Over the last few weeks I’ve reported on the presentations given at the first ever Solo & Small Firm Conference in Bend, Oregon. As noted previously, the lineup included several Oregon-based experts, including the incomparable David Elkanich of Holland & Knight.
David was the closer on day one, and conference organizers couldn’t have chosen a better speaker. The topic: Legal Ethics for the Solo and Small Firm Practitioner.
David touched on client screening, fee agreements, engagement/disengagement/nonengagement letters, referral fees, data privacy and security, use of contract lawyers, supervision of lawyer and non-lawyer staff, IOLTA, mobile devices, and office sharing. Click here to see a complete review of David’s spot-on advice.
A data breach is a traumatizing event, regardless of how it occurs, and this has been a particularly active summer for thieves and scammers.
In the past 12 months, Oregon lawyers have reported home and office break-ins, stolen laptops and mobile devices, and malware security intrusions. If you experience a data breach, here are the key steps you must take:
Contact an IT expert NOW before you pass go. The scope of the intrusion may reach beyond your stolen mobile device or the specifically infected computer. Until you know better, assume that all connected devices are part of the data breach. This might include your desktop computer, your assistant’s computer, your server, mobile devices used to access your network, and your home computer if you connect remotely to your office. Fixing security issues will require sleuthing, finding a solution to the problem, protecting existing data and devices not affected by the breach, testing security solutions, and potentially preserving forensic evidence. Don’t try to DIY!
Change vulnerable user names and passwords. At the first indication of a data breach, you won’t know exactly what went wrong – only that your information, or your clients’ information, has been compromised. With your IT expert’s help, get access to a secure computer to change vulnerable user names and passwords. [If you modify your login credentials while a keylogger resides on your system, you’ve made the situation worse by supplying the hacker with your newly replaced user names and passwords.]
Report the breach to your property manager. If the breach occurred in connection with an office break-in, inform the property manager as soon as possible. Broken windows and locks should be fixed immediately to avoid further loss. If you believe inadequate security may have played a role in the break-in, it may be appropriate to assert a claim against the management or building owner. Research the issue or speak to outside counsel. Document your property loss and consider getting a commitment in writing about security improvements.
File claims with commercial carriers. Submit claims to any applicable insurance carriers: cyber liability and data breach, commercial liability, or others.
Contact the Professional Liability Fund. If you are an Oregon lawyer, contact the PLF. Beginning in 2013, the PLF added a Data Breach and Cyber Liability Endorsement to all excess coverage plans. The endorsement provides coverage for information security and privacy liability, privacy breach response services, regulatory defense and penalties, website media content liability, and crisis management and public relations services. The endorsement covers many claims that would otherwise be excluded.
Freeze or place fraud alerts on credit accounts. A freeze literally locks down your credit. No credit transactions can be authorized until you lift the freeze, temporarily or permanently. Fraud alerts inform you if someone is attempting to obtain new credit in your name. Learn more about credit freezes and alerts here.
Protect bank accounts, credit cards, and debit cards. If banking, credit card, or debit card information was exposed in conjunction with the data breach, you may want to freeze your bank accounts [personal, general, IOLTA]; arrange for fraud protection services; or close your accounts altogether. Talk to your banks and credit/debit card providers. If you have automated payments tied to former bank accounts, credit or debit cards, be sure to update your information. This includes payment accounts associated with federal or state court eFiling systems. Continue to monitor statements for unauthorized transactions.
Notify clients. This is never easy, but clients must be informed if confidential information has been compromised. A sample notification letter is available on the PLF website. Select Practice Management > Forms > Client Relations > “Notice to Clients re Theft of Computer Equipment.” If you have questions about your ethical duties toward clients, speak to OSB General Counsel [see step 7 above]. Additionally, client notification may be a statutory responsibility under the Oregon Consumer Identity Theft Protection Act [ORS 646A.600-646A.628].
Begin reconstructing files if needed. Lawyers who are straightforward about an office break-in or theft often find that clients are sympathetic, understanding, and more than willing to help. With a bit of luck, you should be able to reconstruct most or all of your files from your backup or documents supplied by clients.
Backup, backup, backup! Online backup services are a great way to automatically back up data. Read more about backup protocols and available resources on the PLF website. Select Practice Management > Forms > Technology > “How to Backup Your Computer” and “Online Data Storage.”
No cyber liability or data breach coverage? Buy it! If your claims weren’t covered, purchase cyber liability and data breach insurance to protect against future loss – privately or through the PLF as part of our excess program. [See item 6 above.]
Attorney General Ellen Rosenblum is urging the Oregon legislature to update Oregon’s data breach law:
“Data breach and the distribution of personal information is a growing risk for Oregonians. Nationally, data breaches in 2013 exposed an estimated 546 million pieces of personal information. The Oregon Identity Theft Prevention Act of 2007 requires businesses and governmental agencies to notify consumers of digital data breaches and develop safeguards for personal information but provides no protection for medical, insurance or biometric information. By extending enforcement power to the Oregon Department of Justice, Oregon will be able to use the effective enforcement tools of the already-existing Unlawful Trade Practices Act.” Read more here.
Track the status of legislative action on this issue and in other areas that affect your practice by using the Oregon State Bar 2015 Regular Session Bill Tracking tool.
The 2015 Oregon State Bar Law Improvement Proposals are found here. The 2015 Oregon State Bar Legislative Priorities include improvements to court funding in general, eCourt funding in particular, and legal services to the poor. Read more here.
To be safe, download an alternate browser like Firefox or Chrome and avoid Internet Explorer until Microsoft issues a patch. UPDATE: a patch is now available for all Windows users, even XP. Run Windows Update to verify the patch has been installed. In my case, I found it had been downloaded but not installed.
Update Adobe Flash Player. A second security bug involves Adobe Flash Player. This vulnerability permits remote code execution, potentially giving hackers access to your computer. (For those who are curious, the result is the same as the Internet Explorer vulnerability, but the two security issues are unrelated.)
With data breaches in the news on an almost daily basis, how do you protect your law firm’s assets? What advice should you give to your clients?
The FTC offers a list of 13 data security resources to help you get started. From mobile apps to digital copiers and shutting down spam, there is a ton of good advice to be culled from these posts and PDFs: