Failure to take data security seriously
In 2014, the New York Times reported that a growing number of large corporate clients were demanding that their law firms do more to guard against online intrusions that could compromise sensitive information. Law firms are late to this. Corporations have for many years required their other service providers to undergo rigorous security assessments.
Those assessments include lengthy and time-consuming questionnaires detailing cyber security measures, on-site visits, and additional insurance coverage. In other words, it was clients who pushed service providers' security standards higher, and the service provider community quickly realized that if you wanted these business relationships, you had to raise your data security. Of course, not all security measures are created equal, and because of the sheer burden of the expense, some of us have taken more security measures than others.
Safeguarding our clients' corporate secrets, business strategies and intellectual property as though they were our own personal information is part of what our clients entrust us to do. But in today's environment, security is expensive.
Corporations and government agencies are not the only ones turning their attention to law firms' data security. The newly amended regulations under HIPAA and HITECH have significantly changed the obligations around managing personal and health information. In general, the new rules expand the obligations of physicians and other health care providers to protect patients' protected health information (PHI), extend those obligations to the many other individuals and companies that, as "business associates," create, receive, maintain or transmit PHI on a provider's behalf, and increase the penalties for violating any of these obligations.
Under the new rules, a law firm or e-discovery service provider that handles PHI for a covered entity is itself a business associate, is directly liable for compliance, and faces substantial penalties from federal regulators if it falls short. Unlike PCI, which is a private standard administered by the payment card brands and enforced through contract, HIPAA is federal law enforced by the U.S. Department of Health and Human Services, so liability traces directly back to the federal government, creating substantial risk for you and your client.