My Two Cents: If companies are beginning to be held responsible to their clients for data breaches of their third-party software vendors and providers, should lawyers be concerned too?

I came across this article by Peter Selvin for TodaysGeneralCounsel.com. He’s raised the concern that courts are beginning to test whether companies can be held liable to their clients for data breaches of their third-party software vendors and providers. This is not a far stretch, since companies are already responsible for the theft, from their own servers, of their employees’ Private Personal Information (PPI) or Personally Identifiable Information (PII). But my concern is, what about the little guy like solo and small-firm lawyers?

Remember, the Model Rules of Professional Conduct require all lawyers to take reasonable steps to protect our clients’ information (MRPC 1.6). They further require us to keep up to date with technology (MRPC 1.1, Comment 8). So, how deeply do we need to analyze the security standards of third-party software providers and off-site data clouds before we use them? (I have some suggestions below.) And then, when we are using (likely known to be) secure sources, e.g., Microsoft 365, Dropbox, Box, Clio, inter alia, do we need to monitor them in case of a breach? And then what do we do if there is a breach? I have some suggestions.

What to do if you have a data breach:

  1. If you have malpractice insurance, contact them and ask for guidance;

  2. If you have cyber insurance, contact them and ask for guidance;

  3. If you have neither, attempt to confirm with the company in question (or other reliable third-party sources) that the breach occurred and what was affected. Also, ask them what they are going to do for their customers.

  4. If you have neither 1 nor 2, and after you confirm with the company that your client’s data may be affected, contact your client. Let them know of the potential breach, that they may have been affected, and that they should monitor their credit score and watch for any unusual activity in their banking and credit card accounts;

  5. Lastly, if there is a data breach and client information is likely exposed, you will need to contact your Bar Association. I'd start with your bar's confidential ethics inquiry hotline (most bar associations have them) for guidance.

What can you do to protect yourself from potential liability from these kinds of breaches? You need to keep an eye on your software and data storage providers. For example, if you are still using LastPass as your password manager despite my warning noted here, you are setting yourself up for trouble. Don’t use sketchy or lesser-known providers; if you do, make sure you vet them by reviewing their security protocols and customer reviews. Another option is to get cyber insurance.

Peter provides some great thoughts about choosing a potential insurance provider that I summarized below:

  1. Ensure cyber insurance covers vendors' networks for potential damages from data breaches.

  2. Have sufficient limits on your own cyber insurance policy for data breach incidents.

  3. Conduct regular cybersecurity audits of vendors' safeguards.

Also, I'd look to your carrier for ideas about being cyber secure. They have a strong interest in making sure you are not vulnerable.

Peter also has some ideas about screening your vendors and providers, summarized below:

  1. Require vendors to carry cyber insurance with your company as additional insured, as per written agreement.

  2. Establish a written agreement for vendors to defend and indemnify your company from data breach claims backed by their own cyber insurance.

But I don't think these demands are very realistic for solo and small/medium firms. The big or medium-sized vendors will likely not give in to your demands (although they may well take suggestions). I think that for our liability concerns (from both our clients and bar associations), we would need to vet and monitor our vendors and providers at least reasonably. If you don't take at least these steps (for instance, if you are still using LastPass given the very public issues the company has been experiencing), then I can easily see a lawyer having trouble soon after a breach, especially if it is their own network.

In the end, you need to be diligent about what you use, keep an eye out for news of potential breaches, and follow up quickly if there is a breach.

Stay Cyber Safe and Happy Lawyering!

MTC