What Every Attorney Needs to Know About Cybersecurity and Data Privacy
Attorneys in firms of all sizes – from solo practitioners to lawyers are multinational Big Law firms - face a number of ethical issues relating to cybersecurity, and preserving the confidentiality and security of their clients’ data. Contrary to what some lawyers may believe, law firms are often a valuable target for hackers because they can hold vast collections of sensitive and highly valuable client-related data. These cybersecurity threats come from individual hackers, international cybercriminals, and even a firm’s own attorneys and other employees. This program provides a basic primer on attorneys’ ethical obligations to understand and address the cybersecurity risks they face, and provides practical advice for attorneys in addressing issues that arise will undoubtedly arise in their legal practice.
Michael Riela: Hello everyone. And thank you for joining me today for this one-hour presentation about what attorneys need to know about data privacy and cybersecurity. My name is Michael Riela. I am a partner at the law firm of Tannenbaum Helpern Syracuse & Hirschtritt in New York City, where I focus among other things on data privacy and cybersecurity law.
The reason for this program is that attorneys in firms of all sizes, from solo practitioners, to lawyers in big law firms, as well as in-house counsel face a number of ethical and other issues relating to cybersecurity, particularly in these days of data being breached and hackers running wild with the data that does get breached.
It's very important for companies, law firms, lawyers to preserve the confidentiality and the security of their client's data. Companies and even law firms themselves are often valuable targets for hackers because they can hold vast collections of sensitive and highly valuable data such as IP data, non-public information relating to public companies, and other types of data.
There are security threats that come from all different sorts of places, including individual hackers and international cyber criminals, the types of bad actors that get a lot of press. But it's not just the outside world that companies and lawyers need to be concerned about. There's also a company's own employees that could internally breach data, either maliciously or negligently.
First, in connection with figuring out how lawyers should keep their clients and their companies and firms secure as reasonably possible, it first helps to understand what types of data needs to remain secure. There are data privacy laws and cybersecurity regulations that protect certain types of data. In addition, your company or your firm may have contractual obligations to keep other types of data secure, even if that type of information is not protected by laws or regulations.
As a lawyer, you'll have clients who share all types of data with you, whether it be protected data under law or data that the client itself needs to keep confidential from others.
First, let's dive into what types of information, what types of data needs to be protected. And the first area that I'll talk about is personally identifiable information, also known as PII or personal data. This type of data is very sensitive and is protected under law because that type of information could be used by a third party to commit identity theft.
And this type of personal identifiable information under normal or most state data breached notification statutes would be any information that would include social security numbers, driver's license numbers, or other governmental information identification card numbers, bank account or credit card numbers together with security code or some sort of access code to allow somebody access to a financial account. Debit card numbers, credit card numbers themselves, if circumstances exist where that number could be used to access the individual's targets bank account or credit card information.
There's also types of information called biometric information that under a number of state statutes these days are protected as well. Biometric information could be things such as fingerprints, voice prints, retinas, iris images, and the like, the type of information about an individual that they can't change themselves is part of their body. But given the way technology has evolved, that type of information about people can be used to identify them, such as on your phones and your computer these days, facial recognition technology can be used to authenticate your identity so that you can get into your iPhone or your Samsung for instance or your computer. That type of information is obviously very ... it's very important to keep private to the extent that that's possible.
There are specific state laws that go even further than that, and one in particular is called the California Consumer Protection Act or CCPA, which governs companies and individuals that businesses that collect the personal information of residents of the state of California. And that statute goes even further in defining what type of personal information gets protected.
So it's not just simply your driver's license number, your social security numbers and financial account information, but things like geolocation data, IP addresses, internet protocol addresses, audio, electronic, visual, thermal, olfactory and similar information, olfactory being how one smells, professional or employment related information and education information is also protected under the California law.
So it's important for lawyers who advise clients across state lines who do business in different jurisdictions, you'll need to know what types of personal information are protected by each state or territory where your client or law firm does business. Outside of the United States, in the European Economic Area, there is a different privacy law called the General Data Protection Regulation or GDPR, which also has a very broad definition of their term personal data. The GDPR defines personal data as any information relating to an identified or identifiable natural person who can be identified by information such as a name, identification number, location data, online identifiers, physiological, genetic, mental, economic, cultural, or social identity information.
