Foreword: This content should not be considered legal advice. As a general rule, the Plaintiffs Bar represents individuals who have been subjected to unauthorized exposure of their personal information; however, recent reporting related to a marketing vendor, XSOCIAL MEDIA, engaged by Plaintiffs Firms brought our attention to the very real possibility that Plaintiffs Firms could easily find themselves as defendants in matters arising from cyber security breaches, even in situations in which the firm was not in direct control of the server or other computer system that was breached. We would encourage firms to engage in independent research related to the regulatory and statutory topics covered and welcome any information, including differing opinions, on the substantive matters covered herein.
The most important takeaway from our research on this topic can easily be summed up by the following statement:
If a cyber security breach occurs within systems controlled by your firm, or a vendor engaged by your firm, which could have POTENTIALLY exposed client or potential client personal data, do not stick your head in the sand and hope the issue goes away. The most significant negative consequences that may occur after such a breach arise from failing to act transparently, not necessarily from the fact that the breach occurred. If your systems are breached, or your vendors’ systems are breached, you and/or your vendor are the victim of a crime. Additionally, any client or potential client whose personal data was exposed is a victim of that same crime and has a legal right to know they have been victimized, or potentially been victimized, by a third party, just as you were. Notifying your clients places them in a position to be on alert and mitigate any damage that may occur because of the exposure. Failing to notify your clients effectively makes you a party to the same bad acts that were perpetrated against you.
ALARMING REPORTS OF MARKETING VENDOR SECURITY BREACH
Alarming reporting regarding an alleged data security breach at XSOCIAL MEDIA, a major provider of marketing services to Mass Tort Law firms, draws our attention to potential liability and other exposure Plaintiff Law Firms could face in the ever-changing digital age.
The reporting related to XSOCIAL MEDIA (see examples below) caused our researchers to pose and research the following question:
Could a Law Firm face liability or disciplinary exposure from a data breach at a third-party vendor or marketing agency?
Our research resulted in some surprising implications and conclusions. The most important conclusion reached was that every Plaintiff Firm should not only review the cybersecurity practices within its own firm; every firm should also be diligent in remaining aware of cyber security issues related to any marketing vendor the firm engages. Secondly, in the event that a breach does occur resulting in the POSSIBLE exposure of clients’ private information, review and comply with State and Federal Statutes which require notifying the affected persons and, in some states, notifying the State Attorney General.
WHO IS XSOCIAL MEDIA?
According to the company’s website, XSOCIAL MEDIA engages in the business of:
“Finding clients via Facebook advertising is what we do on a big scale.”
WHICH LAW FIRMS ENGAGE OR ENGAGED XSOCIAL MEDIA?
Among the testimonials found on the XSOCIAL MEDIA homepage we found the following:
“Jacob and his team have been helping us on various projects for several years now and his performance has always been great.”
Robert Blanch, Levin Papantonio
“Jacob has done, and continues to do, an amazing job for our law firm. He is incredible to work with.”
Martin Levin, Levin Papantonio
Given the high profile of the Levin Papantonio firm, as well as the firm’s companion organization, Mass Torts Made Perfect, we would have no reason to believe that this firm would labor under any belief that its actions could ever “fly under the radar.” Consequently, we have no reason to believe that this firm would ever knowingly engage in actions that might result in unwanted attention from State Attorneys General and other enforcement agencies. The same is true of other firms and attorneys known to us for whom testimonials appear on XSOCIAL MEDIA’s homepage.
Unfortunately, if the reporting relevant to the XSOCIAL MEDIA security breach (see below) is accurate, law firms that have employed the services of the agency may face requirements and duties to notify “affected clients” despite the fact that the “breach” did not occur on a server owned or directly controlled by these firms.
REPORTING ON XSOCIAL MEDIA ALLEGED SECURITY BREACH
Report: Medical Data Leaked for Hundreds of Thousands of Users (including US Veterans)
xSocialMedia’s unsecured database exposed 150,000 sensitive medical records.
Ad agency data leak leaves veteran combat-injury information vulnerable.
xSocial Media Exposed 150,000 Records Containing Personal And Medical Information.
Hundreds of thousands of medical records exposed in two data breaches.
Media advertising agency exposes patients’ medical info.
Online media advertising agency exposes patient’s medical info.
POTENTIAL LAW FIRM LIABILITY AND OTHER EXPOSURE ARISING FROM A THIRD PARTY VENDOR CYBER SECURITY BREACH
Without opining on or drawing factual conclusions as to the accuracy of the above reporting, our staff engaged in research relevant to four major areas of concern based on an “if such a breach did occur” basis.
