Last week the American Bar Association adopted a new resolution urging all organizations in the private and public sector to enhance their cybersecurity protocols. Resolution 109 recommends several cybersecurity standards and notes that security failures often arise when these standards are not fully implemented or maintained.

This is particularly timely in light of the recent data breach at Community Health Systems (CHS) the day before the ABA passed Resolution 109. CHS is a leading operator of general acute care hospitals around the nation. It owns, operates, or leases 206 hospitals in 29 states with approximately 31,100 beds. On August 18, CHS reported to the Securities and Exchange Commission that hackers using malware stole the personal data of nearly 4.5 million patients. The stolen patient data included birth dates, names, social security numbers, and addresses. News reports indicate that the cyberattack was initiated via the OpenSSL Heartbleed vulnerability that also led to the exposure of over half a million secure servers earlier this year.

In the case of CHS, highly sensitive medical data was not stolen, but the personal data that was stolen still puts its patients in danger. Hackers collect and sell personal information through black markets until they have enough information about an individual to open up new credit cards, redirect mail, drain bank accounts, and perform many other illegal acts through identity theft. A large data breach can also jeopardize an organization’s reputation and the trust of its clients, patients, and customers. The infamous Target Corp. data breach has cost the company over $200 million in expenditures, has led to a $1.02 billion drop in net earnings, and has caused a major restructuring of the company’s leadership.

Resolution 109 urges all organizations to reexamine their cybersecurity standards and practices, but it calls particular attention to the vulnerability of law firms to cyberattacks. Law firms often retain very sensitive client information, and the ABA notes the significant risks facing law firms as technology progresses and hackers become more sophisticated. The ABA Model Rules of Professional Conduct note that “a lawyer’s duty of competence includes keeping abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” As law firms continue innovating with new technologies, they are increasingly at risk of exposure to new and unexpected malware and hacker technologies, as CHS was last week. Law firms must diligently maintain, reassess, and update security measures to protect clients’ personal information.

Cybersecurity is not something to be taken lightly, and recent data breaches have shown how vulnerable large and sophisticated organizations can be to cyberattack. The ABA’s Resolution 109 does not solve the problem, but it does serve as a timely reminder of how important cybersecurity is to all industries, including the legal industry.

Edmund Semmes
