“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” FBI Director Robert Mueller
For hackers, lawyers represent a high value target. Billions of dollars flow through Alberta lawyers’ trust accounts every year ($173B reported in 2018) and lawyers’ files contain extremely valuable personal and commercial information. Robert Mueller’s comments apply with force to the legal profession.
It is also said that the weakest link in any security system lies somewhere between the office chair and the keyboard. Innocent mistakes are among the most common reasons why law firms suffer security breaches.
All of this requires law firms to be diligent in how they handle and protect their data. You are the last line of defence in data protection.
What is a Privacy Breach?
A privacy breach occurs when there is unauthorized access to, or loss or disclosure of, personal information.
Some examples include losing a client file, being hacked or downloading malware, and forgetting a laptop in an airport lounge or coffee shop.
When a privacy breach occurs, you may have to notify the Office of the Information and Privacy Commissioner (OIPC) of Alberta and the Law Society of Alberta. Alert your insurance agent to gain access to any cyber coverage you may have purchased. You may also have to notify any affected parties – including clients, if it is their data that has been breached.
Breach Reporting – OIPC
The Personal Information Protection Act (PIPA) governs the collection, use and disclosure of personal information by law firms in Alberta.
Under PIPA, law firms must report any privacy breaches involving personal information to the OIPC. Although PIPA doesn’t contain specific timeframes, you must alert OIPC “without unreasonable delay”.
The threshold test is whether there has been any unauthorized access to, or loss or disclosure of, personal information that has a real risk of significant harm to individuals. This applies if even only a single individual is affected. The following factors apply:
- the number of individuals affected
- the type of personal information disclosed
- the extent of the loss or disclosure.
When notifying OIPC, you must include the following:
- A description of the circumstances of the breach,
- The date or time period when the breach occurred,
- A description of the personal information involved,
- An assessment of the risk of harm,
- The number of individuals facing a real risk of significant harm,
- Steps taken to reduce the risk of harm,
- Steps taken to notify individuals of the breach, and
- Contact information of someone who can answer any questions from OIPC.
Although law firms must notify the OIPC of any breach that meets the threshold test, there is no automatic requirement for you to notify those affected. The OIPC may require you to do so.
Failing to report a breach can result in serious consequences, including fines of up to $10,000 for individuals and up to $100,000 for organizations.
For more information and the forms required to report a breach, visit How to Report a Privacy Breach on the OIPC website.
Breach Reporting – Law Society
Data breaches can also trigger consequences under the Code of Conduct.
Although the Code does not explicitly require you to notify clients or the Law Society when you suffer a breach, it is important to consider the ethical implications of failing to do so.
You must advise the Law Society of any situation in which clients are likely to be materially prejudiced (Rules 7.1-1(f) and 7.1-3(f)) and notify ALIA of any circumstances that could give rise to a claim (Rule 7.7-2).
If you discover a material error or omission that may be damaging to a client, you should promptly inform the client of the error or omission, recommend that they obtain independent legal advice and let them know you may no longer be able to act for them (Rule 7.7-1).
You must not disclose a client’s or former client’s confidential information to their disadvantage (Rule 3.3-2). A privacy breach could involve unauthorized access to, or loss or disclosure of, personal information which could engage this rule.
Further, you have an obligation to preserve client property, which includes client correspondence and files (Rule 3.5-1).
If a privacy breach involves disclosure of a client’s financial information, that may put your client’s funds and your trust account at risk. Should this happen, you should inform the Trust Safety department as soon as possible.
If you are unsure whether a report should be made, contact one of the Practice Advisors at 1.866.440.4640 for confidential guidance.
Breach Reporting – Cyber Insurance
As soon as you suspect the theft, loss or unauthorized disclosure of or unauthorized access to personally identifiable data within your custody, care or control, notify your insurance agent.
If you previously bought cyber coverage, this early notification will allow your insurance provider to develop a roadmap to investigate the technical components of the breach, craft a suitable response plan, and get the right resources in place to identify the extent and scope of any data compromise.
Try to preserve all evidence and secure IT systems and ensure that there is an appropriate chain of custody established to respond to the breach.
PIPA requires all law firms to follow reasonable policies and practices in order to meet their obligations under PIPA.
It is important to also remember that firms can only collect, use or disclose personal information for reasonable purposes.
All law firms should take steps to implement reasonable practices to minimize the risk of a privacy breach. Examples include:
- Disabling email address auto-fill and enabling automatic delay of outgoing email. See Two Email Tips to Save You from Heartache for instructions on how to do this
- Implementing office policies related to file retention and privacy
- Training to ensure that staff are aware of your policies, such as ensuring doors to the building are locked overnight
- Ensuring that appropriate safeguards are in place such as security software and a filing system
- Conducting regular cyber security tests and exercises to help identify security risks in scenarios relevant to your firm
Always remember – you are the human firewall.
For more information, visit Law Firms and Security Strategies for Today’s World, Top 10 Ways to Secure Your Online World, Trust Shortage and Reporting and Computer/Network Security Checklist on the Law Society website.
By: Len Polsky, Manager Practice Management and Eleanor Platt, Student-at-Law