Hardware

New Potential NYSBA Training Requirement Highlights Interplay of Cybersecurity and Ethical Obligations

The New York State Bar Association (NYSBA) has approved a report from the NYSBA Committee on Technology and the Legal Profession that recommends amending the mandatory continuing legal education (CLE) rule to include cybersecurity training. If approved by the CLE Board, the new rule would require New York attorneys to earn one cybersecurity CLE credit every two years and would make New York the first state to impose a specific cybersecurity training requirement.

The recommendation comes on the heels of the SHIELD Act, a law whose data security requirements took effect this past March and which requires businesses (including law firms) to use reasonable safeguards to protect New York residents' personal information, and of the COVID-19 pandemic, which has forced nearly everyone to move business online. As lawyers do more work from home on personal devices and networks, without the safety net of their firms' security systems, it is more important than ever that they understand the cybersecurity risks they face and the safeguards that need to be in place.

What are an attorney’s ethical obligations regarding cybersecurity?

The ethical guidelines that every attorney must adhere to certainly cover cybersecurity in broad terms. Protecting client information is a top priority, for example, whether that information is on paper or online. There are also many ethics obligations focused on communications and confidentiality, including safeguarding client confidences competently and acting responsibly if an unauthorized disclosure occurs. Generally, lawyers are expected to implement reasonable administrative, technical, and physical safeguards to protect their clients. These three categories of safeguards are particularly important when dealing with protected health information (PHI), where they are mandated by HIPAA:

Administrative safeguards are the policies and procedures that help protect against a breach, including documentation processes, training requirements, data retention and maintenance policies, and more. Administrative safeguards also ensure that the physical and technical safeguards are implemented correctly.

Physical safeguards make sure data is physically protected. Security systems, video surveillance, locks on doors, and even rules about mobile device usage are physical safeguards.

Technical safeguards are the technologies and related policies that lawyers and firms rely on to protect data from unauthorized access.

The American Bar Association has issued guidance on data privacy and cybersecurity obligations that echoes these safeguards, noting that attorneys are expected to develop and implement data privacy and security programs, monitor for data breaches, and understand the basic features of relevant technology in order to serve their clients competently. The proposed CLE requirement will help ensure that New York attorneys are familiar with these obligations and, hopefully, better equipped to fulfill them. Cybersecurity is becoming an increasingly important part of any law practice, and it is critical that attorneys have the tools and knowledge to uphold their ethical responsibilities in the digital age. Our Beckage team works with law firms of various sizes and scope to implement data security programs designed to protect the security, confidentiality, and integrity of private information.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Workforce

Tweaking Your Incident Response Plan to Address A Distributed Workforce

The sudden, drastic shift to distributed workforces brought new practices and remote-access solutions with it, which in turn expanded the attack surface available to bad actors and created more potential gaps for them to exploit.

A business's Incident Response Plan is its playbook for deploying a rapid, proportional response to a potential security threat, with the goal of complying with applicable data privacy and security laws while maintaining client services. Such a plan generally lists the roles and responsibilities of staff positions as they work through the phases of Detection, Analysis, Containment and Eradication, Recovery, and Reporting. The key staff members named in the plan make up the Incident Response Team (IRT); their familiarity with the plan and their preparation in advance of a potential incident are often what determine whether a response succeeds.

Here are some important considerations in evaluating your current Incident Response Plan:

Communication

Communication is always key, but now it may need to happen without face-to-face meetings or assembling the IRT in a conference room. An Incident Response Plan, like a Disaster Recovery Plan or Business Continuity Plan, should plainly state the methods of communication IRT members will rely on, in order of preference, when responding to a potential incident. Thought should be given to which forms of communication are likely to be interrupted or compromised in an incident, and which backup method(s) will be relied on instead; an out-of-band channel that does not depend on the corporate email or identity systems is worth designating, since those may be the very systems an attacker controls. With IRT members working from home, which communication methods carry a lower risk of interruption, are more secure, and are available to every IRT member? Be careful about using free platforms or apps to communicate. Many are not secure, there is no expectation of privacy, and the data they store can be discoverable or subject to subpoena.

Relatedly, does the Plan identify which leaders are responsible for internal and external communications regarding an incident? In an office setting, for example, business phone lines and the clustering of staff could allow a team to efficiently direct all inbound questions or concerns about an incident to a VP of Communications. Name a title, not a department. Now, with cell phones serving as the primary communication tool, does your team need a refresher on how to handle communication from external parties, or a reminder of professional responsibilities when confronting a potential incident? Also remember that during an incident, particularly a ransomware incident, systems may be inaccessible because they have been encrypted or taken offline for containment. So, does every member of the IRT have a printed copy of the Incident Response Plan at home, with everyone's contact information?

