What to do After a Data Breach

A data breach is a traumatizing event, regardless of how it occurs, and this has been a particularly active summer for thieves and scammers.

In the past 12 months, Oregon lawyers have reported home and office break-ins, stolen laptops and mobile devices, and malware security intrusions.  If you experience a data breach, here are the key steps you must take:

  1. Contact an IT expert NOW before you pass go.  The scope of the intrusion may reach beyond your stolen mobile device or the specifically infected computer. Until you know better, assume that all connected devices are part of the data breach. This might include your desktop computer, your assistant’s computer, your server, mobile devices used to access your network, and your home computer if you connect remotely to your office.  Fixing security issues will require sleuthing, finding a solution to the problem, protecting existing data and devices not affected by the breach, testing security solutions, and potentially preserving forensic evidence.  Don’t try to DIY!
  2. Change vulnerable user names and passwords.  At the first indication of a data breach, you won’t know exactly what went wrong – only that your information, or your clients’ information, has been compromised.  With your IT expert’s help, get access to a secure computer to change vulnerable user names and passwords.  [If you modify your login credentials while a keylogger resides on your system, you’ve made the situation worse by supplying the hacker with your newly replaced user names and passwords.]
  3. File a police report.  Realistically, this isn’t likely to help.  However, it may be required under the Oregon Consumer Identity Theft Protection Act [ORS 646A.600-646A.628] or the terms of your insurance/coverage policy.
  4. Report the breach to your property manager.  If the breach occurred in connection with an office break-in, inform the property manager as soon as possible.  Broken windows and locks should be fixed immediately to avoid further loss.  If you believe inadequate security may have played a role in the break-in, it may be appropriate to assert a claim against the management or building owner. Research the issue or speak to outside counsel. Document your property loss and consider getting a commitment in writing about security improvements.
  5. File claims with commercial carriers.  Submit claims to any applicable insurance carriers: cyber liability and data breach, commercial liability, or others.
  6. Contact the Professional Liability Fund.  If you are an Oregon lawyer, contact the PLF. Beginning in 2013, the PLF added a Data Breach and Cyber Liability Endorsement to all excess coverage plans. The endorsement provides coverage for information security and privacy liability, privacy breach response services, regulatory defense and penalties, website media content liability, and crisis management and public relations services. The endorsement covers many claims that would otherwise be excluded.
  7. Contact the Oregon State Bar.  The OSB General Counsel’s office can give you advice about the ethical implications of a data breach.
  8. Report identity theft to the FTC.  If you are the victim of identity theft, file a report with the FTC as soon as possible.  Review the FTC website for other steps not discussed here [reporting a misused social security number, removing bogus credit charges, replacing government-issued identification cards].
  9. Freeze or place fraud alerts on credit accounts.  A freeze literally locks down your credit. No credit transactions can be authorized until you lift the freeze, temporarily or permanently.  Fraud alerts inform you if someone is attempting to obtain new credit in your name.  Learn more about credit freezes and alerts here.
  10. Protect bank accounts, credit cards, and debit cards.  If banking, credit card, or debit card information was exposed in conjunction with the data breach, you may want to freeze your bank accounts [personal, general, IOLTA]; arrange for fraud protection services; or close your accounts altogether.  Talk to your banks and credit/debit card providers.  If you have automated payments tied to former bank accounts, credit or debit cards, be sure to update your information.  This includes payment accounts associated with federal or state court eFiling systems.  Continue to monitor statements for unauthorized transactions.
  11. Notify clients.  This is never easy, but clients must be informed if confidential information has been compromised. A sample notification letter is available on the PLF website.  Select Practice Management > Forms > Client Relations > “Notice to Clients re Theft of Computer Equipment.”  If you have questions about your ethical duties toward clients, speak to OSB General Counsel [see step 7 above].  Additionally, client notification may be a statutory responsibility under the Oregon Consumer Identity Theft Protection Act [ORS 646A.600-646A.628].
  12. Begin reconstructing files if needed.  Lawyers who are straightforward about an office break-in or theft often find that clients are sympathetic, understanding, and more than willing to help.  With a bit of luck, you should be able to reconstruct most or all of your files from your backup or documents supplied by clients.
  13. Monitor your credit report.  Check your credit reports at annualcreditreport.com for signs of fraud.  Annualcreditreport.com is the only official source for free credit reports authorized by the Federal Trade Commission.
  14. Monitor Craigslist.  If you believe a thief has posted your property for sale, inform police.
  15. Start using encryption.  Read “Encryption Made Simple for Lawyers” as a starter, then check out these resources from the ABA Legal Technology Resource Center. For reviews of encryption products, check out LawSites.  [In the navigation pane on the right, scroll midway down the page to Search LawSites.]  If you want an encrypted password manager – a very good idea – see these top picks for 2015.  Shopping for a new laptop?  Don’t forget that hard drive encryption is automatically built into the MacBook.  Using Windows OS? Sorry, you’ll need to buy your own encryption software.  If all this seems overwhelming, talk to your IT expert.
  16. Backup, backup, backup!  Online backup services are a great way to automatically back up data.  Read more about backup protocols and available resources on the PLF website. Select Practice Management > Forms > Technology > “How to Backup Your Computer” and “Online Data Storage.”
  17. No cyber liability or data breach coverage?  Buy it!  If your claims weren’t covered, purchase cyber liability and data breach insurance to protect against future loss – privately or through the PLF as part of our excess program.  [See item 6 above.]
  18. Stay vigilant.  Fixing a data breach does not mean that scammers or hackers will stop.  Watch out for phishing attempts.  Don’t click on suspicious links in emails, texts, or social media messages.  I’ve written over 20 blog posts on the subject of scams. To find the posts, visit my blog’s landing page. In the search box in the upper right corner, enter “scam.”  You’ll also find seven In Brief articles on the PLF website.  Select Practice Management > Publications > In Brief and enter “scam” in the search by keyword or year box.  See also Jennifer Meisberger, “Sophisticated Scams: Protect Your Clients’ Money,” Oregon State Bar Bulletin (June 2015) and the PLF CLE, Protecting Your Firm and Your Client from Scams, Fraud, and Financial Loss.

