We have all tried to ignore the warnings about our ethical duty to be competent in the technology we use:
- The articles and emails about data breaches and hacking of law firms
- Texas Ethics Opinion 680 with its (incredibly long and seemingly impossible to achieve) laundry list of “reasonable precautions” Texas lawyers should take in order to meet our duties of confidentiality and competence and
- Comment 8* to Rule 1.01, which makes it crystal clear that Texas lawyers are required to be competent in all forms of technology that they (and their firms) utilize
But no longer.
The headline last week from Law.com announcing that a well-known hacker group had obtained and then released a small Texas law firm’s data, including the firm’s personal injury client’s “pain diaries” and HIPAA consent forms, should be a wake-up call to all Texas lawyers.
Here is how it can happen.
A hacker targets a law firm and then uses ransomware to gain control of the firm’s data (i.e., confidential client information). They then publish the firm name and threaten that, if the law firm does not pay the demanded ransom (say, a million dollars), they will publish the firm’s data. Sometimes, as was the case with the recent hack of a Texas firm, the hacker publishes a sample of the firm’s data as proof that they can deliver on their threat if the law firm does not pay. Presumably, if the firm pays, the hackers release the data and remove the firm’s name from their published list of targets.
If this happens to you, it will not be a secret.
Texas law has for some time required any entity that suffers a data breach to notify any individual whose “sensitive personal information” may have been acquired by an “unauthorized person”. So yes, the clients will know. In addition, as of January 1, 2020, Texas law requires any business that experiences a data breach affecting 250 or more Texans to provide notice of that breach to the Office of the Texas Attorney General. Find the law in the Texas Business and Commerce Code, Title 11 Chapter 521 (Sec. 521.053) and forms for reporting to the AG here.
There is no excuse for delay.
No firm wants to admit that their data storage system has been hacked, which is why the answer to questions by the media is usually “no comment”. As a PR strategy—that is the way to go. However, if all of your clients’ personal data has been published on the internet—no PR strategy can save you. At that point, a disciplinary violation for breaching the duty of confidentiality and/or competence is going to be your last concern—and a massive number of lawsuits your first.
We must become the experts.
We may not be able to thwart a determined hacker; data security is a moving target due to the fast pace of technological advances. But being overwhelmed is not an excuse for ignoring our ethical duties with respect to technology.
Don’t know where to start?
Here is a short list to begin: Know and educate your staff about your ethical duties with respect to technology. Do what you need to in order to put protections in place to secure your firm’s data. Make sure that your Wi-Fi security and software are up to date. Put a data privacy plan in place and replace weak passwords. Educate your staff to recognize phishing emails. Put all of it in your firm’s policies and procedures handbook, make sure everyone in the firm reads and understands the handbook, and keep it up to date.
More information can be found online at the American Bar Association’s cybersecurity legal task force, including security resources and CLE links to articles aimed specifically at small firms. The ABA has also recently issued the 2nd edition of their publication The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, a review of which is posted on the SBOT website.**
*Comment 8 to Rule 1.01:
8. Because of the vital role of lawyers in the legal process, each lawyer should strive to become and remain proficient and competent in the practice of law, including the benefits and risks associated with relevant technology. . . .
**By my former Winstead colleague, Texas attorney Shawn Tuma.