By: Lexis Practice Advisor Attorney Team
THE AMERICAN BAR ASSOCIATION (ABA) RECENTLY issued Formal Opinion 483, addressing lawyers’ ethical obligations to their clients after a data breach “exposes [their] confidential information.” Importantly, the ABA noted that compliance with these ethical obligations does not necessarily satisfy attorneys’ obligations under state law, and vice versa.
The ABA acknowledged that not all cyber events rise to the level of a data breach for purposes of the opinion and limited the reach of the opinion to “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” This includes the use of ransomware and attacks on lawyers’ computer infrastructure that render them incapable of accessing clients’ confidential information in order to continue representing them effectively.
According to the opinion, attorneys have an ongoing obligation to monitor the security of their electronic systems so that any data breach that does occur is more likely to be detected. This obligation stems from the attorney’s duty to preserve the confidentiality of client information by making reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, that information. The ABA stressed that the standard is one of reasonableness, not strict liability.
In the event of a breach, attorneys must act promptly to stop the attack and mitigate the damage. While the actual method of doing so “is beyond the scope of this opinion,” the ABA emphasized the importance of “proactively developing an incident response plan with specific plans and procedures.” These will vary from lawyer to lawyer and from firm to firm, but should always provide for identifying the network anomaly and assessing its nature and scope, determining whether data has been compromised, quarantining the threat, preventing information from leaving the network, and restoring the network’s security. Reviewing the incident once the system is restored helps attorneys prevent future breaches and decide whether new technology should be adopted.
The ABA drew a distinction between obligations to current and former clients. It explained that though all current clients potentially affected by a data breach must be informed of the fact, there is no clear rule with regard to former clients. Because the existing Model Rules direct attorneys to return all papers and property to clients when their business relationship is concluded, the opinion suggests that “as a matter of best practices,” lawyers and clients should agree before the termination of their relationship how the client’s electronic information will be handled.
Post-breach obligation to notify current clients is triggered only when data is actually disclosed to third parties. In such cases, the lawyer must disclose “enough information for the client to make an informed decision as to what to do next, if anything.” At a minimum, lawyers must advise clients that there has been unauthorized access to their information and should also explain the steps they plan to take to respond to the breach. Finally, lawyers should consider their additional obligations under federal and state law.
– Lexis Practice Advisor Attorney Team
RESEARCH PATH: Data Security & Privacy > Data Breaches > Articles
THE SECURITIES AND EXCHANGE COMMISSION’S (SEC) newly formed Cyber Unit has completed its first enforcement action under the agency’s Identity Theft Red Flags Rule.
Voya Financial Advisors Inc., an Iowa-based broker-dealer and investment adviser, agreed to be censured and to pay a $1 million penalty to settle charges that it failed to adequately protect customer records and information and failed to develop and implement a written identity theft prevention program (In the Matter of Voya Financial Advisors Inc., File No. 3-18840, 2018 SEC LEXIS 2595).
As part of its business, Voya gave its independent contractor representatives access to a proprietary web portal containing information that allowed them to manage customers’ brokerage accounts using their own computer equipment and networks.
The SEC alleged that over a six-day period in 2016, cyber intruders posing as Voya contractors used the company’s support line to request that three contractors’ passwords for the web portal be reset. The intruders used the new passwords to gain access to the personal information of approximately 5,600 Voya customers.
The SEC alleged that Voya’s conduct violated both its Identity Theft Red Flags Rule (17 C.F.R. § 248.201) and its Safeguards Rule (17 C.F.R. § 248.30(a)).
Under the Red Flags Rule, the SEC said, Voya was required to develop, implement, and periodically update a written identity theft program “that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account” and that includes “reasonable policies and procedures” to identify, detect, and respond to red flags.
Here, the SEC said, although Voya had a written program in place, it was not appropriately reviewed and updated and did not include policies and procedures to respond to identity theft red flags.
Under the Safeguards Rule, the SEC said, Voya was required to adopt “written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.” The policies and procedures must be “reasonably designed” to ensure security and confidentiality of customer records, protect against any anticipated threats or hazards to the security and confidentiality of customer records, and protect against unauthorized access to customer records and information.
Voya violated the rule, the SEC said, because its policies and procedures were not reasonably designed to meet the rule’s objectives. The agency singled out Voya’s procedures for resetting contractors’ passwords, terminating web sessions with contractors, identifying higher-risk contractors and customer accounts, and creating and altering customer profiles.
In response to the intrusion, Voya undertook remedial efforts, including blocking malicious IP addresses, revising its user authentication policy to prohibit the issuance of temporary passwords over the phone, and issuing breach notices and one year of free credit monitoring to affected customers. Voya also named a new Chief Information Security Officer responsible for creating and maintaining cyber security policies and procedures and an incident response plan. The SEC noted that Voya’s remedial efforts were taken into consideration in reaching the settlement.
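The incident the SEC describes, three contractor accounts reset through the support line in six days, is exactly the pattern a firm’s red-flag procedures are meant to catch. What follows is an added example, not code from Voya, the SEC or the Lexis article: it parses a constructed help-desk log, raises the red flags a reviewer would want to see (phone resets without a callback or without verification, repeat resets on one account, a burst of resets across accounts), and gates new phone requests so that no temporary password is ever issued on the call. The log format, field names, thresholds and the seven-day window are all assumptions.

```python
"""Red-flag detection over help-desk password-reset tickets, plus a
preventive gate for phone reset requests.

Added example for this article; not code from Voya, the SEC, or Lexis.
The log format, field names, and thresholds below are assumptions.
"""
import re
import secrets
from datetime import datetime, timedelta

# Constructed support-line log (fictional tickets, users, and times).
# verified: how the caller was identified (kba = knowledge-based answers,
# mfa = second factor, none = no check); callback: whether the desk called
# the number on file before acting (na = not a phone ticket).
SUPPORT_LOG = """\
2016-04-01T09:12:03Z ticket=1001 action=password_reset user=rep0417 channel=phone verified=kba callback=no
2016-04-01T09:40:51Z ticket=1002 action=password_reset user=rep0092 channel=phone verified=kba callback=no
2016-04-02T14:05:19Z ticket=1003 action=address_change user=rep0417 channel=web verified=mfa callback=na
2016-04-03T11:22:47Z ticket=1004 action=password_reset user=rep0417 channel=phone verified=none callback=no
2016-04-05T16:48:09Z ticket=1005 action=password_reset user=rep2210 channel=phone verified=kba callback=yes
2016-04-06T08:03:30Z ticket=1006 action=password_reset user=rep0550 channel=web verified=mfa callback=na
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or garbled lines rather than abort the review
        ev = dict(pair.split("=", 1) for pair in m.group("kv").split())
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_red_flags(events, window=timedelta(days=7), burst=3):
    """Return sorted (ticket, reason) pairs for phone-channel password resets.

    Three checks: a reset completed with no verification or without a
    callback to the number on file; the same account reset twice inside
    `window`; and `burst` or more distinct accounts reset by phone inside
    `window` (the pattern in the article: three contractors in six days).
    """
    flags = set()
    resets = sorted(
        (e for e in events
         if e["action"] == "password_reset" and e["channel"] == "phone"),
        key=lambda e: e["ts"],
    )
    for e in resets:
        if e["verified"] == "none":
            flags.add((e["ticket"], "reset with no identity verification"))
        if e["callback"] != "yes":
            flags.add((e["ticket"], "reset without callback to number on file"))
    for i, e in enumerate(resets):
        # Sliding window: every phone reset up to and including this one
        # that falls within `window` before it.
        recent = [r for r in resets[: i + 1] if e["ts"] - r["ts"] <= window]
        accounts = {r["user"] for r in recent}
        if len(accounts) >= burst:
            flags.add((e["ticket"],
                       f"{len(accounts)} accounts reset by phone within {window.days} days"))
        if sum(1 for r in recent if r["user"] == e["user"]) >= 2:
            flags.add((e["ticket"], "repeat phone reset for same account within window"))
    return sorted(flags)


def gate_reset_request(user, channel, callback_confirmed):
    """Preventive control matching the post-incident policy: a phone request
    never yields a temporary password. It is denied until the desk has
    called the number on file, and even then the caller receives nothing
    usable on the call; a single-use token goes to the contact on file."""
    if channel != "phone":
        return {"user": user, "decision": "self_service_mfa", "token": None}
    if not callback_confirmed:
        return {"user": user, "decision": "deny_until_callback", "token": None}
    return {"user": user, "decision": "send_out_of_band_link",
            "token": secrets.token_urlsafe(32)}


if __name__ == "__main__":
    for ticket, reason in find_red_flags(parse_log(SUPPORT_LOG)):
        print(f"ticket {ticket}: {reason}")
    print(gate_reset_request("rep0417", "phone", callback_confirmed=False)["decision"])
```

Run as a script, the review prints one line per flagged ticket; tickets 1001, 1002 and 1004 are flagged for the missing callback, 1004 additionally for no verification and for being a repeat on the same account, and 1005 trips the burst rule because by then three distinct accounts have been reset by phone in the window. The gate is the counterpart to the policy change the article mentions: the support desk can start a reset, but the credential that results is never spoken to the caller.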
In addition to the fine and censure, Voya agreed to retain an independent consultant to review its policies and procedures and issue a report to the company and the SEC.
The SEC announced the formation of its Cyber Unit in September 2017 as a means of concentrating enforcement efforts on cyber-related misconduct, including market manipulation schemes, hacking, and intrusions into retail brokerage accounts.
“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” Robert A. Cohen, chief of the Cyber Unit said. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
RESEARCH PATH: Capital Markets & Corporate Governance > Corporate Governance and Compliance Requirements for Public Companies > Compliance Controls > Articles
RECENT LEGISLATIVE DEVELOPMENTS IN THE WAKE OF the #MeToo movement reflect a trend among the states against nondisclosure agreements and other confidentiality provisions in the resolution of workplace sexual harassment complaints. Some states are tightening their requirements for the training of employees in sexual harassment awareness as well.
Provisions of the New York State budget bill signed into law in April expressly forbid mandatory arbitration, which is often confidential, as well as nondisclosure agreements, unless the complainant specifically requests one in the interest of privacy. As part of the law, New York requires employers to notify their employees in writing of their sexual harassment prevention policies. The state provided a model policy that employers may adopt, but left them with the option of creating their own policies as long as they conform to the law.
Washington State followed suit with regard to the confidentiality of dispute resolution in workplace sexual harassment cases. In June, the legislature enacted a new law that prohibits employers from requiring employees to sign a nondisclosure agreement, either as a condition of employment or as part of a settlement, and bars mandatory arbitration of workplace sexual harassment complaints. Washington is convening a work group to develop model sexual harassment policies and provide further guidance to employers.
New Jersey and California have also banned nondisclosure agreements in discrimination and harassment settlements. Senator Connie M. Leyva, who authored the California bill, said that this legislation would “finally lift the curtain of secrecy that has continued to protect these perpetrators” for decades by silencing their victims.
The South Carolina General Assembly is currently considering legislation that would bring an end to forced arbitration of sexual harassment complaints.
An Arizona law permits employees to disregard nondisclosure agreements to accommodate requests from law enforcement, or as a part of court proceedings. The original bill, if passed in its entirety, would have banned nondisclosure agreements altogether in the settlement of sexual harassment claims.
In Pennsylvania, Governor Tom Wolf launched a webpage dedicated specifically to information about how to report workplace sexual harassment, with links to information from victims’ rights groups. Meanwhile, legislation banning nondisclosure agreements is pending before the Pennsylvania General Assembly. It would also expand the existing protections under Pennsylvania law to more workers across the state and require anti-harassment training for both supervisors and employees.
Please see guidance for employers when investigating #MeToo complaints on page 24 of this edition.
RESEARCH PATH: Labor & Employment > Discrimination, Harassment, and Retaliation > Articles