BreachExchange mailing list archives

Is your firm the next Target? Cyber Liability Risks and Mitigation Tips


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Oct 2014 20:15:59 -0600

http://www.legalexaminer.com/miscellaneous/is-your-firm-the-next-target-cyber-liability-risks-and-mitigation-tips/

It seems like every morning Americans wake up to the news of a major data
breach.  First Target, then Home Depot, and now mid-size to small companies.
It appears this is the new wave of liability for all businesses, including
law firms.  There is yet to be much case law in terms of liability damages
against law firms, but what most business owners do not realize is how to
respond appropriately to a breach and the costs associated with the
notification and monitoring of a particular breach.  Each State has its
own definition of “Personal Information”.  Furthermore, each State has its
own requirements as to whether notification is required to the Attorney
General or a State Agency, and a timeline associated with it.  There are many
states that have an Encryption Safe Harbor, as well as a couple that
permit a private cause of action to be brought against the breached party.
One additional difference from State to State is how the Statute is
triggered in terms of the breach being Electronic and/or Paper Records.

I think it is safe to say at this point, the risk and exposure are
imminent.  So the next question is how do you protect your firm from being
the next headline?  Given the legal and ethical implications for lawyers who
handle personal information from a client or adversary, it is crucial to
make sure the appropriate steps are taken to not only secure the data, but
also protect against potential inadvertent disclosure.  Obviously, no
business is immune to a breach, regardless of the implementation of various
protection software or company policies and procedures, but here are a few
suggestions for best practices that certainly help mitigate the risk in
some capacity.

- If and when possible, use encryption.  As mentioned above, most states
have an Encryption Safe Harbor under their breach laws which greatly
reduces the risk of a data breach.
- Monitor technology to keep current and up to date on any threats to the
confidentiality of client data.
- Adopt a written information security plan and engage in the implementation
and training associated with such a plan. (Your IT personnel or company
should be able to assist.)
- Carefully review and monitor your vendor agreement to ensure compliance
with your suggested and agreed-upon data security agreements.

As of 10/7/2014, there were 589 data breaches reported affecting 76,681,707
records.  Now let's talk a little about the hard costs associated with a
breach, as well as some trends and how that might impact your firm.  Then
I will touch a little on an emerging insurance product designed to protect
your firm from a number of these variables.  Presently the average cost of
a data breach is $188 per record ($128 being indirect costs).  In some
industries, such as healthcare and financial services, that cost is even
higher.  Today, 35% of organizations had a breach due to a lost or stolen
mobile device such as a tablet, smartphone, etc.  81% of employers permit
their employees to use their own mobile device to access their network or
enterprise system.  Many organizations are embracing the Cloud, so global
exposure is only going to increase.  Here are a few more astounding
figures to consider.  For the first time ever, the main cause of a data
breach is actually a criminal or malicious attack.  This accounted for 41%
of the data breaches last year, whereas a negligent employee was next at
33% and a system glitch accounted for 26%.

Do you think your firm is protected?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/