data security

The Connecticut Law Tribune published my piece this week about the risk law firms, including small ones, face from data breaches:

In recent months, corporate America has been shaken by several headline-grabbing data breaches.

Retailer Target's first quarter profits were down 16 percent after credit card and personal information of millions of its customers was stolen. Daily-deal website LivingSocial was hacked with more than 50 million users impacted. Last week, hackers gained access to the personal data of 145 million of online eBay's customers.

Lawyers are among the specialists called in to help with these security crises. But data breach risk doesn't belong to clients alone. Law firms of all sizes risk having client data and other sensitive materials exposed, legal and technical experts say.

In Massachusetts, state officials felt so strongly about the threat to law firms that they've planned a seminar for May 29. In an email pitching the program to the state's lawyers says: "Hackers are now targeting small law firms because of the wealth of info in client files that can be used for identity theft – in family law, estate planning, real estate, elder law and other matters. And Mass. law requires you to notify clients of a data breach – do you really want to have to do that?"

Anthony Minchella says Connecticut lawyers shouldn't feel any more comfortable.

The owner of Minchella & Associates in Middlebury and the vice-chair of the Connecticut Bar Association's small firm practice management section, said in an email that "small firms or solos sometimes feel safe from cybersecurity threats, but that is completely false. No business is safe. Practices that obtain sensitive information, such as credit card numbers, often have the entire package of information a cyber-thief would need to steal an identity."

Monique Ferraro, a general practitioner in Waterbury who also runs a forensic technology business and lectures on IT security, said data breaches can be as simple as the loss of a lawyer's laptop or smartphone that isn't protected by a password. "I see a lot of lawyers who are not securing their data appropriately," Ferraro said.

Connecticut has put businesses of all types on notice that they have to take safeguards to prevent data breaches. Unfair trade practice charges can be brought against companies and organizations if they expose personal information like social security numbers, credit card numbers and driver's license numbers. And lawyers must provide notice to their clients and the Office of the Attorney General if they've suffered a data security breach.

There are at least three other ways that data breaches can occur, says Ellen Giblin, lead privacy and data security counsel with the Ashcroft Law Firm in Boston and manager of the data breach response teams for clients.

Hackers can keep pinging away at a law firm's information security apparatus until they break in. They can use an insider to provide them with sensitive information. Or they can "socially engineer" their way past IT security protocols by using phishing scams that entice lawyers to respond to fraudulent e-mails which, in turn, provide entree to their firms' electronic data.

Under the law, law firms are considered to be vendors, and vendors are required to have the appropriate "administrative, physical and technological safeguards in place" to ensure data security, Giblin said.

"It's important for law firms to always safeguard and keep confidential their client information, whether it's to protect attorney-client privilege" or to follow federal, state or other laws enacted to protect privacy and confidential information.

Not even the experts agree on how to best protect client data.

Lawyers Dan Siegel and Molly Gilligan, whose company, Integrated Technology Services, advises small and mid-sized law firms, said the best practice is to store client data with a cloud vendor on the web and on a hard drive in one's legal office.

It's the practice they use in their own businesses. Siegel, who is based in the Philadelphia suburbs, and Gilligan, a Quinnipiac University School of Law graduate now based in Maine, are using a remote case management system so they can work together in a law practice as well as in their technology business.

Cloud vendors can provide better security than a smaller law firm typically can come up with on its own, Siegel said.

But lawyers must do their due diligence and ensure that the vendor's terms of service acknowledges that the data belongs to the client, and not the vendor or the law firm, Siegel said. Lawyers should only use vendors that store the data in the U.S., he said.

The agreement with a cloud vendor also should cover what happens if the vendor goes out of business, Siegel said. If a vendor does go out of business, Siegel's firm has the encrypted data backed up on a hard drive, he said.

Connecticut bar officials have not issued an ethics opinion on whether its appropriate for lawyers to entrust client data to a cloud computing service where the data is accessed over the Internet via a web browser, according to a tally by the American Bar Association. New York and Massachusetts have released ethics opinions on the topic; both jurisdictions require that lawyers exercise reasonable care in putting client data on the cloud.

Ferraro, however, does not recommend using cloud vendors, saying that law firms should be leery about trusting an outside company with such sensitive client information. "If you have control of your data," she said, "you have control over your data."