So that is another statute that has a very, very broad definition of personal data that needs to be protected under the law. Particularly if you have clients that deal with customers in Europe, they should be aware of the GDPR and what types of information are protected under that statute. Now, the actual terms of the GDPR and the CCPA, what technically needs to be done to comply with those laws is outside the scope of this presentation. But I talk about it just to give you a flavor of what type of personal information, what kind of data is generally protected under various laws and regulations.
Now in the US, coming back to the US, there are also other types of data, personal information that is protected under US federal law. And in particular, one of those is health-related information under the Health Insurance Portability and Accountability Act also known as HIPAA. There is a privacy rule that governs covered entities such as doctor's offices, hospitals, insurance companies, that address the use and disclosure of individual's health information. Those entities that are covered by the privacy rule need to make sure that individual's health information is properly protected. And the privacy rule is really there to protect individual's personal health information, but also keep it reasonably accessible to healthcare professionals, insurance companies, and other covered entities that really do need to know your personal health information.
In addition to health information, there is a US law that governs the use and sharing of financial information that is called the Gramm-Leach-Bliley Act of 1999, which requires financial institutions to explain how they share and protect their customers' private information. In order to become compliant with the Gramm-Leach-Bliley Act, financial institutions must communicate to their customers how they share their customers' sensitive financial data, inform their customers of their rights to opt out if they wish to opt out of having certain types of financial information shared with third parties, and to apply specific protections to customers' private data in accordance with a written information security program that the financial institution must create.
So for companies and clients of yours in the healthcare and the financial services industry spaces in particular, you'll also need to make sure that the client complies with HIPAA or the Gramm-Leach-Bliley Act and the regulations under those.
There's other types of information that you will have an obligation to keep confidential and secure, even if they're not governed or protected by laws and regulations. These are things like your clients' or your company's trade secrets, types of information that no company will want to have disseminated to the entire world, particularly to companies who compete with them. The last thing that Coca-Cola wants is to have their secret formula disclosed to everybody, including to Pepsi and others, and vice-versa.
Beyond trade secrets, there's going to be other types of information that a client or a company will need to maintain confidential. This would include any types of information that the client has contractually agreed with a third party to keep confidential. There could be nondisclosure agreements that your law firm or your company client may be party to. And you'll have to make sure, again, not as a legal or regulatory matter, but more of as a contractual matter to keep that information as secure as possible, because you would not want to have your client in breach of their contractual obligations.
Now that we've talked about what types of information needs to be protected generally, let's talk about common causes of security breaches. First, the thing that comes to most people's minds are the outside hackers, the individuals or groups of criminals, nation states that try to get into a company's or others computer systems in order to do harm. And this really has been on the rise over the last several years. I'm sure many of you have read in newspapers and magazines and other sources of information that companies really and governments are really suffering from these types of outside attacks. And indeed, Forbes magazine has said that malware has increased by 358% overall over the last year, and ransomware, which is a different type of malware which we'll talk about a little bit, has increased by over 435%. This is 2020 numbers over 2019.
So these types of issues are very much on the rise. And there does not seem to be any abatement anytime soon. But although outside hackers probably get the most press, most data security breaches come from internally, a company's own employees or independent contractors, either acting maliciously or negligently. You can have one's own employees acting maliciously. For instance, if an employee decides to leave your company to join another company, a competitor, and decides to take your company's confidential information with them, client records with them, maybe to help the competitor get an advantage over your company. You may have other employees who are disenchanted with your company for one reason or another, and may decide to publicize information that your company holds, confidential information that your company holds, disclose that to the public in order to carry out some sort of vendetta one way or the other.
Another way that employees or independent contractors can be a source of data breaches is if they act negligently. I'm sure many of you get emails from unknown persons or those that pretend to be somebody else inviting you to click on a link to open up a website or open up a document where in fact those links, all they do is install malware, ransomware, or some other sort of virus into the computer system.
Another way that employees can act negligently, beyond just clicking on a link that they should not have done so is they may be responding to emails that purport to come from somebody that the employee knows. This is much more prevalent these days. For example, an employee could get an email that purports to be from the Chief Financial Officer of the company, asking the employee to wire money out of the company's account to a third party account where in fact the CFO sent no such email, or certainly did not intend for funds to be wired to a third party, but somebody else got the CFO's credentials or was able to spoof the CFO's email address and tricked an employee into wiring money somewhere else.
Another way that employees could act negligently, they lose their own laptops, company issued laptops, iPhones, or thumb drives that contain confidential or personally identifiable information, particularly if those devices are not encrypted. Anybody can find that lost device on the street or in a taxi cab or on a bus, and then be able to access confidential information that way.
I talked a little bit before about what malware or ransomware is. And maybe it makes sense to talk a little bit more about what that is. Malware is a type of computer application that could perform a variety of malicious tasks within a computer system. It may give third parties access to a network, for instance, allowing unknown or unauthorized third parties to obtain data that is stored on a computer system.
There's also something called ransomware, which is a form of malware, which basically would encrypt the files, the computer files of the victim. And the only way that a victim would be able to get those files back would be to pay a ransom, usually in Bitcoin or gift certificates to the individual that loaded the ransomware onto the system. It's basically a way for criminals to make money.
Another type of way that malicious third parties or insiders could get access to a computer system is sending a link. As I mentioned before that's called a phishing scam, P-H-I-S-H-I-N-G. You're basically trying trick somebody into doing something that would allow the malicious actor to gain access to a computer system. If clicked, the link would load malicious software, computer code into the system, and will usually either allow somebody access to the computer system that shouldn't have it, or may download malware.
Business email compromises. I gave you the example of the CFO that purported to send an email now to an employee telling them to wire money out of a company account to a third party. That's a situation where a specific individual will be the target of that email. And usually, these types of attacks can be done because somebody has either infiltrated the computer system already and knows who has the authority to do the types of transactions that the third party, the malicious actor wants them to do, or they'll know a little bit about the company, either through social media, through online, or again, through having gone into the system.
These are all types of attacks that can be made and things that all companies and lawyers should be aware of. Now, it may occur to some lawyers, law firms, would I be as a law firm, really be all that valuable of a target? Certainly, the law firm has money and could have funds diverted from them. But cyber criminals also find lawyers and law firms to be valuable targets, mainly because they have access to confidential or what I call market moving data from their clients. And that confidential information could certainly be useful to a third party. There could be intellectual property information, patents type information that could be of use to a competitor of a law firm's clients. There could be information about wealthy or famous client that could be of interest to people. One example of that is the so-called Panama Papers, which some of you may have heard about.
This was a leak of millions of files about five years ago from the database of a Panamanian law firm called Mossack Fonseca. And turns out that those files showed that wealthy, famous individuals used shell corporations and other methodologies to try to avoid taxes in countries such as the United States, where people were trying to avoid taxes from. That situation happened because somebody got access to the documents from the law firm. The law firm was not the source of revenue or money that hackers were getting, but they were trying to get confidential information that the law firm happened to have. And as a result of this widely publicized hack, the law firm shut down its operations two years later because of the blow back from that data breach.
So it's very important for law firm's lawyers to know that they are going to be a target, potential target for cyber criminals. It's not a matter of, "Look, I'm just a lawyer. I'm not interesting to people." You are interesting to people for those types of reasons.
Another thing that should also be kept in mind, I've been talking a lot about keeping computer systems secure. But data privacy and data security also includes maintaining the security of paper documents. And these days, most things are kept electronically, but still a lot of information is kept on paper as well. And it's important to keep paper that includes sensitive or confidential information locked up somewhere in a file cabinet or a locked drawer, a safe, what have you. You certainly do not want to have papers that have confidential information, proprietary information just out on a desk somewhere, or in common areas, or anybody who passes by may have access.
You'll also want to make sure that any office space that you have where you keep such papers and computer systems are kept secure as well and locked, so that just not anybody can have access to that area. So is very important to also keep paper documents secure, just like your computer systems secure.
Now, I alluded a little bit earlier to the types of duties that lawyers have, whether it be contractual, whether it be kind of client relationships. But it goes further than that. There are affirmative ethical duties that companies, I'm sorry, that lawyers have that relates to cybersecurity. And to the extent that you are in breach of those ethical obligations, you can end up being in trouble with your state bar. And there are four key rules that I want to talk about in a little bit of detail.
Now, keep in mind here, what we're talking about here are the American Bar Association model rules. And each state has its own rules of professional conduct or professional discipline, some of which, many of which derive from these ABA model rules. But please be aware that as I'm talking about these model rules, you'll need to make sure that you are aware of the rules that apply in the state or states where you practice. But again, given that these are ... what I'll be talking about here are model rules that are designed to guide states in setting forth their own rules, I think these are going to be useful for every attorney to know about.
The first model rule I want to talk about is ABA model rule 1.1, which deals with competence. It provides a lawyer shall provide competent representation to a client, which requires a legal knowledge, skill, thoroughness, and preparation that's reasonably necessary for the representation. Now, within the rule itself, it doesn't say anything about data security or cybersecurity, but there's a comment to that rule, 1.1. It's comment number eight. And it says there that in order to maintain the requisite knowledge and skill, lawyers must keep abreast of changes in the law or its practice and its practice, including the benefits and risks associated with relevant technology.
So there, within that comment, in order to have the knowledge and skill to undertake a representation, you also have to be knowledgeable about the benefits and risk of the technology that you use. And that's not necessarily just email, but also file sharing applications that may be used and things along those lines. So you cannot stick your head in the sand as a lawyer and say, "Look, I'm not an information technology person. I don't know anything about this. I don't have to know anything about this." In fact, you have an affirmative obligation to know about these things in order to retain or to be competent so to speak.
Another model rule that I'll talk about here is model rule 1.6, dealing with confidentiality. And what that says is that a lawyer shall not reveal information relating to the representation of a client unless a client gives informed consent and that the ... or the disclosure is impliedly authorized to carry out the representation. It goes further to say rule 1.6 in subsection C, that a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to information relating to the representation of the client.
So you have to have reasonable security efforts to maintain the confidentiality of information. And there are usually a number of factors that you'll have to take into account in determining what types of security arrangement you ought to have, what types of safeguards you ought to have. But it is certainly not enough to say, "Look, I'm not in charge of determining safeguards here." You need to keep the information reasonably secure and confidential. And if you do not, then you may be in violation of rule 1.6.
So when you put the confidence and the confidentiality requirements together, I think really what it comes down to is if the attorney is not competent to decide whether or not the use a particular technology such as cloud storage or public Wi-Fi or anything along those lines, allows reasonable measures to protect confidentiality, you need to get help. And that may be hiring somebody who knows about information technology. Whether you hire them directly or whether you contract with an outside part, IT services provider, for instance, that could help you configure computer system that is reasonably secure, you need to do that. You need to be advised about how best to keep that information confidential.
Now, there are a couple other rules that I'll talk about as well, but confidentiality and confidence are really the big ones. Hopefully, you're not going to be in this situation, but unfortunately with respect to data breaches, it's really not a question of if, but when. There's another rule, model rule 1.4(B) that deals with a duty to inform a client. And that provides that a lawyer must explain a matter to a client to the extent reasonably necessary to permit the client to make informed decisions regarding the representation. That includes informing a client if a data breach relating to their information occurs. The client themselves may need to comply with data privacy, industry regulations, the types of things I discussed a little bit earlier.
If a client has given you sensitive information, protected information, and that information was unauthorizedly disclosed because of something you did, you're going to need to tell your client what happened so that the client can protect themselves and do what they need to do under the law. Because as a general matter, information that clients give to you is going to be the client that has obligations to provide perhaps notifications or otherwise comply with laws. And if you sweep under the rug some sort of data breach that you suffered, your client could end up being in trouble. So you yourself would end up being in even more trouble than if you do what you were supposed to do and make the necessary disclosures to your client.
And the last ethical obligation that I'll talk about here is the duty to supervise junior attorneys and staff. And these are ABA model rules 5.1 and 5.3. 5.1 says that a partner in a law firm and a lawyer who individually or together with other lawyers possesses managerial authority in a law firm, must take reasonable steps to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the rules of professional conduct. So because lawyers themselves have obligations of confidentiality, of confidence, the law firm itself must make sure that there are efforts being put in place to make sure that the firm can also comply with those things, with those rules.
There's rule 5.3 also dealing with the obligation to supervise non-lawyer staff, such as paralegals, legal assistants and the like. And the law firm there must make sure that it has in effect measures to give reasonable assurance that paralegals and other non-attorney staff are complying with the professional obligations of the lawyer as well.
Now, given the persistence of insider and outsider threats and the obligations, the ethical obligations that attorneys have, it's important to make sure that your firms or company's employees are trained to recognize a potential attack such as phishing or business email compromise attacks. Again, because the employees are going to be on the front lines, and all it takes is one mistake, one slip up, and you could have a data breach. You want to make sure that your employees know what to do if they receive a suspicious email or a suspicious request. And two things that always should be done are: a suspicious email, that should be reported to the information technology person or whoever you have at your firm or company who's in charge of dealing with those issues so that it could be addressed promptly.
To the extent that you get or one of your employees gets an email that purports to be from somebody or a message that purports to be somebody, don't just follow that message if it looks suspicious. And certainly, don't reply directly to the email, because it would go to the third party attacker, as opposed to the person who you think sent the email. Always good to pick up the phone and call the person. Almost invariably, the email's going to say, the suspicious email's going to say, "I'm busy and I can't talk right now." That is a ploy to have the person not pick up the phone. Always good to have the person pick up the phone and call a person from who the email was purportedly from and say, "Hey, did you really send that email?" It could solve a lot of potential headaches later.
Now I'd like to turn to security measures that companies and law firms should have in place. And as an illustrative example, I'll talk about the requirements under New York state's so-called SHIELD Act, S-H-I-E-L-D, which stands for Stop Hacks and Improve Electronic Data Security Act, which was implemented early last year, early 2020.
What the SHIELD Act provides is that any business that has the private information of New York state's residents, regardless of whether the business has any physical presence within New York state in the first place needs to have a written information security or data security program in place. This is a written policy or program that deals with the measures that the company is going to take to ensure, or at least maximize the potential that personal information remains secure.
Now, what the SHIELD Act requires is that companies in these data security programs contain technical, physical, and administrative safeguards. So three different things, technical, administrative, and physical safeguards. The technical safeguards that need to be dealt with are assessing risks in the network and software design of the company's computer systems, assessing risks in information processing, transmission and storage, detecting, preventing, and responding to attacks or system failures, and regularly testing and monitoring the effectiveness of key control systems and procedures.
The administrative security measures that the data security program needs to implement or have in place are designating employees to coordinate the security program. So you need to have somebody whose job it is, whose responsibility it is to maintain and coordinate the security program. It needs to reasonably ... I'm sorry, identify reasonably foreseeable internal and external risks to the company. It needs to assess the sufficiency of safeguards in place and identified risk control in place. It needs to make sure that the company selects service providers, third party vendors who are capable of maintaining appropriate safeguards, such to the extent that your company provides personal information to third parties, vendors in connection with the work that they're doing for you. You need to make sure those third party vendors also have appropriate safeguards in place. And you need to be able to adjust the security program in light of business changes or new circumstances.
Another thing that the physical safety, I'm sorry, the physical security measures that need to be in place include assessments of risks of information storage and disposal. And this would be both for computerized data and paper data. You need to detect, prevent, and respond to physical intrusions onto the property, and need to protect against unauthorized access or use of private information during the collection, transportation, or destruction of the data.
So again, this is a document that needs to be in place. And to the extent that any business has personal information of New York state residents, there is a similar type of obligation in Massachusetts that's been around for at least over 10 years now, similar to the New York state obligation.
Under the New York state SHIELD Act, there are certain exclusions of businesses that need to follow Gramm-Leach-Bliley, or HIPAA, or the New York state Department of Financial Services cybersecurity requirements do not need to have a special data security program in place under the SHIELD Act because they already have that obligation under those other acts. For instance, financial institutions already need to have written information security program under the GLB Act. Same thing for covered entities for healthcare under HIPAA. So just because there are exclusions from the New York SHIELD, that doesn't mean that these companies don't need to have one in place. In fact, there are exclusions because these types of companies already needed to have an information security program in place.
Now, under the SHIELD Act, a business that fails to comply with the SHIELD Act requirements can be fined by the New York state attorney general. And the New York state attorney general can also bring a civil action to seek injunctions against any further violations of the SHIELD Act. So this is a very important and very serious law to take into account, particularly given the current environment of data breaches and the focus that law enforcement and attorneys general are going to have with respect to the repercussions of data breach incidents. So definitely a good idea to have a written security program or data security program in place.
