By James M. Davis and Bradley H. Dlatt
Data breaches are everywhere, and they are expensive. In the first six months of 2019, there were more than 3,800 reported data breaches—a 54% increase from the same period last year—exposing more than 4.1 billion records. The average reported cost of a data breach for an American company is $8.2 million.
We work every day with individuals and businesses that face the real prospect of a network intrusion, a data breach or other cyber-related event that—if successful—comes with potentially staggering costs. Experts caution businesses to treat these attacks as inevitable. In addition to looking out for our clients, lawyers and law firms themselves need to be ready.
Last October, the ABA’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483: “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack,” which acknowledged that lawyers and law firms are a target for hackers and addressed many of the key concerns lawyers and law firms must consider when responding to a breach of their own systems. The steps in this article apply equally to your own practice.
As counselors and trusted advisers, it is our job to ensure that our clients, and our own law firms, take the necessary precautions to prepare for a possible cyber-related event.
Our experience as insurance coverage counselors for individuals and businesses informs our holistic approach, based on the recognition that a data breach is not just an IT problem, a legal problem or a public relations problem—it is an organizationwide risk.
How to Prepare for a Data Breach
Step One: Understand your risks.
As a trusted adviser, you should guide your client through a detailed risk analysis, which should focus on issues such as (1) what types of data the client is collecting; (2) when and how that data is being collected; (3) where the data is being stored; (4) how the data is being used; (5) who has access to both the collected data and the other information technology systems that the client uses; (6) how data flows through the client’s various systems and who touches that data along the way; (7) what procedural safeguards are in place to protect the client’s systems and data; and (8) what your client’s legal obligations are with respect to its collection, use and storage of the various categories of data in the event of a breach.
The final item on this list—legal obligations—is connected to the rapidly changing areas of law affecting data. States like California have begun rolling out broad-based consumer data privacy laws that touch on data collection, use and storage. Federal law protects specified categories of data, such as health information. It would benefit you and your client to have a privacy law expert at the table in this stage.
Step Two: Build the right team.
With respect to data breach preparation and response, internal delays and communication breakdowns can mean the difference between a network intrusion that is quickly recognized and quarantined or a massive data breach that never seems to end and costs millions of dollars to resolve.
An effective team includes internal stakeholders in information technology, systems management, human resources, public relations, finance and accounting, as well as appropriate members of senior leadership. Your client’s team may also include outside experts such as counsel familiar with notification and disclosure obligations, a public relations firm, technical experts and security experts.
Step Three: Secure and monitor your data.
A client must think deeply about issues such as (1) IT protections surrounding the client’s data collection, use and storage; (2) the client’s policies and access points for its data; and (3) ways of improving the client’s incident detection capabilities.
Under a holistic approach, data security measures must also include taking steps to ensure that any individuals who have access to the client’s data are trained in data security best practices and understand how to recognize and respond to threats such as phishing attempts. While this step is more technical in nature, it is critical that lawyers approach these efforts with the big picture in mind and ensure that the client consults the right experts.
Step Four: Have a plan.
It is critical for clients to have a well-developed, tested, efficient breach response plan that, among other things, immediately mobilizes your client’s team to triage the breach, evaluate the extent of any exposure, begin preparing any necessary legal notices and manage internal and external messaging to maintain control of the situation.
It is critical that the client keep detailed records of the plan and any necessary documents such as insurance policies, systems information and regulations that will be required to execute the plan. It is equally important that the client practice and test its plan with some regularity.
Step Five: Have the right insurance.
Insurance can be one of your client’s most valuable assets in the event of a cyber-related event. Among other things, insurance may cover the cost of (1) investigating and remedying the technical causes of a data breach; (2) retaining legal counsel to respond to and defend against any investigations or demands arising out of the breach; (3) hiring public relations or crisis management firms to manage the client’s external messaging and response; and (4) resolving legal claims resulting from the breach. There are many types of insurance policies that may apply to a data breach.
In the Event of a Breach
Step One: Execute the plan.
In the event of a data breach, you must emphasize to your client and your client’s team the importance of trusting in the client’s plan (which, ideally, has been well-developed and tested) and executing it at a high level.
The proper legal response to a breach can dramatically mitigate the total response costs. In the event that your client disregarded our first few proposed steps and failed to plan for a breach, you as their counsel and trusted adviser should ensure that the right technical, legal and public relations personnel are immediately mobilized to respond to the situation.
Step Two: Get your insurers involved early and keep them involved.
Insurance policies often have strict notice provisions that require a corporate or individual policyholder to provide the insurer with notice of a claim or circumstances that may lead to a claim within a specific, limited time period. In certain jurisdictions, an insured’s failure to honor a sufficiently specific notice provision in its policy may bar coverage.
Because of this, even in the early stages of a data breach, when the extent of the client’s exposure may be unclear, it is important to have the client get its broker and insurance coverage counsel involved immediately. Data breaches often involve acts or events that occurred over an extended period of time but were only recently discovered.
Given the complexities of coverage, a policyholder must be careful to avoid characterizing the claim in a manner that takes the claim outside of coverage. Once your client’s insurers have been notified, the client should require each insurer to acknowledge its coverage obligations, and then the client should provide regular updates (as necessary) to the insurers on the status of the claim.
Step Three: Manage external response thoughtfully.
The client should be prepared to deliver any necessary notifications, both publicly and privately, and manage any external issues as they develop. It is important in these situations that the client team speak with one voice and present a unified, confident front.
James M. Davis is a partner in the insurance recovery practice in Perkins Coie’s Chicago and Seattle offices. Davis has more than 20 years of experience counseling corporate and individual policyholders on insurance issues coverage disputes, including coverage for data breaches, information privacy claims, first party property loss and claims under additional insured and vendor endorsements. He is a member of the American College of Coverage and Extracontractual Counsel.
Bradley H. Dlatt is an associate in the insurance recovery practice at Perkins Coie. Dlatt counsels corporate and individual policyholders on insurance issues and litigates insurance coverage disputes under most corporate insurance policy forms.
ABAJournal.com is accepting queries for original, thoughtful, nonpromotional articles and commentary by unpaid contributors to run in the Your Voice section. Details and submission guidelines are posted at “Your Submissions, Your Voice.”