If lawyers choose to go the cloud route, Ferraro says they should get client consent before storing their data remotely. She prefers that lawyers stores their own files, making sure they are encrypted. She recommends that attorneys install a self-encrypting hard-drive on their computers.

Heidi Alexander, a law practice advisor with the Massachusetts Law Office Management Assistance Program, said that Dropbox, one of the most popular cloud providers, may not be the safest and most secure vendor to use because it has experienced some data breaches of its own. She, too, said that encryption is the best way to protect documents. She added that attorneys should make sure that passwords are strong and unique.

Both Ferraro and Giblin recommend a number of other data security policies. They said law firms should have policies that forbid the use of computers for personal purpose. Along the same lines, Ferraro said lawyers should have separate business and personal smartphones. Those phones should be password-controlled and include features that allow their digital contents to be erased from a remote location in case they are lost or stolen.

A law firm is going to be experience a data breach and get into hot water, Ferraro and Giblin predicted.

Even though lawyers are supposed to notify their clients of data breaches under Connecticut law, "they don't do it and it's just a matter of time before this implodes upon itself," Ferraro said. There will be a class action lawsuits or criminal investigations, she said.

Giblin predicts federal action at some point against a law firm. The Federal Trade Commission has prosecuted data security breaches as an unfair trade practice, she said. "If they haven't gone after a law firm, they will," Giblin said.

Gilligan said that there is a balance to be struck between security and efficiency with technology. Lawyers need to take reasonable steps to use technology to protect their clients' data, Gilligan said, but technology also is about "making your office more efficient and better able to serve your clients. There is a trade-off."

Consent does not protect privacy in the era of big data because it is not meaningful in an era of giving permission through clicks on a screen, said Kate Crawford, a researcher at Microsoft Research and MIT, at the Social, Cultural & Ethical Dimensions of 'Big Data' held last night.

Big data analytics are being sliced and diced to create personalization and segmentation, Crawford said. But predictive analytics can create "predictive privacy harms" under the "rubric of personalization," Crawford said.

Instead of using consent to cure potential harms, there should be a data due process framework "placing accountability at the very end of the chain," Crawford argues. When data about a person is being used to make a decision that would affect their lives, disclosure should be mandated so that he or she can have the opportunity to respond, she further argues.

There should be more protection when the decisions involve important matters like health and employment, and there could be weaker protection when the decisions involve less weighty matters like advertising, Crawford said.

Even the most sophisticated systems can leak privacy information, Crawford said. The combination of private signals with public signals can be combined so that people's privacy is deeply violated, Crawford said.

"We need to be a little bit more skeptical when people tell us data is going to be secure," Crawford said. 

Steven Hodas, a consultant who has worked on data projects for educational systems, said that the backlash against the InBloom, the company trying to collect, store and share student data with the support of the Gates Foundation, was because parents felt that their kids were being reduced to algorithms and they did not want teaching reimagined as educating a cohort.

Personalization does not mean more human interaction, but better data configuration, he said. We are "headed for dissonance with dissidence not too far behind," he said.

Parents want teachers to be "analog craftsmen, not maker bots," Hodas said.

The blowback against InBloom might have been averted if there had been portals for parents to access parent-oriented data, Hodas added.

Columbia University scholar Alondra Nelson said that data about genetics is a disproportionate issue for minorities because more minorities are arrested or convicted and have their DNA uploaded into criminal justice system databases. Blacks make up 13 percent of the American population, but they are 40 percent of felony convictions, she said. Even innocent people who are not ultimately convicted have their DNA included in the databases, she added.

In another example of how genetic data implicates privacy, sequencing the genome of the HeLa cell line and uploading it on-line meant that personal information about Henrietta Lacks, the woman from whose cervical cancer cells the cell line was developed, and her family could be identified, Nelson said. That included genetic markers for physical appearance and disposition for diseases.

The event was cohosted by the Data & Society Research Institute, the White House Office of Science and Technology Policy, and New York University's Information Law Institute. 

Nicole Wong, a former legal director at Twitter and now a deputy U.S. chief technology offer working in the White House' big data workgroup, said we need to "lean into those hard questions" about the issues of technology, privacy and individual liberties.