST) agreed to pay the Department of Health and Human Services (HHS) a record setting $1.5 million civil monetary penalty (CMP) for failing to safeguard protected health information (PHI).


The HITECH Act and HIPAA Enforcement

HHS adopted the interim final rule for HITECH’s breach notification requirement only a few weeks before the BCBST breach. The final rule requires covered entities to notify HHS following a breach of unsecured PHI. If a breach affects 500 or more individuals, the covered entity must report the breach electronically “without reasonable delay and in no case later than 60 days from discovery of the breach.”

Read the rest of this entry »

Access to Insured’s Social Media Accounts: No Friend Request Necessary

The following article, written by my colleague Nicole Moody, first appeared in the Chicago Daily Law Bulletin. Thanks to Nicole for allowing us to republish it here.

Rick Bortnick

Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued to see that we have a friend request. Who could it be? An acquaintance from the past? A new colleague who we met at work? Whoever it is, we know that by accepting the request we will be granted access into this individual’s life and will know more about them in five minutes than we would know in a lifetime of small talk.

Due to the use of usernames and passwords, there is a belief that information shared on Facebook is confidential unless publicly shared. However, courts around the country are now addressing just how private this information really is.

In cases nationwide, litigants are asking courts to grant unfettered access to other parties’ Facebook or other social media accounts. Inevitably, in the age of status updates and hashtags, poking and friending, the lines between public and private information have become blurred. This trend has become increasingly prevalent in the insurance industry as insurance companies have realized the usefulness of social media in litigation.

Read the rest of this entry »