Law Firm Cyber Security & Compliance Risks

Transcription

1 ALA WEBINAR Law Firm Cyber Security & Compliance Risks James Harrison CEO, INVISUS

2 Breach Risks & Trends 27.5% increase in breaches in 2014 (ITRC) Over 500 million personal records lost or stolen in 2014 (PRC) 85% of breaches are at small businesses (VISA) 59% of breaches caused by employees Shifting Accountability: Execs under increased scrutiny Third party vulnerabilities (vendors, service providers)

3 How Law Firms are Doing Law firms are in the crosshairs of hackers. Back in 2011, the U.S. government labeled New York City s 200 largest law firms the soft underbelly of hundreds of corporate clients. The good news in 2015 is: Almost 80% of law firms increase consider data security and privacy a top 10 risk Source: Marsh s 2014 Global Law Firm Cyber Survey

4 How Law Firms are Doing The bad news is: 72% of law firms have not assessed how much a breach would cost them with the type of data they retain 62% have not calculated the effective lost revenue following a breach incident Less than 50% said their firm was insured against this risk Source: Marsh s 2014 Global Law Firm Cyber Survey

5 Increasing Pressure on Firms Pressure from Clients: Clients vetting their service providers Example: GMR Transcription Services directly liable in FTC suit for failing to adequately verify that its law firm implemented appropriate security measures to protect personal information. (Jan 2014) 5 years ago, we didn t have client security audits. We ve had 15 so far this year. - Law firm Reed Smith

6 Increasing Pressure on Firms Pressure from Clients: Big banks and other clients are demanding their law firms do more to protect sensitive information [including] detailing their cybersecurity measures and onsite inspections

7 Increasing Pressure on Firms Pressure from Regulators: HIPAA-HITECH enables direct enforcement by DHHS (OCR) over business associates of HIPAA covered entities including law firms State laws 47 states with breach notification law Many states have minimum data security requirements Firms must consider the laws in all states where affected persons reside New data security regulations coming Federal, State Expanded definition of protected data New minimum data security standards

8 Increasing Pressure on Firms Pressure from Industry: ABA Rule 1.6 Professional Conduct, lawyers must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. ABA Resolution 109 calling for firms to develop, implement, and maintain an appropriate cybersecurity program.

9 What s the Risk? $201 est. cost per record lost/stolen $134 direct cost for customer losses $67 direct cost for customer remediation expenses Customer breach notification costs Fines and penalties Up to $1.5 million for HIPAA violation State penalties can be $500+ per record exposed Example: 5,000 records compromised: $335,000 in customer remediation $1 million total breach cost Source: Ponemon Institute Study 2014

10 What s the Risk? Forensic investigation, business interruption Civil lawsuits Reputation harm/ lost business

11 What Firms Should be Doing Prevention & Compliance Basics

12 What Firms Should be Doing 1 2 Encourage investment into a breach prevention & compliance program. Advise partners, board on risks and liabilities Assign responsibility and centralize the administration of your breach prevention & compliance program. Compliance Administrator or Information Security Officer All departments, functions collaborate

13 What Firms Should be Doing 3 Implement complete Information Security Compliance Program. Formalized Information Security Plan (policies & procedures) Administrative, Physical and Technical Safeguards Risk assessments (find vulnerabilities, compliance gaps) Implement updated security and privacy measures Training all personnel, ongoing Assess and manage service provider relationships Create incident response plan Consider Cyber-Liability Insurance

14 What Firms Should be Doing 4 5 Audit and legal defensibility readiness. Information Security & Compliance reports, documents Regular program updates (keep it current) Client privacy assurance. Client information privacy notice Client information security report 3 rd party certification

15 Thank you! Q & A