As a practical matter, what should a good written information security program data security program do? There are a number of things. One, it should designate an employee to maintain the program, have somebody in charge of maintaining and coordinating and changing the program as necessary.
You need to identify reasonably foreseeable internal and external risks to the securities, confidentiality, and integrity of both electronic and paper documents that contain personal information. You need to do an assessment of the likelihood and potential damage that could happen if you suffer a data breach, or if any of the internal/external risks that you identified actually occur. You'll want to identify and evaluate the sufficiency of the company's existing policies and procedures, and make sure that those existing policies and safeguards are good enough and that they are actually in place to control the specified risks.
You'll want to prevent terminated employees from accessing the company's information and their database going forward. If you ask somebody to leave the company, or if an employee voluntarily quits, they should no longer have access to your company's information.
You want to make sure that you provide for the oversight of third party vendors and service providers, to whom you provide personally identifiable information or other confidential information. And you want to make sure that this security program is consistently updated and tested. You don't want to have a program that's written, and then you put up on a shelf and it just gathers dust, never to be seen again. This is a program that needs to be a living document. And somebody needs to be in charge of making sure that is updated and modified as needed.
So now separate and apart from information security programs that we've just discussed, there are other types of documentation that companies should have available and prepared already to deal with potential risks and breaches of data security. One such other additional document is called an Incident Response Plan or an IRP. Now these are different from the information security programs that we talked about.
An Incident Response Plan, IRP, is a document that ensures that in the event of a data security breach, the right personnel and procedures are in place to effectively deal with that breach or potential breach. Having an Incident Response Plan in place will help ensure that there's a structured investigation into the breach and that all appropriate remedial measures are taken to deal with the threat.
Now, an Incident Response Plan is not just simply something that an IT professional should have sole authority and control over. There certainly are many technical aspects that need to be dealt with in an Incident Response Plan, but there are others such as senior management, lawyers, legal department, either inside or outside, human resources. There's also going to be public relations or client relations people that should have a part in and help prepare the Incident Response Plan because a well-drafted Incident Response Plan is going to be a holistic plan to deal with what everybody needs to do in case something happens.
Let's talk a little bit about what would be included within a good Incident Response Plan. Well, first of all, what it needs to do, it needs to identify the members of the incident response team and what their responsibilities are. You want to call out people by name, as well as what their role in the organization is.
As an aside, it's going to be important, just like for the written information security programs, to make sure that the Incident Response Plan is consistently updated. I've dealt with many Incident Response Plans of clients. Once something happens, the plan would call for somebody in particular, a specific person to be notified. It ends up that particular person left the company years ago. So you'll want to make sure that the people who are named in the Incident Response Plan that's updated so that you're dealing with the current people who need to be contacted. And you want to have their contact information there, both daytime and nighttime as needed, so that that person can be contacted, those people can be contacted because a lot of data breaches are uncovered outside of business hours.
What you also want to do as part of a good Incident Response Plan is identify any third parties who are going to assist with the incident response. And that could include outside information technology providers who may help with remediation of any breach of the computer system, outside counsel who will help lead the incident response overall. And by the way, having an attorney handling the incident response, or at least overseeing the incident response is going to be critical because that would maximize the chances that any communications would fall within the attorney client privilege. That's going to be important if there are any regulatory actions or litigation that comes out of a data breach.
Now, not everything that touches an attorney or that an attorney sees or writes would be privileged, but having the attorney there will at least increase the chances that at least legal advice that the attorney provides would be privileged in connection with the incident response.
The plan should also talk about what and who will be dealing with investigating the problem and remediating the problem. Again, that's generally going to be from a technological standpoint. If somebody gets access to a computer system, figure out whether that bad actor is still there, what information has been exfiltrated, if anything, you'll want to make sure that the appropriate people are investigating and remediating the problem.
You'll also want to make sure that any additional data loss gets stopped. You don't want to have an incurrence of additional data being exfiltrated once you figure out that the breach has already occurred. To the extent that the company has cyber insurance, or potentially has other types of insurance that could cover the incident at issue here, you may want to notify that carrier sooner rather than later, so that you can maximize the chances of getting insurance coverage for any losses that your company suffers because of this incident.