Resource Allocation

The first phase of most Incident Response Plans revolves around detection: identifying what is happening and collecting details about a potential incident. Your Incident Response Plan might implicitly assume that IT staff, or others with the specialized knowledge needed to identify a security or privacy issue, are on hand or at the same location as the point of compromise. In your new work-from-home environment, it is time to consider how your IT staff will be available in the earliest moments after a potential incident is reported. Where possible, it may also be time to consider an endpoint detection and response (EDR) solution, an addition to your IT management environment that provides remote visibility into and management of the laptops employees are using from their homes. Such a solution can speed the collection of important forensic details while hastening containment and the wider response.

Role Adaptation

Work-from-home environments may change an IRT member's ability to carry out the role or responsibilities they were previously assigned. Incident response often requires confidential conversations, privileged communications, and discussion of sensitive data, so it is important to address with each member of the IRT whether they can meaningfully and responsibly participate in incident response while working from home. There are often more competing demands in a home setting than in an office, and when updating and reviewing an Incident Response Plan, your company has the chance to ask each member of the IRT whether they can still satisfy their role while handling those demands. Such a review allows IRT members' roles and responsibilities to be updated in advance of a potential incident rather than in the midst of one, saving valuable time, energy, and focus.

Practice

An Incident Response Plan best serves its purpose when it is regularly reviewed as part of a tabletop exercise. Such an exercise prompts clarifying questions among members of the IRT and familiarizes everyone involved with their own role and their expectations of others. Additionally, rehearsing the Incident Response Plan reminds all IRT members of the importance of communication, and of how critical legal determinations, such as what constitutes a data breach, must be considered when discussing or communicating about an incident.

Now that your IRT is working from home, how will they make use of your Incident Response Plan? The best way to find out is to schedule time to run a remote tabletop exercise. The updated exercise can reveal new strengths or weaknesses created by a distributed IRT and highlight the practical differences of an at-home response, such as whether everyone on the IRT has a hard copy of the Incident Response Plan in the event it is not accessible online.

Coordinated Vigilance

Updating your Incident Response Plan is key, but it should be done in coordination with improvements to other safeguards. In parallel with rolling out new work-from-home measures, companies should consider adjusting relevant policies, such as the Acceptable Use Policy, and assess how new access controls or encryption measures, such as virtual private networks, can mitigate security risks. While employees are adjusting to an array of new norms, it may be less disruptive to add a few more at the same time, including multi-factor authentication, new password standards, and other access control measures. By remaining vigilant and keeping a continuous focus on security and privacy, companies stitch best practices into the cultural fabric of their team.

If you have questions about creating a legally defensible Incident Response Plan, contact sophisticated tech counsel; we would be happy to help. Beckage is a law firm focused solely on technology, data security, and privacy. Its lawyers are also technologists and former tech business owners. Beckage is also proud to be a certified Minority and/or Women Owned Business Enterprise (MWBE).


Cannabis Privacy

Recent Cannabis Industry Data Breach Highlights Importance of Risk Mitigation Through IT Contracting & Insurance

When it comes to cybersecurity threats, everyone is at risk, regardless of the size or industry of the business. The cannabis industry saw this last week, when a software vulnerability that exposed data on at least 30,000 people from multiple dispensaries across the U.S. was disclosed.

Although it remains unclear who accessed the data, the incident highlights the particular risk that cannabis businesses face: legal requirements to collect detailed personal records from clients, combined with a fluid regulatory landscape. It also highlights that a proactive cybersecurity plan can help shift legal risk, and that well-drafted liability protections in IT contracts and insurance can do the same if a data breach does happen.

What is Cyber Liability Insurance?

Similar to other types of liability insurance, cyber liability policies protect businesses in the event of a data breach, ransomware attack, or other cybersecurity failure. These policies cover expenses or losses incurred when a network or database has been hacked, held for ransom, or otherwise compromised. Coverage typically includes:

• Notification costs – investigating, responding to, and resolving an actual or suspected data breach, and alerting potentially affected people. You might need mailings, call centers, or even additional staff.

• Credit monitoring costs – companies mitigating a breach often provide affected individuals with free credit reports, credit monitoring, or identity theft insurance.

• Ransom payments – sadly, hackers can (and have) taken networks and databases hostage. A cyber liability policy can cover ransom payments, as well as the costs of data recovery and restoration and losses from business interruption, subject to the policy's terms.

