This is a Directors Report from our partners Cyber Security Intelligence:  This Premium article is free to view temporarily. For unrestricted website access please Subscribe: £5 monthly / £50 annual.

While Accountability starts with the CEO and corporate board, Cyber Security should be a shared responsibility across every function and level of an organisation. Cyber security should also be a practiced culture within the organisation that starts at the top, because if management does not take cyber security seriously, neither will the front-line employees. 

Any organisation can have all of the latest tools in the world, but without human participation, the ROI of implementing them will never be fully recognised.

It is also easy to blame the IT department, who, like the quarterback, often gets blamed for performances beyond their control. Often-times, internal IT is restricted to the tools they have at hand. While the IT department can implement industry-leading email security solutions, they cannot hold the hand of every employee each time he or she feels tempted to click an embedded link that got through the filter. 

According to the Identity Theft Resource Center the number of US data breaches tracked in 2021 hit a new all-time high of 1,862 surpassing the 2020 total of 1,108. Hacking was the primary attack method, followed by phishing emails, malware, and often employee errors or negligence. 

In the legal sphere alone, cyber security firm Mandiant estimated that at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011. The number of breaches, attempted breaches, as well as the sophistication of hackers is growing each year. No amount of security can perfectly seal off a system from intruders. The question is, who is ultimately responsible for the integrity of the customer’s Personal Information (PI) if a breach occurs?

Data Is Becoming More Vulnerable: Cloud & Big Data

Organisations once exclusively relied on their own server infrastructure residing in on-site, proprietary data centers. Data storage has been increasingly shifted off site to third-party public cloud providers. In a cloud-based environment there are generally three parties involved: 

  1. The Customer or End user of the service (an individual or an organization. 
  2. The Data Owner – business that provides service or products to customer (for example Target, PayPal, Macys, any law firm); and 
  3. The Data Holder – a third-party cloud service provider that provides hosting, storage, application, hardware, for the data owner such as IBM Cloud, Microsoft Azure Cloud Storage, Amazon Web Services (AWS).

Data involving PI is especially vulnerable in the cloud due to a variety of unique threats: lack of transparency of operations, remote and indirect management, external threat enhancement since anyone can obtain an account to the cloud provider’s environment, increased malicious insider threats as the data owner does not have direct control over who can access or administer the data, and insecure Application Programming Interfaces (APIs) which are completely open to the Internet.

In a big data environment, PI is spread across a large storage network (generally, but not always, in the data owner’s own data center) with many points of vulnerability due to the scale of data, velocity of information movement, and many distributed data devices.

Invoice Fraud

An invoice fraud scheme usually involves a cybercriminal masquerading as a trusted supplier, and sending a fake invoice to that supplier’s customers. In these scams, the cyber criminal often has control of the supplier’s email account and can access legitimate invoices. The cyber criminal changes these invoices to include new bank account details and then sends the invoices to customers from the supplier’s email account. The customer pays the invoice into the cyber criminal’s bank account, and the actual supplier’s invoice for services provided or goods delivered remains outstanding.

What Is The Legal Position Of  A Businesses Where Email Is Compromised?

The general position at law is that the hacked party is usually the one at fault. There is, however, a distinction between cyber crime carried out through:

  • An actual hack of a business’s server (and sending an email from that server): Or
  • Spoofing a business’s email address.

Impact Of A Data Breach For Law firms & Corporate Legal Departments

Data owners of any firm or organisation are responsible for the PI of customers and clients. A data intrusion may affect the PI of a law firm’s employees and clients with whom a law firm is working.

Luke Dembosky, a cyber security and litigation partner at Debevoise & Plimpton, assesses law firms as having peculiar target vulnerabilities. “As vendors, law firms are attractive targets. They not only hold valuable client information but also are regularly emailing attachments to clients, providing a possible means to get into client systems,” he says.  “Second, law firms are seen as high-value targets for the rapidly growing use of ‘ransomware’ and extortion schemes because they have historically weak defenses and are seen as able to pay large sums.”
The question of legal responsibility for an affected organisation however is not cut and dry.

Who Is Legally Responsible For A Breach?

With growing and increasingly severe intrusions such as those that recently occurred involving Target, Chase, Anthem and others, Congress, regulators and state governments are looking at how to protect PI from unauthorised access. There is no current US Federal mandate that covers data breaches affecting personal information. However, all US states require organisations to notify customers and in some cases regulators if a data breach occurs impacting residents.