You'll also want to consider whether contacting law enforcement is necessary or required under data breach notification laws. And there's one such law in each of the 50 states and US territories. You may need to provide written notice to individuals whose data was affected by the breach. And you may also need to provide notice to state attorney general, state police and other law enforcement personnel.
You may also want to contact a local police to the extent that there was valuable information that was stolen. You also want to deal with mitigation and recovery. And that's going to be part of the overall process of making sure that any additional data loss gets stopped. You want to recover the system.
You'll also want to think about what types of communications need to go out over and above the required notifications under data breach notification loss. If clients' information was taken, if you're a law firm and clients' information was taken, you may need to, and very well may need to, as I discussed before, notify the affected clients, and you'll have to do that. But you may also want to have some sort of communication going out to clients whose information was not affected.
The last thing you want to have is to have data breach of your company or your firm publicized by somebody other than you. You usually want to be the first person to tell people about something that you suffered, because at least then you can provide as much information as you possibly can. And you could forestall any sort of rumor mongering or any inaccurate information that may be disseminated from news media or other parties.
I would say in closing here that there are a number of things that if you are a lawyer. So if you are called on to help a client remediate a data breach, or even if you're not the breach response attorney, you may be either in house, or you may be kind of the outside counsel that a business would trust to deal with just general business matters. If you get a phone call and your client says that they suffered a data breach, some of the things you'll want to tell them is they should activate their Incident Response Plan. And that means notifying and engaging their Incident Response team. Again, the attorney to direct the response. As I mentioned before, the attorney client privilege is going to be necessary here.
If you are not the attorney that's in the right position to do so, you should maybe be in a position to refer the client to another attorney who can help direct the response who knows about cybersecurity and data privacy law.
You'll want to make sure that the client identifies the nature and the scale of the breach. And to determine what systems may have been compromised or are at risk, they'll need to take immediate action to stop the source of the breach. And that's more of a technological issue.
You'll want to make sure that they notify key internal personnel, such as the board of directors or key executives of the company. You'll want to make sure that the client is thinking about if they have cyber insurance that they are going to notify their carrier for the reasons I mentioned before. To the extent that the carrier is not notified, or if there's a substantial delay in notifying the carrier, the carrier may use that as a basis or consider that a basis to deny coverage, which would be obviously not a good outcome for the client.
I should also tell the client they should notify or identify at least at this point, regulators that may need to be notified if they are in regulated industries. There may be an oversight regulatory authority that they will need to report to, or the very least they'll need to comply with the data breach notification laws of the various states in which they do business if personal information will was exfiltrated.
And this could be a big issue for companies that operate across state borders, because it's not just a matter of complying with the data breach notification law that your company is incorporated in, or has its headquarters in. If it has the personal identifiable information of people in all 50 states, they're going to need to look into all 50 states laws. And that could obviously be quite a challenging task. And there are some resources out there that at least will give you a summary of what the data breach notification laws are in each state.
The only thing that I would warn though, is that this is an area of law that is changing quite rapidly and changing more to be more restrictive and provide more obligations to companies. So you're not going to necessarily want to take a look at a summary of data breach notification laws from even just a couple of years ago, because they very well may have been amended. In the meantime, you may have more obligations currently than you already ... than you think you may have based an old provisions of the law.
You also want to tell your client to consider notifying law enforcement. And this particularly, maybe the case, if the breach at issue results in monetary losses. You also want to notify the banks to see if there's any chance, let's say for instance, one of the employees wires money out of the company, because they thought they were being instructed to do so. But in fact, that instruction came from a hacker. That money likely will be gone quite quickly because the money will be wired offshore very, very quickly. There may be a possibility that the bank may be able to freeze that transaction, but that can only happen if the bank is notified sooner rather than later. And to the extent that the Federal Bureau of Investigation may be of assistance, that could be something that should be looked into as well.
So this has just been a general overview of what attorney's ethical and contractual obligations are to keep sensitive data secure and keep it private and also a couple of things that lawyers should be thinking about when advising their own clients about their own obligations to keep information secure. So having an Incident Response Plan, having an information security program. I hope this hour has been helpful to you. If you have any questions, or if you'd like to discuss any issues arising from the topic here, please feel free to give me a call. I'm always happy to respond to questions. Thank you very much for your time today and enjoy the rest of your day.