September 18, 2024
Over the summer, a global IT outage served as a stark reminder of our collective reliance on technology and the abundance of confidential and sensitive data that our clients trust us to protect. Around the country, wide-ranging industries, including law firms, found themselves simply without computer access. Many were at a standstill. Thankfully, this was not the result of a cyberattack, and the problem was quickly identified and addressed. That said, it raises the question – are each of us, as the holders of confidential client information, doing enough to protect it?
While I am by no means a cybersecurity expert, there are some basic steps that anyone with client information should consider and that most are already familiar with: ensuring that all devices, including laptops, smartphones, and tablets, are encrypted, strong passwords are used and changed frequently, and two-factor authentication is enabled.
Additionally, we should all ensure we are following protocols and have proper controls implemented to protect information stored and processed on cloud-based systems, such as Dropbox, Sharefile, and Google Drive. It perhaps goes without saying that it is important to keep devices in compliance with the latest operating system updates and security/anti-malware software to protect against vulnerabilities.
But there are a host of other considerations as well. For example, do you have a plan ready should your work phone or other device be lost or stolen? Have you considered encryption tools for email communications and file sharing, especially when handling sensitive client information?
With remote work here to stay, there are even more potential vulnerabilities and consequent security considerations. Many of us now use virtual private networks, but taking it a step further and utilizing secure messaging applications that can encrypt data and protect it from interception is worthy of consideration. Likewise, we know data should also be stored in secure, centralized systems where it is easier to control access and security measures.
If you or your firm experience a data breach or a device is stolen, it is critical that you take quick action to protect client confidentiality and comply with legal and ethical obligations. If a device is stolen, it is good practice to immediately report the theft to local law enforcement and obtain a police report to document the incident.
Let your firm’s IT department or security team know about the theft so they can take immediate action, such as wiping the device remotely or tracking it. Change your passwords on all accounts accessible from or logged into by the stolen device and notify your firm leadership.
Keep in mind also that New Hampshire has data breach notification laws requiring businesses, including law firms, to notify affected individuals if their personally identifiable information has been compromised. Also, depending on the nature of the data, federal laws such as HIPAA (for health information) or the Gramm-Leach-Bliley Act (for financial information) may also require notification to affected parties and regulatory authorities.
If the stolen technology contained regulated information (e.g., healthcare or financial data), you may be required to notify regulatory bodies, such as the New Hampshire Attorney General’s Office or the Department of Health and Human Services for HIPAA breaches.
While the world of cybersecurity is constantly evolving and fast changing, it is our duty to stay engaged and up to date, not just in the areas of law we practice, but in all areas that implicate the trust afforded to us by our clients.
The Bar Association is here to assist with these challenges. As part of our TechConnect benefit, we have access to many whitepapers from Affinity Consulting.
You can find more than 20 whitepapers on cybersecurity at nhbar.org/whitepapers-techconnect. You can also join us at the Midyear Meeting on February 21 to hear national expert Mark Lanterman’s “Cybersecurity, AI, and Deep Fakes” presentation.
New Hampshire Bar News, October Issue | President’s Perspective
