DBCI: Kim Brown and Josh Scorziello on Cyber Security in Delaware – What’s a Lawyer Gotta Do?
In the September 22, 2021 edition of the Delaware Business Court Insider, LRC attorneys Kim Brown and Josh Scorziello write on a lawyer’s ethical and legal obligations as it relates to Cyber Security.
By Kim Brown and Joshua Scorziello
Cyber Security in Delaware: What’s a Lawyer Gotta Do?
With data and other electronic security breaches on the rise and work from home being part of the new “normal,” there is no better time to make sure you are satisfying your ethical and legal obligations as a Delaware lawyer to protect your client’s confidential information.
So, what are those obligations?
The Delaware Lawyers’ Rules of Professional Conduct (the “Rules” or individually, a “Rule”) identify a Delaware attorney’s ethical obligations with regard to, among other things, the protection of a client’s electronic confidential information. Specifically, Rule 1.1 requires a lawyer to competently represent a client with the requisite legal knowledge, skill, thoroughness, and preparation. A lawyer must maintain competence in legal practices including the risks and benefits associated with the technology used in the representation of a client. A lawyer must competently preserve the client property and confidential information he or she has been entrusted with while using technology. To this end, lawyers may maintain competence through training or employing staff who are competent regarding the use of technology.
Rule 1.6(c) requires that a “lawyer shall make reasonable efforts to prevent unauthorized disclosure of, or access to, information relating to the representation of a client.” However, when reasonable steps are taken to preserve client information, no violation of Rule 1.6(c) occurs. Reasonableness factors considered under Rule 1.6 include, but are not limited to, the sensitivity of the client information, likelihood of unauthorized disclosure had safeguards not been in place, the cost of additional safeguards, and the difficulty of implementing such safeguards.
When transmitting data that includes confidential client information, a lawyer must take reasonable steps to prevent inadvertent disclosures to unintended recipients. However, if the method of communication provides a reasonable expectation of privacy, then no special security measures are necessary. Factors considered in determining whether there is a reasonable expectation of privacy include the sensitivity of the data or information transmitted and the extent to which the transmission is protected by law or a confidentiality agreement.
Under Rule 5.3, the ethical duties related to the protection of confidential client information under the Rules are imputed to nonlawyer professionals employed, retained or associated with a lawyer. In other words, a lawyer with managerial authority over law firm staff and nonlawyers outside the firm who work on firm matters has a duty to ensure such individuals are compliant with the Rules – in this case, that they are competent regarding the use of technology and taking the appropriate actions to safeguard confidential client information and communications.
Rule 1.4 requires a lawyer to keep the client informed about the status of a matter including significant developments affecting the timing or the substance of the representation. Under this requirement, a lawyer has a duty to inform his or her client of any unauthorized or inadvertent disclosure of information relating to the representation or material breaches of confidential client information.
In 2018, the Delaware Attorney General’s Office amended the Delaware security breach notification law through Title 6 § 12B-101 et seq. of the Delaware Code (the “Delaware Notice Laws”). The amended Delaware Notice Laws require any person or entity that conducts business in Delaware and owns, licenses or maintains personal information to provide notice to the person whose information was compromised in the event of a data security breach. A breach of security means the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of [a client’s] personal information.” No breach of security occurs if the data in question is encrypted unless the information accessed by an unauthorized party includes, or is reasonably believed to include, the encryption key which could render the personal information readable or useable.
In Delaware, “personal information” generally consists of a Delaware resident’s name in combination with any one of the following: a social security number[1]; driver’s license number or identification number; account, credit or debit card number; passport number; username or email address with the corresponding password[2]; any medical history; health insurance policy number; biometric data; or taxpayer identification number. Information that is easily accessible by the general public or widely disseminated by the media or social media does not qualify as personal information under this definition. For example, one’s name appearing on public documents related to a civil court proceeding is not “personal information.” By contrast, a copy of a client’s driver’s license that is not already in the public domain would constitute “personal information” that must be safeguarded under Delaware law.
In the event of a security breach, a business (which would include a law firm) must provide notice to and cooperate with any Delaware resident whose personal information was breached. Notice of the security breach must be given to the affected resident without unreasonable delay but not later than sixty (60) days. If a business has a widespread breach with more than five hundred (500) Delaware residents affected, the business must provide notice to both the Delaware residents and the Delaware Attorney General’s Office.