All Rights Reserved [2015] Beverly Michaelis

Are Changes Coming to Oregon’s Data Breach Law?

Attorney General Ellen Rosenblum is urging the Oregon legislature to update Oregon’s data breach law:

“Data breach and the distribution of personal information is a growing risk for Oregonians. Nationally, data breaches in 2013 exposed an estimated 546 million pieces of personal information. The Oregon Identity Theft Prevention Act of 2007 requires businesses and governmental agencies to notify consumers of digital data breaches and develop safeguards for personal information but provides no protection for medical, insurance or biometric information. By extending enforcement power to the Oregon Department of Justice, Oregon will be able to use the effective enforcement tools of the already-existing Unlawful Trade Practices Act.” Read more here.

Track the status of legislative action on this issue and in other areas that affect your practice by using the Oregon State Bar 2015 Regular Session Bill Tracking tool.

The 2015 Oregon State Bar Law Improvement Proposals are found here. The 2015 Oregon State Bar Legislative Priorities include improvements to court funding in general, eCourt funding in particular, and legal services to the poor. Read more here.

Cyber Security and Data Breach Response

“Cyber threat is one of the most serious economic and national security challenges we face as a nation.”  Barack Obama, President of the United States

The Identity Theft Resource Center has documented over 500 data breaches in 2014 through early September.  This represents a 26.2% increase over the same time period last year. The news isn’t any better for the legal profession.

The latest ABA Legal Technology Survey Report notes that “Nearly half of law firms were infected with viruses, spyware or malware last year.”  Fourteen percent of law firms “experienced a security breach last year in the form of a lost or stolen computer or smartphone, a hacker, a break-in or a website exploit.”

Where to Start

With such staggering numbers, it is easy to become overwhelmed.  If you are concerned about cyber security but don’t know where to start, begin here at the ABA Web site. If you are a prolific user of mobile devices, be sure to check out the ABA’s suggestions for Security on the Go.  To understand the state of security in US law firms, read this post by Bob Ambrogi.

Make Encryption Your Best Friend

Encryption is a powerful way to protect sensitive data belonging to you and your clients. The ABA post Playing it Safe provides a good overview.  Since TrueCrypt is no longer available, check out the following reviews of encryption software: Lifehacker, GFI, PC World, and Gizmo.

You’ve Heard it Before: Use Strong Passwords

It seems we are reminding lawyers every other day about the importance of using strong passwords unique to each account or Web site.  See these recent posts on the ABA Law Technology Today blog:

Firewalls, Anti-Spam, Anti-Virus, Malware Protection

The best protection is comprehensive.  This excerpt from The 2014 Solo and Small Firm Technology Guide provides guidance.  Don’t be afraid to hire an IT expert to help.

Purchase Cyber Liability and Data Breach Coverage

The Professional Liability Fund (PLF) Excess Claims Made Plan automatically includes a cyber liability and data breach response endorsement with these features:

  • Forensic and legal assistance to determine compliance with applicable law
  • Notifications to individuals as required by law
  • 12 months credit monitoring to each notified client
  • Loss mitigation resources for law firms

If you aren’t eligible or don’t wish to purchase excess coverage through the PLF, contact a commercial carrier.

Protect Yourself Against Scams

The security measures outlined above are a good start toward protecting your firm and your clients from scams.  For more complete protection, get educated.  Order the free PLF CLE: “Protecting Your Firm and Your Client from Scams, Fraud, and Financial Loss,” and talk to your bank about fraud protection services.

[All Rights Reserved – 2014 – Beverly Michaelis]

The State of Law Firm Security

Viruses are More Common at Law Firms than Encryption, ABA Survey Shows

“Nearly half of law firms were infected with viruses, spyware or malware last year, according to the latest ABA Legal Technology Survey Report. At the same time, only a quarter of law firms had any kind of email encryption available for their lawyers to use, the survey found.