The first area of concern our researchers addressed was, of course, HIPAA. Surprisingly, our research led to the conclusion that “HIPAA” violations might pose the least potential exposure (if any) for law firms under the scenario considered. We have listed our four primary “areas of concern” below in reverse order of “degree of concern.” The listing is followed by our tentative findings and conclusions in the opposite order (area of most concern first).
HIPAA VIOLATIONS: (unlikely to expose the law firm to liability) CAVEAT: The plain language of the HITECH Act would not appear to have expanded the “covered entity” limitations of HIPAA in a manner that would be apt to our present subject; however, certain ambiguities in the HITECH Act could be construed to have created such an expansion.
LIABILITY ARISING FROM VENDOR CYBER SECURITY BREACH: (dependent on the existence of an agency relationship)
RULES OF PROFESSIONAL CONDUCT: Law Firm exposure (Bar action) arising from the vendor breach is improbable; however, failing to notify plaintiffs of the breach could be significantly problematic.
FEDERAL and STATE CYBER SECURITY BREACH NOTIFICATION REQUIREMENTS: (Significant potential exposure, especially arising from the various State laws, less under Federal Law).
POTENTIAL LIABILITY AND OTHER EXPOSURE ARISING FROM NOTIFICATION REQUIREMENTS
Section Foreword: One of the most important and most easily overlooked features of the various States’ Cyber Security Breach Notification laws is that notification is triggered by the POTENTIAL exposure of individuals’ private information. It is also worth noting that in numerous states, in addition to notification being sent to affected persons, certain Government authorities must also be notified in detail. Below are two examples:
In Florida, the following authorities must be formally notified:
The Department of Legal Affairs (State Attorney General); a police report must also be filed.
In New York, the following authorities must be formally notified:
NYS Attorney General, NYS Division of State Police; and the Department of State’s Division of Consumer Protection.
Although there are a number of Federal Statutes that address Cyber Security Breaches and notification requirements relevant to individuals from whom personal data was POTENTIALLY exposed, our research found that the laws of the various States apt to the subject could potentially be far more problematic than Federal Law. The foregoing arguably imposes a “best practice” on Mass Tort firms, that accept clients from numerous states, to become familiar with the cyber security breach and notification laws of every state, before or certainly upon the occurrence of any event which might cause issues for a firm in “real time.”
The National Conference of State Legislatures publishes a 50 State Security Breach Notification Laws “compendium” which can be viewed at this link.
The Law Firm of Perkins Coie also publishes a similar 50 State Compendium, which may be more up to date and which can be viewed at this link.
It should be noted that the various states are routinely amending the laws referenced in the “compendium”; therefore, if you believe your firm has potential exposure under any of these laws, you may wish to check the most recent statutes of each state in which you represent clients.
- When reviewing the various States’ Cyber Security Breach Notification laws, keep in mind that the attorney client relationship as a rule places the attorney in the role of a fiduciary. Certain states may impose greater duties in circumstances in which a fiduciary relationship exists.
- Without regard to whether a given state’s law imposes a notification requirement, that same State’s Bar rules and most recent opinions relevant to Cyber Security may impose such a requirement on attorneys.
It was not my law firm’s server that was breached, how could I be responsible for notifying anyone of the breach?
The foregoing is a logical question and one might think that the duty to notify individuals who were subject to having their personal information “exposed” would fall solely on the entity that controlled the server that was breached. Think again!
Our general conclusion, after reviewing every State’s Cyber Security Breach notification law, is as follows:
Any entity or individual who received and electronically or otherwise stored the “breached data” has an individual and unique duty to provide notice to everyone for whom personal data was or was potentially exposed.
There do appear to be general exceptions to the above:
- If the entity that controlled the server provides proper notice to the “exposed individuals” per the various Federal and State Laws, other lawful and legitimate third-party recipients of the data are not required to “double notify” the exposed individuals. Caveat: The foregoing should not be taken to mean that a given State’s Bar rules could not nonetheless require the law firm to provide notice, without regard to any other notice provided by a third party.
- In general, the State Laws provide some “safe harbor” for recipient entities (such as law firms who received client personal data from vendors) who did not know, nor reasonably should have known, of the breach. Caveat: If the reporting related to XSOCIAL MEDIA is accurate, these safe harbor protections might not be available. Given the breadth of reporting on the matter, it would be difficult for a firm to claim that it could not reasonably have been expected to be aware of the alleged breach.