• Fines and penalties – with new data privacy laws emerging, the penalties for failing to protect consumer data could be substantial, and a policy may also cover the cost of defending claims brought by state or federal regulators.

• Third-party liability – if a customer or business partner alleges negligence or a failure to take reasonable measures to prevent a breach, the policy can cover the defense costs and damages arising from that claim.

• Crisis management costs – to track and contain both the cyber threat and its fallout, you may need forensic investigators, professional crisis management, or strategic communications support.

Cyber liability insurance is an increasingly important risk management tool that organizations rely on as part of a larger, comprehensive cybersecurity and privacy breach response plan. Note that cyber liability insurance is different from technology errors and omissions (tech E&O) insurance, which is designed to protect companies that provide technology products and services, such as software vendors, against claims that their product or service failed. Cyber liability insurance covers the fallout from a breach of the insured's own customer or client data.

Why Cannabis Businesses Need It

Any business that collects personal data could face substantial liability in the event of a breach, but the cannabis industry faces even more risk because of the unusual amount and type of information dispensaries and other cannabis businesses are required to collect. In addition, because of the constantly shifting industry and regulatory landscape, many cannabis businesses find themselves in uncharted territory and are likely to have questions about their cyber liability exposure. It is also important to note that while general liability policies may cover some cybercrime losses, they generally will not provide the comprehensive coverage needed to mitigate the damage from a data breach. Some general liability policies even contain express exclusions for cyber liability losses and claims.

One thing is certain: data is becoming increasingly valuable. Our Beckage CannaPrivacy Team understands the steps businesses should take to protect this valuable data. If the worst happens, it is critical to have the right liability coverage in place to minimize losses and disruption. Our team can help assess existing liability coverage and map out a nuanced cyber liability insurance plan for any business in the cannabis industry.


SHIELD Act

Beckage Urges NYS AG To Delay SHIELD Act Enforcement

In light of the rapidly evolving COVID-19 pandemic and the unprecedented changes to the New York workforce and network infrastructure, Beckage PLLC has asked New York Attorney General (AG) Letitia James to delay the March 21 compliance milestone, and general enforcement, of the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act by six months.

By letter dated March 18, 2020, the law firm Beckage, on behalf of a range of its clients across industries and sizes in New York State, asked the AG to provide this relief, together with a concurrent postponement of enforcement actions and civil penalties, to allow companies throughout New York State to update their administrative, physical, and technical controls in light of the current pandemic.

For background, phase two of the SHIELD Act's implementation has a compliance deadline of March 21, 2020. This milestone requires companies handling New York residents' data to have certain administrative, physical, and technical safeguards and policies in place by that date.

Leading up to March 21, companies were forced to respond to the COVID-19 outbreak and shift overnight to a remote workforce while still meeting the phase-two SHIELD Act deadline. Companies throughout the state have experienced sudden changes in a very short period in adapting to the pandemic. Accordingly, any prior SHIELD Act compliance work needs to be reviewed and updated as necessary.

Considering the COVID-19 pandemic, for which Governor Cuomo issued a statewide emergency declaration on March 13, 2020, Beckage's letter to the AG highlighted the considerable challenges the pandemic poses for SHIELD Act compliance.

Jennifer A. Beckage of Beckage said, "Businesses throughout the State are moving hundreds, if not thousands, of employees to remote workforce and cloud-based environments and are dedicating extensive Information Technology and HR resources to these efforts. The diversion of these resources to COVID-19 efforts means that many organizations may not have the resources to meet the SHIELD Act's March 21, 2020 milestone." Additionally, even organizations with extensive resources that have already taken steps to comply with the Act by the milestone are now seeing their entire enterprise shift in light of COVID-19. As Ms. Beckage explained, "By moving to remote workforces overnight, existing policies, practices, network infrastructure, and risk assessments may have completely changed, rendering current policies in some respects irrelevant or obsolete, or requiring updates to existing administrative, physical and technical controls."

Beckage supports the goals of the SHIELD Act and applauds New York's efforts to keep the state's laws up to date with current technology. Beckage is collecting comments from businesses affected by the SHIELD Act, which will be anonymized and included in a report Beckage is preparing for the New York AG's office as it continues to seek relief from the AG. Should you wish to be included, please submit your comments through our SHIELD Act comment portal by emailing shieldactcomments@beckage.com.



Second Compliance Deadline of NY SHIELD Act Approaches

If you waited until the last minute to develop a data privacy program, well, now it is required in New York. Signed into law on July 26, 2019 by Governor Cuomo, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires businesses to implement safeguards for the "private information" of New York residents and broadens New York's security breach notification requirements.
