One of the major challenges for lawyers in the digital age is keeping case data out of the wrong hands. It is a staple of law practice and has been so since the dawn of the profession. Even before anyone ever heard of cybersecurity, Model Rule 1.6 of the Rules of Professional Conduct required that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
I wrote about this problem recently when discussing a data breach that affected a law firm’s famous clients and their sensitive information. The problem of how to avoid a data breach when YOUR data isn’t really YOURS is an important one. Failing to get it right can mean malpractice, loss of clients, and possible disciplinary action.
Yet, there is another issue that gets far less attention:
What about my adversary’s private information?
For example, it’s quite common to request social security numbers from an adversary in personal injury matters. There are good reasons for this, mostly having to do with verifying an individual’s identity, authenticating medical records, and complying with various federal reporting requirements when settling personal injury matters. However, through the lens of the NY SHIELD Act, this gets to be a tricky issue.
Under the SHIELD Act, a person’s name and social security number, when kept together, is considered to be “private information.” This definition is important because the Act goes on to require that:
“Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”
So, taking a step back, this means that any law firm (law firms are businesses) that owns computerized data (on your phone, laptop, cloud, etc.) which includes private information (e.g., a Word document with someone’s name and social security number on it) shall “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information…”
So, what are “reasonable” safeguards? Ah, the million-dollar question (perhaps literally).
Here, the SHIELD Act defines what it considers reasonable, but creates a caveat that “small businesses” need only to maintain “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”
For all others (those with at least: 50 employees, $3 million in annual revenue AND $5 million in assets), reasonable administrative safeguards are met by:
- Designating one or more employees to coordinate the security program
- Identifying reasonably foreseeable internal and external risks
- Assessing the sufficiency of safeguards in place to control the identified risk
- Training and managing employees in the security program practices and procedures
- Verifying that the selection of service providers can maintain appropriate safeguards and requiring those safeguards by contract
- Adjusting the security program in light of business changes or new circumstances
Reasonable technical safeguards are met by:
- Assessing risks in network and software design
- Assessing risks in information processing, transmission, and storage
- Detecting, preventing, and responding to attacks or system failures
- Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
And reasonable physical safeguards are met by:
- Assessing risks of information storage and disposal
- Detecting, preventing, and responding to intrusions
- Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
- Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
In other words, mid-sized businesses and up must implement a bona fide data security program.
Small businesses are left to determine for themselves what is “reasonable” (until we see some caselaw on the subject). However, we can be certain that doing nothing is not going to cut it. Further, reasonableness for a small business is going to be some subset of the enumerated safeguards mentioned above and will adjust depending on the context.
Herein lies one of the problems. There are few professions with more sensitive data than a law firm. So, what can we do about it?
There are a number of simple steps that go a long way towards being reasonable here, especially when it comes to social security numbers. Here are a few ideas, as a starting point:
- Don’t collect the sensitive information until you actually need it.
- Dispose of the sensitive information quickly when you no longer need it.
- Do not store the sensitive information anywhere that is not both encrypted and protected with multi-factor authentication (i.e., don’t keep it on your hard drive if your hard drive isn’t appropriately protected).
- Do not email the sensitive information in an attachment.
- Practice “least privilege” by not allowing all users to access sensitive information.
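As an added illustration of the first two tips (collect late, dispose quickly), and not code from the original post: a small Python scan that finds SSN-shaped values in a folder of matter files, flags files past a hypothetical 365-day retention window as disposal candidates, and redacts a copy before it leaves the firm. The folder, file names and SSN values are constructed sample data, and the plain-text file format is an assumption.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Nine-digit SSN format; the lookaheads exclude area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssns(text):
    """Return every SSN-shaped value found in the text."""
    return SSN_RE.findall(text)


def redact_ssns(text):
    """Mask all but the last four digits, for a copy that must leave the firm."""
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group(0)[-4:], text)


def scan_directory(root, max_age_days, now=None):
    """For each .txt file under root holding an SSN, report the hit count and
    whether the file is older than the retention window (disposal candidate)."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(root.rglob("*.txt")):
        hits = find_ssns(path.read_text(errors="ignore"))
        if hits:
            age_days = (now - path.stat().st_mtime) / 86400
            findings.append({"file": path.name, "ssn_count": len(hits),
                             "over_retention": age_days > max_age_days})
    return findings


def demo():
    """Run the scan over a constructed matter folder (hypothetical sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        stale = root / "smith_v_jones_intake.txt"
        stale.write_text("Claimant: Jane Doe  SSN: 123-45-6789  DOB: 01/02/1970\n")
        old = time.time() - 400 * 86400  # last modified about 13 months ago
        os.utime(stale, (old, old))
        (root / "open_matter_notes.txt").write_text(
            "Plaintiff John Roe, SSN 456-78-9012; 000-12-3456 is not a valid SSN.\n")
        (root / "memo.txt").write_text("Nothing sensitive here; phone 555-0100.\n")
        return scan_directory(root, max_age_days=365)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Files flagged with `over_retention` are the ones the disposal step should erase; `redact_ssns` is for the copy that goes into a filing or e-mail rather than the full number.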
Look, will these things, alone, constitute “reasonable safeguards” for a small business under NY SHIELD? I don’t know. No one does, yet. But, I can promise you that it is an excellent start while you are working on implementing your data security program.