The Delaware Attorney General’s Office offers sample notice forms for individual notices and notice to the Attorney General’s Office in the event of a data security breach.[3] These notice forms contain information relating to the breach including, but not limited to, a description of the incident, nature of information compromised and best practices to mitigate future breaches.
How can you mitigate the risk of confidential information falling into the wrong hands?
In 2014, the Delaware Supreme Court Commission on Law and Technology released a directive regarding data security principles.[4] The directive explained that a client’s confidential information in a lawyer’s representation creates the risk that such information may fall into the wrong hands. Thus, under the Rules, it is a lawyer’s duty to mitigate data breach risk.
As explained above, lawyers, law firm staff and third parties who work on law firm matters are governed by the Rules which impose duties to take “reasonable measures” to protect confidential client information. While there are many options in implementing protective measures, two general principles govern data security: (1) implementation of a data security plan (“Data Security Plan”) and (2) development of a cyber incident response plan (“Cyber Incident Response Plan”).
The purpose of a Data Security Plan is for a firm to assess its current risk and implement measures to manage and reduce such risk. A Data Security Plan should be proportionate regarding the size and complexities of a law firm in relation to the frequency with which the firm deals in confidential client information. Additionally, Data Security Plans should identify all risks including computer networks, electronic devices, cloud computing, and third-party services to take appropriate reasonable protective measures.
While there are many accepted ways to manage cyber security risk, the Delaware Supreme Court Commission on Law and Technology recommends, among other things, that a Data Security Plan include the following action items:
- conducting a risk assessment that includes identifying data to be protected, as well as likely threats and vulnerabilities relating to that data,
- evaluating the likely impact to the lawyer, the legal organization, clients, and others if the identified threats materialize,
- implementing security safeguards and user training to protect against identified threats,
- monitoring the use and effectiveness of selected security safeguards,
- preparing a Cyber Incident Response Plan for data breaches and other cyber events, and
- making appropriate adjustments in response to changes in the above factors.
Once a Data Security Plan is implemented, law firms should create a separate Cyber Incident Response Plan to outline procedures in preparation for future threats and incidents. In the event of a cyber security breach, courts will look to a law firm’s Data Security Plan and Cyber Incident Response Plan to determine whether reasonable measures were in place to prevent a breach.
There are many different defensive measures a firm can adopt. Cyber Incident Response Plans should be memorialized in writing and readily available to all employees. Each employee should be trained on the various incident thresholds so they may appropriately comply with notification obligations and duties based on the threat presented. Such threshold training will also allow employees to identify and report cyber security incidents as they arise.
A Cyber Incident Response Plan should, among other things, identify a designated cyber-event coordinator or team that is proportional to the size and needs of the law firm. Each cyber event team member should have a clear understanding of their role and responsibilities. This person or team should remain current on the obligations and procedures mandated by applicable law regarding a cyber security breach. Any updates on procedures or change in laws should be shared firm-wide in future trainings. Additionally, the person or team should develop an event notification and subsequent communications plan after a cyber security breach has occurred.
While the Delaware Notice Laws are not specifically referenced by the Rules, Rule 1.6 cmt. 19 instructs that lawyers may be required to “take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information.” As such, even though Delaware law firms are not required to create a Data Security Plan or a Cyber Incident Response Plan, best practices suggest that these plans should be implemented as such procedures are strong evidence of reasonable measures taken to protect a client’s confidential information as required throughout the Rules and Delaware Notice Laws.
[1] Additionally, in the event that an individual’s social security number is compromised, the person or entity must offer each affected individual free credit monitoring service for one year. Del. Code Ann. Tit. 6 § 12B-102(b) (2018).
[2] Note, in the event that an individual’s email and password are compromised and notice cannot be given via email, the person or entity may provide notice to the affected individual via mail at the address listed on the IP address. Del. Code Ann. Tit. 6 § 12B-102(b) (2018).
[3] To view or obtain these notice forms, visit: https://attorneygeneral.delaware.gov/fraud/cpu/securitybreachnotification/
[4] General Principles of Data Security Planning, Delaware Supreme Court Commission on Law and Technology, Jun. 20, 2014 (https://courts.delaware.gov/declt/blogspot/datasecuritygeneralprinciples.aspx).
Reprinted with permission from the September 22, 2021 issue of the Delaware Business Court Insider. © 2021 ALM Media Properties. Further duplication without permission is prohibited.