No one is immune. Every industry and business sector—including the legal profession—is a target for hackers and cyber criminals. Just ask the leaders of the prominent businesses and government agencies that have been victimized in recent years.
What's more, by the very nature of what we do, law firms accumulate highly sensitive and confidential information from clients. Law firms are increasingly being requested to allow their lawyers to work remotely (and, often, on personal, possibly unsecure devices), while at the same time being required to verify the integrity and security of their networks and information systems. Like participants in other industries, law firms also are subject to breach notification laws. And the dollars and cents do not stop there. Clients increasingly are mandating their outside counsel meet strict standards for data security.
But law firm practice groups devoted to helping law firms manage cyber-related risk and address breaches are few. And those that do exist often are set up to address only some of the important issues at play.
Hinshaw's Cyber Security for Law Firms practice group is the exception. The practice includes members from Hinshaw's leading lawyers' professional liability and risk management, legal malpractice defense, class action defense, and insurance law practices as well as others from the firm's robust intellectual property and technology, business and commercial litigation, and commercial transactions groups. The Cyber Security for Law Firms group has both the comprehensive tools and the vast experience needed to help law firms protect data; prevent or limit exposure to cyber security breach claims; and, where it is too late for that, to successfully defend them.
Services Available to Help Avoid a Breach
- Compliance counseling and breach prevention
- Review and evaluation of a law firm's data inventory and treatment, including sensitive/confidential information and existing vendor agreements
- Drafting, evaluating and updating privacy and security policies for:
  - Cloud computing/storage
  - Email and wifi
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Health Information Technology for Economic and Clinical Health Act (HITECH)
  - Mobile device management and "bring your own device" (BYOD)
  - Network security
  - Physical security
  - Privacy notices and policies
- Review and provide advice on cyber insurance policies to ensure adequate and appropriate coverage
- Review and evaluation of data destruction and disposal practices
- Evaluation of existing cyber liability coverages and options
- Preparation of incident response plans and evaluation of existing plans
- Counsel on applicable ethical, privacy and data security considerations
- Coordination of necessary security, forensic and incident response vendors
- Coordination of vulnerability and penetration testing, assessment of outcomes and development of remediation strategies
- Development and provision of education and training for attorneys and employees
In the Event of a Breach
- Coordination of the response to achieve compliance with applicable ethical obligations and data breach notification laws
- Coordination of initial incident assessments, the securing of networks, and evidence preservation
- Counsel on ethical issues related to data incidents and data breaches
- Coordination of vendors, call centers, and third-party forensic teams
- Lead/assistance with crisis management efforts
- Counsel on remediation strategies
- Defend litigation/government investigations and develop regulatory responses
  - Privacy/consumer class action litigation
  - Regulatory investigations
  - Legal malpractice suits
  - Lawyer disciplinary actions
Nationally Recognized Leader in Comprehensive Law Firm Representation
A Leader in Ethics and Professional Responsibility Law and Legal Malpractice Defense
Hinshaw is a firm of first choice in providing comprehensive risk management, regulatory and litigation defense representation to law firms, whether those firms are among the world's largest, midsized outfits or boutiques. Among our honors and recognitions, Hinshaw was ranked by U.S. News - Best Lawyers as the 2014 "Law Firm of the Year" in the area of Ethics and Professional Responsibility Law. And as noted in the Law360 article "6 Firms to Have on Speed Dial If Malpractice Trouble Hits," Hinshaw is one of the "few firms [that] have emerged as the go-to advocates for lawyers who find themselves facing a potentially devastating complaint" and is "a leader in defending legal malpractice cases."
Host of the Industry-Leading Legal Malpractice & Risk Management Conference
Since 2002, Hinshaw also has hosted the Legal Malpractice & Risk Management Conference (LMRM), the premier event focused on current and important developments in the law and litigation of malpractice claims, legal malpractice, insurance and risk management strategies. Attendees and speakers include leaders and general counsel from the most prestigious law firms and companies. Presentations in past years have included "Enhancing Your Data Protection and Mitigating Your Cyber Risk," "On the Horizon: Enterprise Risk Management—Welcome to Your Future," and "Maintaining Your Firm's On-Line Reputation—Ethical and Liability Issues in the Internet Age."
