From one lawyer to others: cyber, privacy and technology best practices (Part II)

By Richard Bortnick on May 30, 2014

This is the second of a three-part series by Richard Bortnick, senior counsel at Traub Lieberman Straus & Shrewsberry, who litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

Read the first part here.

The Impact of the 2011 SEC CPT Disclosure Guidance on Attorneys


In October 2011 the Division of Corporation Finance of the Securities and Exchange Commission issued CF Disclosure Guidance: Topic No. 2 addressing cybersecurity (“SEC Guidance”). The SEC Guidance presented, for the first time, disclosure recommendations for public companies relating to their cyber-security risks and exposures. A description of “relevant insurance coverage” is specifically identified as a recommended fact to be disclosed.

“Given the increased prevalence and effectiveness of cyber attacks and breaches, and in light of the Disclosure Guidance, it would be difficult to justify why proper protective measures – including sufficient cyber insurance – were not put in place, and why the risks were not disclosed to the investing public.” Those who ignore the Disclosure Guidance do so at the risk of an action by the SEC or by shareholders if a cyber incident occurs. Moreover, “although the Disclosure Guidance is only directed at public companies under the SEC’s jurisdiction, it can be expected to have far-reaching implications for non-public companies and even individuals doing business with public companies.”

A prudent public company subject to SEC reporting requirements will require its business partners, suppliers, vendors and others (e.g., professionals) to provide it with parallel disclosures in order to avoid direct (or even vicarious) liability to those with whom it is in privity. As such, professionals might find themselves required to perform the analyses and assessments suggested by the Disclosure Guidance, albeit indirectly, simply to maintain their competitive footing in the market.

To illustrate, if you sought to represent a public company impacted by the SEC Guidance, wouldn’t it be logical to assume that the public company will require you and its other vendors and service providers to describe the existing cybersecurity protections, procedures and best practices, regardless of whether the SEC Guidance applies to them? Wouldn’t you specifically counsel them to do so as part of their best practices?

As a private company (or professional) submitting a business proposal to a prospective client who asks for such information, would you refuse? Of course not. The only practical solution is to evaluate your own cyber risks and exposures – and be in a position to address them, including by way of insurance.

It does not stop there. We have heard of several instances where lenders, investment bankers and others have required privately-held entities to disclose their CPT-related risks and exposures in conjunction with a debt or equity offering.

Why Best Practices?

Whether we acknowledge it or not, a breach (or negligent loss of information) is more than possible: as observed by FBI Director Mueller, it is virtually inevitable. Such an incident leads to the loss of personally identifiable information, personal health information and/or confidential commercial information. And, in many instances, to the follow-on lawsuit.

Additionally, state ethical rules apply. Among other matters, the Rules of Professional Conduct prohibit attorneys from revealing “information relating to the representation of a client unless the client gives informed consent,” subject to certain exceptions. ABA Model Rule of Professional Conduct 1.6.

Twenty-nine states and the District of Columbia have added comments to Rule 1.6 which address an attorney’s obligation to act competently to preserve confidentiality:

When transmitting a communication that includes information relating to the representation of a client, the attorney must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not necessarily require that the attorney use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require an attorney to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.

Client-Lawyer Relationship, Rule 1.6 Confidentiality Of Information – Comment.

In light of this, it is not an overstatement to say that the most effective defense to a CPT-related lawsuit, whether brought by a private or public entity, may be best practices. A favorable outcome is far more likely if a professional can demonstrate that he or she implemented prudent security procedures in advance of an incident (or, better yet, state-of-the-art security procedures, although the cost might be prohibitive for small and mid-sized companies) than if a plaintiff is able to show the deficiencies and flaws in the professional’s risk management plans and procedures, and how the professional could have employed best practices at a reasonable cost. If the professional can demonstrate the use of appropriate best practices, the plaintiff’s case potentially falls apart.

What Are Some of the “Best Practices” To Be Considered?

