Law Firms Beware! States Continue to Address Cybersecurity Risk: New Jersey Gets Results from Civil Enforcement Unit
On an almost daily basis, almost every one of us provides sensitive personal information electronically to businesses, including law firms, simply assuming that cyber attackers will be unable to access the information. Often, they can, regardless of the reasonable safeguards in place. Criminals seeking to profit by misusing, unlawfully acquiring or unlawfully selling a client’s personal information may attempt to breach the law firm’s electronic systems using various methods:
- Phishing / Spoofing / Unauthorized Access to E-mail
- Hacking / Unspecified Intrusion
- Internal / Employee Error
- Internal / Employee Theft
- Vulnerability / Misconfiguration / Programming Error
Phishing or brand spoofing, the most common method of data breach, is a fraudulent scam by which an individual disguises themselves as a reputable company and “phishes” for personal data, such as social security numbers, date of birth information, and bank account numbers. The act is simple: the criminal will send an email to an unsuspecting victim requesting, with some sense of urgency, that the victim click on a random link. After clicking on the link, the unsuspecting victim will be induced, by a warning of severe consequences for inaction, to reveal their confidential information. Even if the victim does not reveal any confidential information, simply clicking on the link increases the vulnerability of the victim’s computer to malicious viruses.
Employee error is yet another common method for criminals to perpetrate cyber security breaches. For example, in 2018, a plaintiff commenced an action in Morris County, New Jersey, against his prior law firm that handled his matrimonial divorce action because the law firm allegedly disseminated plaintiff’s confidential information to the plaintiff’s ex-wife by simply forwarding an email with a link containing the information to the ex-wife’s matrimonial counsel, who then forwarded the link to the ex-wife. Thereafter, the ex-wife allegedly accessed the confidential information. Ultimately, attorneys should be mindful that their law firms may be subject to claims of legal malpractice and breaches of fiduciary duty for cyber security breaches based upon employee error for dissemination of confidential information. Given the fact-sensitive nature of these data breaches, a motion to dismiss often is not enough to extricate the firm from the case early. For that reason, data security and data privacy are among the fastest-growing economic and personal concerns facing law firms.
Not surprisingly, New Jersey is one of the ever-increasing number of states to amp up cyber security protection. Similar to its neighboring states, including New York, New Jersey defines a data breach as the “unauthorized access” to electronic data containing personal information when access to the personal information has not been secured by encryption or by other methods that render the personal information unreadable or unusable. N.J.S.A. 56:8-161. Personal information ranges from sensitive data, such as social security and bank account numbers, to less confidential data, such as an email address if in combination with any password or answer to a security question that would permit access to an online account. Id.
Following a national trend, New Jersey has doubled down on its efforts to protect businesses, such as law firms, from cyber threats by creating a new civil enforcement unit, known as the Data Privacy & Cybersecurity (DPC) Section, within the office of the New Jersey Attorney General. The DPC Section authorizes the Division of Consumer Affairs and other New Jersey state agencies to commence civil litigation when New Jersey businesses or residents fall victim to a cyber security data breach. While New Jersey state agencies will enforce the DPC Section, New Jersey courts remain the primary source of relief for law firms victimized by cyber scams.
On October 31, 2019, one year after the formation of the DPC Section, New Jersey announced a 6% decrease from the 958 breaches reported to State Police in 2017. While the reported data breaches decreased, the top methods of breaches of security in 2018 are still phishing, hacking, and employee error.
In other words, even with increased awareness, law firms are still susceptible to cyber security breaches. The answer may be to remain vigilant and take proactive steps to protect clients from data breaches, including:
• Installing personal firewalls and using the most current and up-to-date anti-virus software;
• Avoiding clicking on e-mail links or attachments from unknown senders;
• Being on the look-out for emails with spelling errors, awkward sentence structure, or links embedded in the message narrative that contain all, or part, of a legitimate name; and
• Selecting strong passwords containing letters, numbers, and symbols and changing the password frequently.
Even though New Jersey has amped up its cyber security enforcement with the DPC Section and it appears that cyber security breaches have decreased, law firms should be mindful that the decreases may be the result of a decrease in reporting and not an actual decrease in cyber security breaches.
This article was prepared by Rachel Aghassi and Spencer A. Richards of the New York City-based law firm of Furman Kornfeld & Brennan LLP. Rachel and Asher are part of a team of 36 lawyers and paralegals devoted to the defense of attorneys and other professionals in malpractice and disciplinary matters, as well as the defense of construction and personal-injury accidents. For more information about the above topic or authors, please visit: www.fkblaw.com
We trust that the above article was useful and thought-provoking; however, please note that it is intended as a general guide and opinion only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters. For more information on LPL coverage generally, contact USI Affinity today.