Also, 14% of law firms experienced a security breach last year in the form of a lost or stolen computer or smartphone, a hacker, a break-in or a website exploit.”

Bob Ambrogi

Read the full post here.

Critical Security Concerns for Internet Explorer, Flash, and AOL Users

On the heels of Heartbleed, more security concerns:

Stop Using Internet Explorer Now
By now you have likely heard about the security issues with Internet Explorer. However, you may not realize that the US government warned users to quit using IE until Microsoft fixes a security hole that could allow hackers to gain remote access to your computer.

To be safe, download an alternate browser like Firefox or Chrome and avoid Internet Explorer until Microsoft issues a patch. UPDATE: a patch is now available for all Windows users, even XP. Run Windows Update to verify the patch has been installed. In my case, I found it had been downloaded but not installed.

Update Adobe Flash Player
A second security bug involves Adobe Flash Player. This vulnerability permits remote code execution, potentially giving hackers access to your computer. (For those who are curious, the result is the same as the Internet Explorer vulnerability, but the two security issues are unrelated.)

Adobe has already pushed out an emergency security patch which all users should download immediately.

AOL Compromised
In a third security incident, AOL reported a security breach of its email servers. AOL users should change their passwords immediately.

Cyber Security – Horrifying Stats and Tips for Dropbox Users

For the last two weeks, I have been featuring a potpourri of posts gleaned from tweets posted during the ABA TECHSHOW.  Today we explore cyber security with extra bonus tips for good measure.

Cyber Security – Numbers, Trends, Protecting Your Firm

Tips for Dropbox Users

  • Dropbox security: use third party apps – like Viivo – to encrypt. You own the key. @VIIVOkey happens to be in attendance.… @MrsMacLawyer RT @rocketmatter
  • Dropbox security: use 2 step authentication but put recovery code in safe place. It’s not retrievable. @larryport RT @rocketmatter
  • Also see my post, The 7 Rules of Using Dropbox and search this blog for related Dropbox posts.

Thanks 2014 ABA TECHSHOW tweeters for the tips!  And check out these resources for lawyers posted by the author on Scribd.

All Rights Reserved – Beverly Michaelis [2014]

13 Resources for Protecting Data – Courtesy of the FTC

With data breaches in the news on an almost daily basis, how do you protect your law firm’s assets? What advice should you give to your clients?

The FTC offers a list of 13 data security resources to help you get started. From mobile apps to digital copiers and shutting down spam, there is a ton of good advice to be culled from these posts and PDFs:

What Lawyers Can Learn from the Yahoo Email Hack

Yahoo, the second largest email service worldwide, reported a security breach last week which exposed personal information from sent email folders.

The Associated Press reports:

Yahoo Inc. said in a blog post on its breach that “The information sought in the attack seems to be the names and email addresses from the affected accounts’ most recent sent emails.”

That could mean hackers were looking for additional email addresses to send spam or scam messages.  By grabbing real names from those sent folders, hackers could try to make bogus messages appear more legitimate to recipients.

If you correspond with friends, family, clients, or colleagues who use Yahoo’s mail service, scrutinize incoming e-mail carefully to avoid phishing scams. 

This breach has another takeaway for lawyers – you are only as secure as your third party vendors.  The Yahoo and Target breaches were both the result of third-party vendor hacks.  In the case of Yahoo, the information was collected from a third-party database.  In the Target hack, credentials were stolen from a third party vendor.

Lawyers should take this to heart when evaluating their own cyber liability and security – specifically with regard to HIPAA compliance.  If your servers are hosted in the cloud, or you use cloud-based practice management, accounting, or backup solutions, inquire into the security procedures of your vendors.  Remember that encryption is your friend.  All data stored in the cloud should be encrypted – minimally by your vendor.  Better yet: go the extra mile.  Seek out cloud providers who permit you to add your own third party encryption, like Viivo or TrueCrypt, so that you (and only you) hold the final encryption key.

All Rights Reserved [2014]

Beverly Michaelis

You and Your Clients Remain Vulnerable to Scams

In the July issue of the OSB Bulletin, Leonard DuBoff and Christy King offer new advice regarding the latest scams plaguing lawyers:

For example, one of the newer scams involves someone posing as a real estate buyer and contacting a mortgage broker or real estate agent instead of a lawyer. The broker or agent then refers the buyer to a lawyer, not realizing that the purported buyer is really a scammer. The attorney often knows the mortgage broker or real estate agent and so doesn’t question the legitimacy of the transaction. A variation on the scam occurs where the scammer asks a lawyer in one area of the country to provide a referral to a lawyer in a different region. Some scammers assume the identity of actual attorneys in order to perpetrate the fraud. They claim to be referring a client — often themselves — for claimed legal assistance.

Learning about the latest scams is one way to keep on your toes.  Here are some others:

All Rights Reserved Beverly Michaelis (2013)