Whether you are a 40-year veteran or a brand new lawyer, you know that you knew more current black letter law upon graduation than you would ever know again. The one constant was that everything changes. Everything changes faster in the law than cell telephone technology or prices at Wal-Mart. Even knowing that the case law, statutory law and rules are always changing, it is still difficult to keep up with the increasing duties of lawyers.
For example, HIPAA [Health Insurance Portability and Accountability Act of 1996] requires that a “covered entity” maintain the privacy of personal health information (PHI). Covered entities can include healthcare providers, health plans and health care clearinghouses, and their business associates such as lawyers. We are routinely asked to sign Business Associate Agreements binding ourselves to protect patient information when we get it from another source. The 2009 HITECH Act provides Enforcement Rules to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules. It also applies to lawyers: we are subject to fines and penalties when we have a data breach, and we have large reporting and remedial responsibilities if we do. The costs of such a breach can be most significant and would not generally be covered by a professional liability policy or even a commercial general liability policy. So, law firms are now looking at “cyber-insurance” to cover data breaches and the fines for them. These policies require strict physical security and adequate and commercially reasonable computer security policies. The loss of an unencrypted mobile device containing patient records could trigger some real expense.
Lawyers now also have to be trained to know about Medicare Set-Aside rules or they or their clients may have to pay more than once when they are settling a case for a client.
The ABA recently reported that hackers used a Trojan banker virus to replicate a web page for a law firm's actual bank. Then, when the bookkeeper entered the law firm's password, as prompted, the hackers, who were watching through their computer program, obtained it in real time and very soon logged onto the firm's actual trust account themselves. A six-figure loss was reported, so now there is a need to be wary of emails that seem to come from banks you know.
Therefore, each lawyer must use common sense about all types of non-legal things, such as not allowing visitors unescorted on the firm’s premises at any time. This extends to protecting the firm’s online systems from even friendly outsiders who want to use our system “just for one quick thing.” That is tantamount to giving free access to everything and could expose the firm to penalties. Most firms provide internet access for visitors using their own devices or an independent computer not connected to the firm’s system. Just say no if asked to briefly use the firm system. “No” can be a complete sentence.
Lawyers must use more than just normal diligence to protect their mobile devices. Think beyond the loss of property to the professional duties at stake. We must also use common sense to prevent the obvious “phishing” on computers with the usual scams, and the specific “spear-phishing” with things like “Mike wants to meet you at 4:00 p.m. to review the attached financials” designed to get access to your system. So the message this month is that situational awareness is now part of a lawyer’s basic duties. Lawyering is like any other skill: you learn the basics and then keep layering on new skills and polishing old ones constantly. Security of a law firm’s data is a new and required skill in order to practice.