In a cloud environment, under US law (except HIPAA which places direct liability on a data holder), and standard contact terms, it is the data owner that faces liablity for losses resulting from a data breach, even if the security failures are the fault of the data holder (cloud provider). Typically, standard vendor agreement contracts exclude consequential damages and cap direct damages.

In most cases, all damages flowing from a data breach of the data holder will be considered consequential damages and barred by a standard provision disclaiming all liability for consequential damages. 

If sensitive or regulated data such as personal health information (PHI) under HIPAA is stored in the cloud and a breach occurs, the data owner required to disclose the breach and send notifications to potential victims. A law firm holding PHI is defined as a “business associate” under HIPAA and subject to its legislation. Agreements typically require by the data holder to report the data breach to the data owner and assist in the investigation.

If the breach involves a cyber attack in a traditional data owner’s proprietary network & data centre, the data owner is obviously potentially liable.

However, how liable can an organisation be in the event of a breach? State and federal data privacy laws in the US do not impose civil liabilities carte blanche in the event of a cyber intrusion. Liability is imposed generally if the following conditions exist:

  • An entity failed to implement safeguards required by statute or reasonable security measures.
  • An entity failed to remedy or mitigate the damage once the breach occurred.
  • Failure to timely notify the affected individuals under a state’s data breach notification statute, may give rise to liability for civil penalties imposed by a state attorney general or other state enforcement agency.

In effect, negligence must be proven in any litigation. However, liability can also exist if contractual indemnification or service agreements are in effect towards affected individuals or between business entities.

The Damages Of An Intrusion

The costs & liability of a data breach to a law firm or company may include all or some of the following:

  • Individual & class action lawsuits by customers & shareholders, settlement payments, legal expenses. Liability can include, depending on the case, civil monetary compensation for any economic losses incurred by the victim. 

It can also include reimbursement to victims for out-of-pocket expenses to restore the integrity of the compromised personal information. Emotional distress of victims may also come into play.

  • Government investigations and potential penalties. 
  • Outside response teams and audits being required.
  • Digital investigation and forensic services.
  • Remodeling of information infrastructure. 
  • Implementing new or enhanced identity theft protection services.
  • Identity theft insurance impacts.
  • Potential malpractice.

Collateral damage can include damage to reputation, consequential loss of business and revenue, and replacement of management.

Data Breach Response & Mitigation: For any firm or organisation the nature of a data breach can vary widely. The severity of data breach is contingent on numerous factors:

Nature of the infringement – number of people affected, damaged they suffered, duration of infringement, and purpose of processing.

Intention – whether the infringement is intentional or negligent.

Mitigation – actions taken to mitigate damage to data subjects. 

Preventative measures – how much technical and organisational preparation the firm had previously implemented to prevent non-compliance.

Past relevant infringements – has there been a pattern of negligence or incidents. 

Cooperation – how cooperative the firm has been with the supervisory authority to remedy the infringement.  

Data type – what specific information was compromised.

Notification – whether the breach was timely reported to the supervisory authority by the firm or a third party.

Certification – whether the organisation had qualified under approved certifications or adhered to approved codes of conduct

A Strong Defense Is Always A Good Offense

Having an effective breach management processes is key to mitigating a serious intrusion and reassuring clients:

  • Incident preparation and risk management, including incident response planning. 
  • Organisations should implement infrastructure for preventing, detecting, and responding to security incidents. 

This includes not only anti-malware, firewall software and hardware implementations, but threat analysis, incident training, response protocols and standards, Agile management, and remediation policies and procedures. 

Incident investigation and legal assessment:  An incident investigation team or individual should be designated and an organisations legal responsibilities known and documented ahead of time.

Notification of affected individuals and other entities, if required:  Breach communications should be developed ahead of time and customer/client lists should be kept in secure off line or backup locations.

Post-incident review and management:  Assess the vulnerability, other contingent factors that resulted in the data compromise, and if necessary, hire a third-party cyber security organisation to help secure data from future threats.

Law firms and other legal providers should undergo regular security assessments and penetration testing using third-party vendors to minimise the breach potential. This includes external tests to see what part of the system is vulnerable on the Internet as well as testing the vulnerabilities in web and mobile applications. Another proactive measure to mitigate data breach fallout is to invest in the appropriate cyber liability insurance. 

A layered approach to data protection can improve resilience  so much that trying to get in may not be worth the effort.

References:  ABA Journal:    Mondaq:     Salerno Law:     Security Magazine:    Thomson Reuters

Source: Cyber Security Intelligence