Caveat: Check each state’s laws (by client’s residence) to determine what, if any, “safe harbors” exist in that state.
STATE RULES OF PROFESSIONAL CONDUCT
Note: When assessing your firm’s notification obligations under the “notification laws” of the various states, it appears that you must apply the law of the state of residence of each client who may have been subject to exposure of their personal information. You may also need to file a report with authorities in any state in which you occupy a premises, or are directly subject to that state’s Rules of Professional Conduct, even if the breach did not expose a single (resident) individual’s personal data in that state.
When assessing the various State Bar Rules, it is less clear whether an attorney need only concern themselves with the states in which they are barred, as opposed to states in which clients may reside but in which the given attorney is not barred.
Given the increasing frequency of cyber security breach occurrences, almost every State Bar has opined on a lawyer’s obligations after a cyber security breach, without regard to whether the attorney or law firm controlled the breached server, or the server was controlled by a third party service vendor (e.g. a marketing vendor). In general, the ABA has opined on attorneys’ obligations related to exposure of client data arising from a cyber security breach (without regard to fault for or cause of the breach).
Quotes from the ABA:
ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Rule 1.4 does require that notice of a breach to a current client include, at a minimum: that there has been unauthorized access to or disclosure of the client’s information, or that unauthorized access or disclosure is reasonably suspected of having occurred.
Even where a given state’s (by client residence) “notification” laws might not require the law firm to notify plaintiffs (requiring only the entity that controlled the server to provide notice), the ABA has opined in general as follows:
The committee’s opinion reviews lawyers’ duties: of competence under Rule 1.1, as informed by Rules 5.1 and 5.3; of confidentiality under Rule 1.6; to inform clients under Rule 1.4; and to safeguard client property under Rule 1.15. The committee also notes that an attorney’s ethical obligations under the Model Rules are distinct from statutory obligations imposed by state or federal laws.
The committee points to The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition.
Takeaway: If your firm’s clients’ personal information has potentially been exposed, without regard to “State and Federal Cyber Security Law”, it is probable that your State Bar Rules would require you to notify any potentially affected client. This requirement would appear to apply without regard to whether the exposure occurred because of a breach of a server controlled by the law firm or by a third-party vendor (e.g. a marketing vendor). More simply stated, if the person is your client and you know or should know their personal information has been exposed via a cyber security breach, you are most likely obligated to let the client know.
HIPAA VIOLATIONS AND NOTIFICATION REQUIREMENTS
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.
HIPAA authorizes the Department of Health and Human Services to enforce the provisions of the act against “covered entities.” The definition of “covered entities” under HIPAA is extremely limited, including only health care providers, their agents and other narrowly defined entities; it would include neither law firm marketing vendors nor law firms.
It is not, however, clear whether the HITECH Act expanded the definition of “covered entities” beyond the original definition found in HIPAA.
OTHER POSSIBLE LIABILITY ARISING FROM A CYBER SECURITY BREACH
Could a law firm be held liable (under general negligence theories or statute) for allowing or failing to prevent a cyber security breach of a third-party marketing vendor’s (or other vendor’s) computer systems?
The tentative answer to the foregoing seems to turn on the nature of the relationship between the law firm and the third-party marketing or other vendor:
- If an agency relationship exists between the law firm and the vendor in which the law firm is the principal, it is possible that the law firm could be held liable for the breach, despite the fact that the law firm had no direct control over the servers or other computer systems that were breached. Example: If a law firm hires an ad agency or other marketing firm to run advertising or engage in lead generation specifically for that firm, then an agency relationship might exist in which the law firm is the principal and is therefore liable for the agent’s (the vendor’s) negligence.
- Conversely, if a law firm simply buys leads from a third party marketing vendor, without “hiring” that vendor to perform any specific task intended to produce those leads, it is less likely that an agency relationship would be created.
Note: The relevant jurisprudence related to the “vicarious liability” imposed upon principals for the acts of their agents is complex. Deception of the principal by the agent, relevant to the matter at Bar, can provide a defense for the principal. Generally, this defense requires that the deception be express (the agent actively misled the principal). Unfortunately, the fiduciary nature of the attorney client relationship further complicates this analysis.
It would seem manifestly unjust for a law firm to be held liable for a data breach under circumstances in which the law firm had no means by which to ensure the third party vendor exercised adequate “cyber security measures.” Nonetheless, the jurisprudence relevant to agency relationships not only fails to exclude the possibility of such an injustice but instead creates a backdrop in which such a scenario could occur.