Home to Leading Attorneys in the Field
In addition to providing advice, counsel and representation to law firms, and hosting the LMRM, our attorneys are internationally respected scholars and leaders in the field of the business of law, law firm risk management, law firm and lawyer duties to clients, and legal malpractice. Our team includes past presidents of the Association for Professional Responsibility Lawyers and state defense bars, and leaders of public entities addressing professional responsibility and conduct. We also have authored or significantly contributed to leading publications—such as the leading book on risk management, "Risk Management: Survival Tools for Law Firms" (American Bar Association)—and have handled more than 6,500 hotline consultations in the areas of risk management and professional responsibility.
Leading Insurance Attorneys Who Can Help Secure and Ensure Sound Coverage
Hinshaw also has one of the most accomplished and well-respected insurance services practices in the United States. Our experience helping draft policies, including cyber insurance policies, and litigate coverage disputes gives us valuable insights in representing insureds seeking adequate and appropriate insurance. What we bring to bear is an intimate understanding of well-drafted and effective policies and clauses, a knowledge of policies and clauses that have not withstood scrutiny, and an appreciation for the cyber insurance marketplace.
Publications of Our Practice Group Members Include:
- "Can't Live with Them, Can't Live without Them—Ethical and Risk Management Issues for Law Firms That Adopt a “BYOD” Approach to Mobile Technology," ABA Journal for the Professional Lawyer, November 2015
- "What Every Independent Agent Needs to Know about Cybersecurity," LifeHealthPro, June 2015
- "Read the Fine Print: Insurance Coverage Issues Implicated in Data-Breach Claims," For the Defense, March 2015
- "Cyber-Security Insurance," Chapter 54 (new), Insurance Law & Practice, LexisNexis, December 2014
- "Data Protection and Privacy in the United States." Book chapter published in Risk Management in Law Firms, Globe Law and Business, London, 2014
- "Mitigating Law Firm Cyber Risk." Book chapter published in Risk Management in Law Firms, Globe Law and Business, London, 2014
- "Can't Live With Them, Can't Live Without Them: Ethical and Risk Management Issues for Law Firms That Adopt a BYOD Approach to Mobile Technology." Originally presented at the 41st American Bar Association (ABA) National Conference on Professional Responsibility. An updated version will be published later this year in the ABA's Journal of the Professional Lawyer
- "Cyberattacks Push Companies to Specialty Insurance Policies," The Recorder, May 23, 2014
- "Deciphering the Cybersecurity Framework," Claims Journal, April 2014
- Bloomberg Discusses Steve Puiszis' Panel Presentation on "Ethics of Data Breach Reaction" at ABA Professional Responsibility Conference, June 13, 2018
- Media Coverage of Steve Puiszis' ABA Panel Presentation on Protecting Privileged Information in U.S. Border Searches, August 25, 2017
- Steve Puiszis Quoted in Bloomberg Article on NYC Bar Guidance Regarding U.S. Border E-Device Searches and Client Confidentiality, August 8, 2017
- Steven Puiszis Featured in Article Discussing the Growing Importance of Law Firm CPOs and Data Security Officers, August 1, 2017
The Case of the Missing Laptop
Hinshaw was contacted by a law firm after one of its partners had an unencrypted laptop computer—which contained personally identifying information of individuals residing in multiple states—stolen. We: counseled the law firm on reporting the incident to its insurance carrier and to law enforcement; drafted a breach notification letter; advised on reporting obligations to state officials; and recommended and worked with the firm to hire a vendor to offer identity theft protection, issued the breach notifications, and set up a call center to handle questions from those persons who received the notification.
Hinshaw's Cyber Security for Law Firms practice group worked with a client that was the victim of an extortion attempt threatening the public release of personally identifiable information in the client's possession involving thousands of third parties. We believed the threat was sent by a former employee. We: assisted the client in making contact with federal law enforcement; worked with the client to hire forensic experts to investigate the incident and to confirm that its network was secure; coordinated the forensic evaluation of the client's network with the law enforcement investigation; hired a third-party vendor to offer credit monitoring and to set up a call center; and drafted the required breach notifications under state and federal (HIPAA) law.
After being contacted by a client's information technology department about a network intrusion originating from the Far East, we worked with the client to contain the intrusion, and arranged for forensic security experts to meet with the client the following day. The forensic security experts eradicated the threat to the client's system, and blocked all email traffic coming from that sector of the Internet without the loss or exfiltration of any data.