In many ways, cyber-related best practices are similar to those employed in other contexts. Formulate and implement an avoidance/loss mitigation strategy, put into place a crisis response plan, and buy insurance. Of course, the devil is in the detail, particularly when the devil is sitting at a computer terminal half-way around the world, outside the reach of law enforcement authorities.

There is no panacea to entirely avoid CPT events. Human beings, being human beings, sometimes make mistakes. And the loss of a laptop and/or cellphone, for example, is a mistake made more frequently than one would like to think. You can teach, coax, cajole and use all of the tools at your disposal to keep employees (or yourself) from committing human error. It isn’t possible to eliminate the risk entirely, though. Negligence happens.

Similarly, if a sophisticated and intrepid hacker wants to get in, he or she will.  There is no magic bullet to prevent it. Ask the FBI. Or the CIA. Or Scotland Yard. They all have been breached.

So, what can an attorney do in an effort to protect himself or herself from a CPT incident or a post-incident lawsuit? It would be trite to say that every situation is unique and that every profession has its own set of best practices. Trite or not, the statement is accurate. The nature and breadth of risk management, loss avoidance and mitigation, and breach response plans depend on the sector involved, the size of the company, the ubiquity of its technology and office locations, the sophistication of its legal, risk management, IT and other related personnel (if any), and other factors. Still, there are common themes that apply.

The following suggestions should be considered in conjunction with a law firm’s analysis of its CPT risks and exposures:

(1) At the outset, allocate a portion of your firm’s budget to IT and data security. You need to determine what financial, human and technical resources you can deploy so that you can spend them wisely;

(2) Appoint a trusted individual to oversee privacy and security development and compliance as an express component of his or her job responsibility. This person should monitor things such as: (a) applicable laws; (b) contractual obligations; (c) internal policies (email and network integrity, Bring Your Own Device (BYOD) policy and oversight, information security, social media, human resources issues, etc.); (d) compliance programs in which you participate; and (e) industry best practices;

(3) Retain experienced legal counsel, so that the work is protected by the all-important attorney-client privilege, to “quarterback” the development of cyber incident avoidance, loss mitigation and breach response plans, provide updates on legal developments, monitor competitors’ and others’ security practices and procedures, and report on significant and specific threats, risks and loss events;

(4) Identify and coordinate your plans with computer forensic consultants and other risk avoidance/crisis management consultants;

(5) Work with your legal advisors and human resources personnel to develop written cybersecurity policies and procedures, then communicate them to and train employees, vendors, etc. in their use and application. Issues to be addressed include statutory and legal responsibilities, privacy and security rules and guidelines for employees and third-party business partners, and encryption of client and firm data, particularly on portable devices such as the laptops and cellphones that are so often lost (this is essential);

(6) Perform periodic analyses of your security plans, procedures and systems to ensure that they are current and appropriate for your business and business sector. You don’t want a competitor to get ahead of you and be able to point to the greater breadth of its security processes and procedures compared with yours;

(7) Periodically audit your administrative, technical and physical infrastructure, among other assets, to reaffirm that they are properly protected;

(8) Implement a protocol that requires senior management to receive and meaningfully review periodic reports on your firm’s current information and technical plans and procedures, security issues, and related matters;

(9) Work with counsel to develop templates and information security tools for use with employees, vendors, and third-party business partners, among others. Such documents could include Non-Disclosure Agreements, Business Associate Agreements under HIPAA, indemnity and insurance agreements, and other legal instruments intended to mitigate or avoid economic loss. These documents should be disseminated to all personnel with contracting authority, who also should receive training; and

(10) Treat your clients’ and your own trade secrets, “Big Data,” and other critical proprietary information with the same level of care and attention you devote to the preservation and growth of other core assets.

These examples are simply the first steps to properly secure and protect your clients’, employees’ and your own personally identifiable information, personal health information and confidential commercial information. And, of course, your reputation and the continuing viability of your business.

Next week: The Economics of “Best Practices”; How Does CPT Insurance Factor Into Best Practices?; Conclusion

Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and contributing author for the Cyber Risk Network. He was previously a shareholder in the law firm Christie, Pabarue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.